Hi,
We are using Fortigate 200A with version 4.0 (MR2 Patch 2) and Fortiguard license expired.
Now, we are planning to block few websites to overcome Internet Bandwidth high utilization issue.
I have configured Webfilter under UTM services, but it does not work. I think its because of no FortiGuard active licence.
I heard that we can use Static Filter list here. Can someone guide me, how to use it, since I do not see static filter option in GUI mode. Or is there any other way to block websites without having Fortiguard active license.
Thanks and Regards
Naveen
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The whole thing won't work without a license.
I have to disagree and what the op wants todo is to place static entries and NOT use fortiguard ( assumption ). This will work but is not reccommend by FTNT and could cause issues with blocking legit sites if done in-correctly.
You could define a filter to block wildcard and then add the sites that you want to allow or even the vice-versa block sites specific & then with a wildcard allowance. BTW I've done this in K-12 edu with site allowances.
Be very very very careful in your approach and method. BUT categorization and with a expired fortiguard license will most likely break all.
PCNSE
NSE
StrongSwan
navin.cool wrote:Yes my license is active.you are referring static filtering as web filter, which is part of Fortiguard services.
So, in your case, do you have active fortiguard license ?
For me, this license expired already.
Inside webfilter below the categories you see the url filter option. And yes it's in web filter.
I can see "web filter" under UTM. But I think this is part of FortiGuard.
The doc which you suggested is referring to the same.
But I am looking for static Filtering. How to start with "Static Filter" configuration ?
navin.cool wrote:I can see "web filter" under UTM. But I think this is part of FortiGuard.
The doc which you suggested is referring to the same.
But I am looking for static Filtering. How to start with "Static Filter" configuration ?
I really don't think there is any such feature, did you this in any docs or videos? Share that link, maybe we can figure something out then.
Even googling "fortigate static filter" brings up url filter in the results.
Also you should try their chat support.
ahhhh, then what you mean for below one of your reply.
----------------------------------------------------------------------------------------------------------------------
"With no license fortigate webfiltering will not work AT ALL. It will just block all legit traffic as well.
and on using static filtering i'm in the middle of doing this with fortinet TAC. HTTPs won't be blocked with this unless you install cert on clients with ssl inspection on."
----------------------------------------------------------------------------------------------------------------------
I too get the same result when I do googling :)
navin.cool wrote:ahhhh, then what you mean for below one of your reply.
----------------------------------------------------------------------------------------------------------------------
"With no license fortigate webfiltering will not work AT ALL. It will just block all legit traffic as well.
and on using static filtering i'm in the middle of doing this with fortinet TAC. HTTPs won't be blocked with this unless you install cert on clients with ssl inspection on."
----------------------------------------------------------------------------------------------------------------------
I too get the same result when I do googling :)
i was referring to url filter as static filtering all along as i thought you were doing the same. My requirement was to block https without ssl inspection which is current on going. So static filtering is used there, but i doubt it can block https. So waiting for TAC's further response now.
you are referring static filtering as web filter, which is part of Fortiguard services.
So, in your case, do you have active fortiguard license ?
For me, this license expired already.
navin.cool wrote:Yes my license is active.you are referring static filtering as web filter, which is part of Fortiguard services.
So, in your case, do you have active fortiguard license ?
For me, this license expired already.
Inside webfilter below the categories you see the url filter option. And yes it's in web filter.
Ok, its clear now.
So, in my case I can not do any filtering, until get the new fortiguard license.
Thanks guys, for your great knowledge sharing.
emnoc wrote:Do you have Fortiguard service license and is it active? In that example you reference, I believe they are blocking by web category ( Social Networking ) and by extracting the CN field from the cert , so we can drop the session without ssl-deep-scan
e.g look at the receiving the cert in the server.hello
id-at-commonName=*.facebook.com
are you saying we ought to use this exact name as shown in the cert. In TAC's response he suggested *.facebook.*
Further in the doc on using url filter, they only ask you to use *facebook.com.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.