White listing internal IP addresses is incredibly complicated for no reason right now. I've been reading through posts about how to do it all day, trying to find a solution that works and I cant help but think that it could just be developed a better way. Here is what I suggest: with the fortigate 60D
Under - Security Profiles>Web filter>Allow users to override blocked categories
there is an option called "switch applies to" where you can select IP, however it doesn't let you enter an IP or even change any of the options.
Why not make it so I can simply add an IP to that category and then that IP will be able to override the filter.
Not only will this make it easier for users but will also make sudden changes to a networks needs to be easier to implement.
There are many users who have asked this question online so it would definitely help customers and I doubt it would be any harder/costly to develop than wasting money having technicians spend their time replying to posts year after year to solve the same issue for every customer that can't figure out how to implement this with their specific needs.
It would also vastly help people filtering windows updates which has to be a concern for anyone using your product.
Thanks, Hope y'all take my suggestion seriously
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I imagine you are referring to whitelisting IP addresses in regards to web filtering? That is already very possible and easy to implement. In short- you create a policy above your "main" web filtering policy with the IPs you want to whitelist as the destination.
The firewall processes traffic according to the policies from top down, so you need to make sure your policies are set from most specific to least in order to properly handle traffic without causing shadowed or redundant rules. In a simple example, you have a policy for web access with the source as all internal IPs, destination all external IPs, services HTTP and HTTPS, with a web filter security profile inspecting traffic. Create an address group called "web filter exempt destinations" or whatever you want to call it. Add address objects to that group with the IP addresses of the destinations you want to exempt. Create a new policy above your main web filter policy with the source as all internal IPs (or whichever internal address objects are allowed to get exempted), destination as web filter exempt destinations, services HTTP and HTTPS, and no web filter policy (or a different web filter that only monitors). When you find you need an IP whitelisted, just create an address object for it and add it to the exempt address group.
The traffic flow will be that your client will hit the first rule when browsing to a page hosted on exempted IPs and not get web filter blocked, but when they browse to other sites they will get the second more broad policy with standard filtering.
The first caveat to this is if your exempt list starts to contain many addresses, it may affect firewall performance (especially on smaller models) as the system needs to parse through a much larger and more complex ruleset. In general, pure firewalling performance is much faster than traffic inspection and it might not realistically become noticeable in most cases, but probably avoid hundreds or thousands of individual address objects.
You want to be very careful about whitelisting external IPs, especially if they are on shared hosting. If something bad is hosted at the same IP address as something you originally whitelisted, the firewall will not really be able to tell and will let that traffic through. This is less of an issue for trusted vendors or internal or DMZ web pages.
If you do web filter based usage reporting, you may want to create a separate web filter that does monitor only to keep visibility into the web traffic for these addresses. We do periodic reviews of web usage to find things out of the ordinary- exempting a bunch of traffic from web filtering altogether would skew some of this data since it would not be picked up. This would also help with the previous issue as it would pick up the URL being requested and if someone notices a bad URL passing through the exemption rule, you could perform some tweaking to stop it.
CISSP, NSE4
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.