Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lexx
New Contributor

IP

Hello, Im new to fortigate and was wondering if anyone knows how to exempt a specific ip address from web filtering? Thanks in advance

1 Solution
Toshi_Esumi
SuperUser
SuperUser

Probably same as any other firewalls. I would create a new policy for HTTP/HTTPS and specify the IP as the destination address and "accept" action, then don't apply the web filtering profile. And then place/move it one above the existing web filtering policy.

View solution in original post

13 REPLIES 13
Toshi_Esumi
SuperUser
SuperUser

Probably same as any other firewalls. I would create a new policy for HTTP/HTTPS and specify the IP as the destination address and "accept" action, then don't apply the web filtering profile. And then place/move it one above the existing web filtering policy.

Toshi_Esumi

You probably meant a "source IP" to exempt. Then put it in the source address on the new policy.

lexx

ok i've tried but getting more and more confused. Can anyone walk me through he steps or anything similar please? Much appreciate it

ShawnZA
Contributor II

Yes it can be done. Do you want to exempt an internal IP (User or device) or an external IP/website?

lexx
New Contributor

Exempt an internal IP and also a mobile device for my boss please if you could provide guidance.

ShawnZA
Contributor II

Not sure how to add multiple screenshots, so will reply a few times, sorry.

First create the address with the IP of the device as per the attached screenshot

 

 

 

 

 

ShawnZA

Once address created go to Policy And Objects and create a new IPv4 Policy, just make sure the new policy is moved above the policy that the phone is currently hitting on the firewall.

 

Source will be the IP of the device you created

Select whatever services you need, HTTP, HTTPS etc

Do not select the security profiles, or only select the ones you want....

That should be it, if the policy is above the current one the phone will hit the new policy and be excluded from the security scan profiles.

 

 

 

 

Toshi_Esumi

Don't forget to move it above existing policies. You can "drag" it by "ID". FW polcies work in "waterfall" logic from top toward bottom. If anything above matches the traffic including that IP, it wouldn't get to the policy you created.

lexx
New Contributor

Thanks this worked like a charm with my boss phone! Just a quick question, will the phone IP change once the user disconnects from the wifi since our network in using DHCP to distribute IP addresses?

 

And this can also be done to a PC using the same steps?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors