Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
scerazy
New Contributor III

Need to exempt access to www.msftconnecttest.com

FTG, no matter what firmware version, does not allow wildcards

This DNS entry resolves to a server farm, *.c-msedge.net

And I need unrestricted access from any device on the network, no matter what the user web policies are.

Any ideas?

Seb

scerazy
New Contributor III

Sadly placing the *.* Block makes a total mess of Internet access, as machines that did not authenticate against any rules above are no longer allowed to access the Internet at all. I mean there is NO firewall login popup so the user can authenticate.

If configured in rules above, SSO works, as do all IP exceptions.

With *.* Block all the user gets is a flat Access Blocked.

So while it "works", it is in the most drastic way possible!

I often have to access the Internet from machines that are not domain joined (various VMs) and not necessarily having any exemptions in rules. Normally for Internet access I do user login when needed & all is good.

So not a perfect solution!

Seb

dmcquade
New Contributor III

You use *.* set to block in a URL filter ONLY when using strictly the URL filter. This forces you to create a static list of allowed URLs (above the block), which is very useful for strict Internet access (e.g. servers, admin accounts, etc.).

For normal users, use the FortiGuard categories in combination with the URL filter. In the URL filter, only create exceptions to the categories. So if you block File Storage but want to allow Dropbox, add *.dropbox.com in the URL Filter set to allow or exempt. If you want to allow Social Networking but block Facebook, enable the category in FortiGuard Categories and create a URL filter entry for *.facebook.com set to block.

The configuration options in the Web Filter profiles are fairly robust and can pretty much accommodate any Internet usage policy. If you want to use wildcard FQDNs in the destination, you may want to create an Explicit Proxy policy.

HTH

d
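
As an added example (editor's illustration, not configuration posted by anyone in this thread), the two URL-filter patterns described above written as FortiOS CLI: a strict allowlist ending in a catch-all `*.*` block, and a category-based profile that carries only exceptions and no `*.*` entry. The table ids, the profile names and the use of the thread's `*.dropbox.com` / `*.facebook.com` entries are assumed values; the per-category actions for the second profile are set in the profile's FortiGuard category section and are not shown.

```fortios
# Added example, not from the thread. Assumed ids/names: tables 1 and 2,
# profiles "strict-web" and "normal-users".
config webfilter urlfilter
    # Pattern 1: strict URL-only filtering. Entries are matched in order,
    # so every permitted site must sit above the catch-all block entry.
    edit 1
        set name "strict-allowlist"
        config entries
            edit 1
                set url "*.dropbox.com"
                set type wildcard
                # "allow" continues with later checks; "exempt" would skip them
                set action allow
            next
            edit 2
                # Catch-all: anything not listed above is blocked outright,
                # which is the behaviour scerazy reports for unauthenticated users
                set url "*.*"
                set type wildcard
                set action block
            next
        end
    next
    # Pattern 2: category-based filtering. Only exceptions live here;
    # there is deliberately no "*.*" entry, so unlisted sites fall through
    # to the FortiGuard category decision in the profile.
    edit 2
        set name "category-exceptions"
        config entries
            edit 1
                set url "*.facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end

config webfilter profile
    edit "strict-web"
        config web
            set urlfilter-table 1
        end
    next
    edit "normal-users"
        config web
            set urlfilter-table 2
        end
    next
end
```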

scerazy
New Contributor III

I see you either do not get it or you never experienced the issue.

Various sets of rules to allow users access to the Internet (mix of source IP exceptions, various SSO rules etc.)

Then default Deny rule

In that setup, if the user is not caught by any of the rules above, it will be asked to authenticate to the firewall with the FortiGate logon screen.

If I now add one rule before the last (default Deny) rule for access to various MS Update sites (web filter with URLs, without *.* Deny included),

ANYBODY that was not processed by any previous rule will be allowed access to ANYWHERE

If I do add the *.* Deny, then ANYBODY that was not processed by any previous rule will be DENIED access to ANYWHERE without an option to login!

Web Page Blocked!

So while it might work for what you are doing, it does NOT work in my setup

Seb

dmcquade
New Contributor III

I get what you are saying and in my opinion that is just very bad logic in what you described. Basically you are stating you want unknown users to have the ability to browse anywhere. That implies someone could connect a rogue device and introduce malicious content into your network. I am sure there are much better ways to achieve what your end goal is. If you truly believe your logic is correct, just create a rule allowing access with no security profiles. That would allow any device / user hitting that rule access to the entire web, but I still believe it is a flawed design, as I believe most others would. I have completed several dozen installations for clients and have never heard anyone request any such design.


Good luck

scerazy
New Contributor III

Ok, I see you do not understand at all! That is exactly what I do NOT want (and no network admin ever would want), but that is what your "solution" creates as a byproduct.

All I want is unrestricted access to a couple of wildcard domains that must be accessible by Windows 10 updates EVEN if local WSUS is used. And Fortinet simply cannot do it!

Seb

dmcquade
New Contributor III

I've set up dozens of installations that have WSUS get updates. It is actually a quite easy and common setup. Not sure why you are having so much trouble. Maybe you simply do not understand.

scerazy
New Contributor III

I tell you why you do not have problems: because you never tried to make machines get updates with no user logged in, or one of your rules leaks such access, or you have "Do not connect to any Windows Update Internet locations" Enabled (which by the way affects access to e.g. the Windows Store in a random way).

Please read the whole explanation here - Why WSUS and SCCM managed clients are reaching out to Microsoft Online

Maybe you can learn something new?


Seb

dmcquade
New Contributor III

I tried to help but maybe you don't really want it. You sound more interested in bashing a product's features that you don't really know how to implement properly.

No user auth is required for WSUS servers to properly get updates from the Internet. You just need to know how to configure your policies. Again, not sure why this works for hundreds of clients and not you.

Good luck.

scerazy
New Contributor III

I see you cannot even read (or can't be bothered or do not understand what you read)

You tried to help, you failed. No need to defend the product that is not capable of doing what it should.

End of


dmcquade
New Contributor III

Like I said, good luck. Works fine for me and dozens of others. Try thinking about it differently and maybe you will see the answer.
