Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Creating a URL Whitelist for an SSID

I'm the "IT guy" at a small manufacturing company, but kind of a noob at firewall configs. We have several computers on the shop floor used to access an intranet to get production drawings and the like from a local LAN server.  These machines do not have access to the internet, only the resources on the local LAN via a specific SSID..  We are changing our anti-virus system to "WebRoot" that requires the end points to have access to the internet in order to get signature files and be managed from the cloud. I'm trying to create a URL based white-list to allow these shop floor machines to be able to connect to the needed webroot servers but still block all other internet traffic on that SSID.  What I've done so far: Device: 200D Firewall OS: 5.4.1 I started by creating a policy that will allow the SSID to have internet access.  The policy works, enabled they get full internet, disabled, no internet.  Good so far. I then created a Web filter under Security Profiles (see pic attached), this is where it starts to get foggy for me.  I initially created one URL filter using a wildcard of "*" and an action of "Block". Assuming that if this filter was added and enabled on the previous policy that it would block all internet traffic other than sites listed above it. This part is not working, we are still getting access most internet sites, though some sites come up as blocked, but far from the white-list I'm hoping for.  Using the 5.4 FortiOS handbook is a bit overwhelming for what I think should be a basic task.  I could also be coming at this from entirely the wrong direction. Any help in accomplishing this task would be greatly appreciated.

Thanks in advance.


Symantec Endpoint Protection Management, Windows System Update Service allow me to create a Virtual Machine Server on our domain to push out updates to the users without them going to the internet to get them?   The benefit of this is 1.) Only one server goes to the internet for updates instead of every workstation and VM 2.) I can decline what I don't want installed 3.) I can see who is upgraded and what has failed. Can your application be installed on a VM like these?


We've looked at a product like Symantec that has a central console that can push updates to non-internet connected LAN machines.  There are a few reasons we are not going that route.  Webroot's model works well for us.  So creating a filter that will allow ONLY access to the sites needed for Webroot to work is what I need to do. I have made some progress, and might have a workable solution sometime tomorrow.  I'm getting a better understanding of how Fortinet handles web filtering as well as SSL based filtering, so what I'm learning here has some value that way.   Thanks for the reply!


All I'm looking to do is create an SSID that has web access limited to about a dozen sites, ALL other sites are blocked.  This seems like it should be a straight forward function of a firewall.  Why does this seem so difficult?  I want to create a whitelist, if a site is on the whitelist, it gets in, if not on that whitelist it gets blocked. Currently I have it so that all non whitelisted HTTP sites are blocked (using web filter), as well as many HTTPS sites (though not all, by using SSL/SSH Inspection as recommended by another source).  How can I block all sites EXCEPT for those on my whitelist.  This should not be that difficult to accomplish, or is my understanding of this not accurate?


So you need a rule for a few computers/servers that only allow a few sites in and blocks all other traffic.   Can you move them to their own VLAN to isolate them better.  You can create a VLAN based rule using an ACL list that allows only TCP traffic to those sites and blocks IP ANY ANY is how I would do it in Cisco.  Only Fortinet, I would do a IPv4 policy like this Policy 3:  Allow VLAN traffic to those sites Policy 4:  Deny VLAN traffic for IP

By placing them in a separate VLAN, you can add machines later on.  




I setup my 60E over the weekend.   It has a Interface called LAN (it was the default name) that is setup for only WIFI.  WIFI group would be the devices in that SSID. LAN is not tied to any interfaces on the device.   So it is just a virtual interface that has all the WIFI traffic from FWF-60E wife.  So I have an outbound rule for LAN to WAN1.  This allows LAN (all WIFI traffic) out to the internet with any traffic.   I can post it tonight, the setup. 


SOURCE:  those workstations / servers in a address group

DESTINATION:  The sites you want them only to use SERVICE: HTTPS (443) and HTTP (80) ports only Put it as top rule


Rule underneath it would be denying them from everything else.  


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors