Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Need to exempt access to www.msftconnecttest.c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to exempt access to www.msftconnecttest.com
FTG no matter what firmware version does not allow wildcard
This DNS entry resolves to a server farm *.c-msedge.net
And I need unrestricted access from any device on the network no matter what user web policies are
Any ideas?
Seb
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sadly placing the *.* Block makes a total mess of Internet access, as machines that did not authenticate against any rules above are no longer allowed to access Internet at all, I mean there is NO firewall login popup, so user can authenticate
If configured in rules above SSO works, as does all IP exceptions
With *.* Block all the user gets if flat Access Blocked.
So while it "works", it is in the most drastic way possible!
I often have to access Internet from machines that are not domain joined (various VMs) and not necessary having any exemptions in rules. Normally for Internet access I do user login when needed & all is good
So not a perfect solution!
Seb
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You use *.* set to block in a URL filter ONLY when using strictly the URL filter. This forces you to create a static list of allowed URLs (above the block) which is very useful for strict Internet access (i.e. servers, admin accounts, etc.).
For normal users, use the Fortiguard categories in combination with the URL filter. In the URL filter, only create exceptions to the categories. So if you block File Storage but want to allow Dropbox, add *.dropbox.com in the URL Filter set to allow or exempt. If you want to allow Social networking, but block Facebook, enable the category in Fortiguard Categories and create a URL filter entry for *.facebook.com set to block.
The configuration options in the Web Filter profiles are fairly robust and can pretty much accommodate any Internet Usage policy. If you want to use wildcard FQDNs in the destination, you may want to create an Explicit Proxy policy.
HTH
d
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see you either do not get it or you never experienced the issue.
Various set of rules to allow users access to Internet (mix of source IP exceptions, various SSO rules etc)
Then default Deny rule
In that setup if the user is not caught be any of the rules above it will be asked to authenticate to Firewall with Fortigate logon screen.
If I now add one before last (default Deny) rule for access to various MS Update sites (webfilter with URL without *.* Deny included)
ANYBODY that was not processed by any previous rule will be allowed access to ANYWHERE
If I do add the *.* Deny to the ANYBODY that was not processed by any previous rule will be DENIED access to ANYWHERE without an option to login!
Web Page Blocked!
So while it might work for what you are doing, but does NOT work in my setup
Seb
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get what you are saying and in my opinion that is just very bad logic in what you described. Basically you are stating you want unknown users the ability to browse anywhere. That implies someone could connect a rougue device and introduce malicious content into your network. I am sure there are much better ways to achieve what your end goal is. If you truly believe your logic is correct just create a rule allowing access with no security profiles. That would allow any device / user hitting that rule access to the entire web but I still be it is a flawed design as I believe most others would. I have completed several dozen installations for clients and have never heard anyone request any such design.
Good luck
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I see you do not understand at all!
That is exactly what I do NOT want (and no network admin ever would want), but that what your "solution" creates as byproduct
All I want is unrestricted access to a couple of wildcard domains that must be accessible by Windows 10 updates EVEN if local WSUS is used.
And Fortinet simply can not do it!
Seb
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've setup dozens of installations that have WSUS get updates. It is actually quite easy and common setup. Not sure why you are having so much trouble. Maybe you simply do not understand.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tell you while you do not have problems, because you never tried to make machines get updates with no user logged in, or one of your rules leaks such access, or you have Do not connect to any Windows Update Internet locations: Enabled (which by the way affects in random way access to ie Windows Store)
Please read the whole explanation here - Why WSUS and SCCM managed clients are reaching out to Microsoft Online
Maybe you can learn something new?
Seb
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to help but maybe you don't really want it. You sound more interested in bashing a product's features that you don't really know how to implement properly.
No user auth required for WSUS servers to properly get updates from the Internet. You just need to know how to configure your policies. Again, not sure why this works for hundreds of clients and not you.
Good luck.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see you can not even read (or can't be bothered or do not understand what you read)
You tried to help, you failed. No need to defend the product that is not capable to do what it should
End of
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like I said, good luck. Works fine for me and dozens of others. Try thinking about it differently and maybe you will see the answer.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,718 -
FortiClient
1,767 -
5.2
801 -
FortiManager
732 -
5.4
639 -
FortiAnalyzer
559 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1714 | |
| 1093 | |
| 752 | |
| 447 | |
| 232 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.