How to cascade Web Filter Policies in Web Proxy?
Hello,
At our company we need to allow specific websites to specific users on top of what is allowed company-wide. The thing is we need to mix and match what websites are allowed for which users.
For example:
User A will have access to x.com and y.net
User B will have access to y.net and z.org
User C will have access to x.com and z.org
Our previous Web Gateway allowed us to create policies in which we allow specific users to visit specific URLs; if a user is not in the policy or the website is not defined, it doesn't take any action but rather evaluates the next policy, and so on, and if no policy matched the request, then the default policy is applied.
If I create a web filter rule, disable category filtering and add the specific URL to be allowed to this rule, and, for example, I create another rule that blocks all websites, then add the first web filter rule to a proxy policy with specific users and add the other web filter rule to another proxy policy that has all users defined in the source, I find that ALL websites are allowed, as the first policy really does not evaluate anything and doesn't even show up in the logs, instead of the firewall evaluating the next policy.
I am using FortiOS 6.4.6. Is this a bug in this release, or is this not a feature of FortiOS? Can anyone provide workarounds that have the same effect as what we were doing originally with our old web proxy?
Hello,
Please find the details regarding webfilter execution order by following the link below:
You may consider 2 options:
- block all FortiGuard webfilter categories and exempt certain URLs under webfilter profile
- create policies and configure allowed URLs as destination
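To make the difference between the original design and the two suggested options concrete, here is a small Python model of first-match proxy policy evaluation. It is an added example written for this thread, not FortiOS code or a Fortinet tool, and the policy names, profile names and the hosts x.com, y.net and z.org are taken from the question or constructed here. It models a proxy policy as "first policy whose user and destination match wins, and that policy's web filter profile decides", which is why a permissive allow-list profile placed in front of a block-everything policy lets every site through, and it then shows option 1 (per-user profiles that block all categories and exempt specific URLs) and option 2 (policies whose destinations are the allowed URLs, with a deny policy last) producing the intended per-user access.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of FortiGate-style policy evaluation; not FortiOS code.


@dataclass(frozen=True)
class WebFilterProfile:
    name: str
    block_all_categories: bool            # FortiGuard category filtering set to block everything
    exempt_urls: frozenset = frozenset()  # URL filter entries whose action is "exempt"

    def decide(self, host: str) -> str:
        if host in self.exempt_urls:
            return "allow"
        return "block" if self.block_all_categories else "allow"


@dataclass(frozen=True)
class ProxyPolicy:
    name: str
    users: frozenset = frozenset()        # empty set -> any user
    dest_hosts: frozenset = frozenset()   # empty set -> any destination
    profile: Optional[WebFilterProfile] = None
    action: str = "accept"                # "accept" or "deny"

    def matches(self, user: str, host: str) -> bool:
        return (not self.users or user in self.users) and \
               (not self.dest_hosts or host in self.dest_hosts)


def evaluate(policies, user: str, host: str):
    """First matching policy wins; there is no fall-through to later policies
    when the matched policy's profile merely allows the request."""
    for p in policies:
        if p.matches(user, host):
            if p.action == "deny" or p.profile is None:
                return p.name, "block"
            return p.name, p.profile.decide(host)
    return "implicit-deny", "block"


def access_matrix(policies, users, hosts):
    return {(u, h): evaluate(policies, u, h)[1] for u in users for h in hosts}


USERS = ("A", "B", "C")
HOSTS = ("x.com", "y.net", "z.org")
WANTED = {"A": {"x.com", "y.net"}, "B": {"y.net", "z.org"}, "C": {"x.com", "z.org"}}

# The design from the question: category filtering disabled, one URL exempted,
# followed by a block-everything policy for all users.
ALLOW_X = WebFilterProfile("allow-x", block_all_categories=False, exempt_urls=frozenset({"x.com"}))
BLOCK_ALL = WebFilterProfile("block-all", block_all_categories=True)
AS_POSTED = [
    ProxyPolicy("userA-allow-x", users=frozenset({"A"}), profile=ALLOW_X),
    ProxyPolicy("everyone-block", profile=BLOCK_ALL),
]

# Option 1: one profile per user that blocks all categories and exempts that user's URLs.
OPTION_1 = [
    ProxyPolicy(f"user{u}", users=frozenset({u}),
                profile=WebFilterProfile(f"{u}-allowlist", True, frozenset(sites)))
    for u, sites in WANTED.items()
] + [ProxyPolicy("everyone-block", profile=BLOCK_ALL)]

# Option 2: policies keyed on user and allowed destinations, then deny the rest.
MONITOR = WebFilterProfile("monitor-only", block_all_categories=False)
OPTION_2 = [
    ProxyPolicy(f"{u}-sites", users=frozenset({u}), dest_hosts=frozenset(sites), profile=MONITOR)
    for u, sites in WANTED.items()
] + [ProxyPolicy("deny-rest", action="deny")]


def intended_matrix():
    return {(u, h): "allow" if h in WANTED[u] else "block" for u in USERS for h in HOSTS}


if __name__ == "__main__":
    print("as posted, user A to z.org:", evaluate(AS_POSTED, "A", "z.org"))
    print("option 1 matches intent:", access_matrix(OPTION_1, USERS, HOSTS) == intended_matrix())
    print("option 2 matches intent:", access_matrix(OPTION_2, USERS, HOSTS) == intended_matrix())
```

In the model, user A's request for z.org is matched by the first policy (user A, any destination) and that policy's profile has nothing to block it with, so the request is allowed and the block-everything policy is never consulted, which is the behaviour reported in the question. Both suggested options produce the intended matrix because the decision to block is made inside the policy that matches, either by the profile (option 1) or by the destination not matching any accept policy (option 2).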
I have been looking into the same thing. Even used "cascade" in my search terms.
Have you tried setting the NGFW mode under Settings to "Policy-based"? I can't say for certain it will solve your issue, but it approaches firewall rules in a different manner. I am currently testing that setting. I will come back and comment if I find some success with it.
This may provide an answer to your question. There is an implicit fall-through to rules without authentication. Read the links to know more. In the second link, there appears to be a way in the CLI to change that behavior. My use case for cascading firewall rules is outside the realm of authentication, but maybe this helps you.
- https://community.fortinet.com/t5/FortiGate/Technical-Note-Implicit-fall-through-feature-for-user/ta...
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Active-authentication-firewall-policy-fall...
Hello,
If I understood the issue correctly, you want to apply the web filter profile based on users; you can use the web profile override, it might help.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/408599/web-profile-override
Vishal
