Hi,
We are using Fortigate 200A with version 4.0 (MR2 Patch 2) and Fortiguard license expired.
Now, we are planning to block few websites to overcome Internet Bandwidth high utilization issue.
I have configured Webfilter under UTM services, but it does not work. I think its because of no FortiGuard active licence.
I heard that we can use Static Filter list here. Can someone guide me, how to use it, since I do not see static filter option in GUI mode. Or is there any other way to block websites without having Fortiguard active license.
Thanks and Regards
Naveen
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The whole thing won't work without a license.
I have to disagree and what the op wants todo is to place static entries and NOT use fortiguard ( assumption ). This will work but is not reccommend by FTNT and could cause issues with blocking legit sites if done in-correctly.
You could define a filter to block wildcard and then add the sites that you want to allow or even the vice-versa block sites specific & then with a wildcard allowance. BTW I've done this in K-12 edu with site allowances.
Be very very very careful in your approach and method. BUT categorization and with a expired fortiguard license will most likely break all.
PCNSE
NSE
StrongSwan
navin.cool wrote:Yes my license is active.you are referring static filtering as web filter, which is part of Fortiguard services.
So, in your case, do you have active fortiguard license ?
For me, this license expired already.
Inside webfilter below the categories you see the url filter option. And yes it's in web filter.
With no license fortigate webfiltering will not work AT ALL. It will just block all legit traffic as well.
and on using static filtering i'm in the middle of doing this with fortinet TAC. HTTPs won't be blocked with this unless you install cert on clients with ssl inspection on.
Thanks for your reply.
I know, webfilter will not work without active Fortigaurd license.
Hence, we need to go with Static Filter for time being (until get the new license).
So, can you please share me the configuration steps and your observations, after you finish with Fortinet TAC.
what exactly is static filtering, you are referring to the url filter option with webfilter right?
The whole thing won't work without a license.
The whole thing won't work without a license.
I have to disagree and what the op wants todo is to place static entries and NOT use fortiguard ( assumption ). This will work but is not reccommend by FTNT and could cause issues with blocking legit sites if done in-correctly.
You could define a filter to block wildcard and then add the sites that you want to allow or even the vice-versa block sites specific & then with a wildcard allowance. BTW I've done this in K-12 edu with site allowances.
Be very very very careful in your approach and method. BUT categorization and with a expired fortiguard license will most likely break all.
PCNSE
NSE
StrongSwan
emnoc wrote:
The whole thing won't work without a license.
I have to disagree and what the op wants todo is to place static entries and NOT use fortiguard ( assumption ). This will work but is not reccommend by FTNT and could cause issues with blocking legit sites if done in-correctly.
You could define a filter to block wildcard and then add the sites that you want to allow or even the vice-versa block sites specific & then with a wildcard allowance. BTW I've done this in K-12 edu with site allowances.
Be very very very careful in your approach and method. BUT categorization and with a expired fortiguard license will most likely break all.
while we're at it, i have a client who wants to block facebook over https without having to install the ssl cert in 100+ PCs, I tried and tested this with wildcard block but simply fails.
So this is not possible right? For some reason FTNT has a doc which says this can done. And the TAC pointed me out to the same. But when I tried this it only work with the cert installed on the pc if not then starts block all legit https sites as well.
Do you have Fortiguard service license and is it active? In that example you reference, I believe they are blocking by web category ( Social Networking ) and by extracting the CN field from the cert , so we can drop the session without ssl-deep-scan
e.g look at the receiving the cert in the server.hello
id-at-commonName=*.facebook.com
PCNSE
NSE
StrongSwan
Hi both,
I am referring to static URL filter (create static entries), but not using web filter (which is part of FortiGuard Services).
So, I understand by using static URL filter we can block only http/www websites, but not https.
If we want to block https traffic aswell, we need to go with SSL full inspection and install the ssl certificate in all client machines, after we generate it from FortiGuard firewall.
Please correct me, if I am wrong.
Also I do not see "Security Profile" option in GUI in Fortigate 200A with 4.0 MR2 version, to start with static URLfilter. Please guide me on the procedure.
navin.cool wrote:Hi both,
I am referring to static URL filter (create static entries), but not using web filter (which is part of FortiGuard Services).
So, I understand by using static URL filter we can block only http/www websites, but not https.
If we want to block https traffic aswell, we need to go with SSL full inspection and install the ssl certificate in all client machines, after we generate it from FortiGuard firewall.
Please correct me, if I am wrong.
Also I do not see "Security Profile" option in GUI in Fortigate 200A with 4.0 MR2 version, to start with static URLfilter. Please guide me on the procedure.
You can refer to this doc
You can't see the webfilter option in your policies then you need to turn webfilter on from the system>config>features.
Try both *.facebook and dot com is all that I can suggest.
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.