Umesh
Contributor

Only specific website || Fortigate Firewall ||

Hi ALL,

We have a requirement for websites: we want to allow only specific websites at the FortiGate firewall, but we don't have any web filter license on the firewall.

 

I want to confirm whether we can do it or not.

Yurisk
Valued Contributor

Hi, yes, you can, using the static URL filter list in Web Filtering.

E.g. here I allow example.com and then block anything else:

 

[Image: Fortigate static URL filter]

 

Then use this static-filter profile in the security rules for outgoing web traffic.

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
msanjaypadma
Staff

Hi Umesh,

 

You can use an FQDN or wildcard FQDN-based policy, where you specify the required website URL/FQDN as an address object, call that address object in a firewall policy, and set the action to Accept.

Refer to the article below for the same:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/329154/support-for-wildcard-fqdn-add...

 

Thanks,

Mayur Padma

pbangari
Staff

Adding to the above configuration suggestion, make sure that the client and the FortiGate resolve the FQDN to the same IP address.

sw2090
Honored Contributor

You cannot use the URL filter as suggested by Yuri unless you have a valid web filter license.

But FQDN objects as suggested by Mayur will work.

Just create a policy that allows internet traffic only to this FQDN (or these FQDNs) and make sure anything else does not match any internet policy, so it will be dropped by the implicit deny policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
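The FQDN-based allow list that Mayur, pbangari and sw2090 describe, written out as a FortiOS CLI fragment. This is an added example, not configuration posted in the thread. It assumes a LAN interface named "internal", a WAN interface named "wan1", a constructed DNS server address 192.0.2.53 that the clients use, and "example.com" as the one permitted site; swap in your own names and values.

```fortios
# Added example (not from the thread). Assumed interface names: "internal"
# (LAN) and "wan1". 192.0.2.53 is a constructed placeholder for the DNS
# server the clients actually use.

# 1. Address objects. A plain FQDN object is resolved by the FortiGate itself;
#    a wildcard FQDN object is populated from DNS replies that pass through
#    the FortiGate, so it stays empty unless clients resolve via the firewall.
config firewall address
    edit "fqdn-example-com"
        set type fqdn
        set fqdn "example.com"
    next
    edit "dns-server"
        set subnet 192.0.2.53 255.255.255.255
    next
end

config firewall wildcard-fqdn custom
    edit "wildcard-example-com"
        set wildcard-fqdn "*.example.com"
    next
end

config firewall policy
    # 2. Let clients reach their DNS server through the FortiGate, so client
    #    and firewall see the same answers (pbangari's point) and the wildcard
    #    object gets populated.
    edit 10
        set name "allow-dns"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "dns-server"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    # 3. Allow web traffic only to the permitted names. No other outbound
    #    policy is defined, so everything else falls to the implicit deny.
    edit 11
        set name "allow-only-example-com"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "fqdn-example-com" "wildcard-example-com"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end

# 4. Check which IPs the FortiGate has resolved or learned for each object and
#    compare them with what a client gets from nslookup/dig.
diagnose firewall fqdn list
```

If the FQDN objects show no IPs, or different IPs from the clients, the allow policy will not match and the traffic will be dropped by the implicit deny; that is the failure mode pbangari's reply is warning about, and the DNS policy plus the `diagnose` check are how you confirm it is not happening.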
henryweaver
New Contributor

If you're looking to restrict access to specific websites on a FortiGate firewall without a web filter license, you might have limited options, since web filtering functionality is typically associated with such licenses. Check the options below:

  1. DNS Filtering: You could create DNS policies that resolve specific domain names to an invalid or non-existent IP address. This can effectively block access to those websites, but it's not foolproof since users could potentially change their DNS settings.

  2. IP Address Blocking: If you know the IP addresses of the websites you want to block, you could create firewall policies to deny traffic to those specific IPs. This might be effective, but IP addresses can change and websites can have multiple IP addresses.

  3. Custom Firewall Rules: You can create custom firewall rules to block traffic to specific ports or IP ranges associated with the websites you want to restrict. This is a manual process and may not be as accurate as using a web filter.

  4. Hosts File Modification: On individual devices, you could modify the hosts file to redirect specific domain names to a non-existent IP address. This would block access to those domains on that particular device.
