Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CrawfCol
New Contributor

Restrict Internet Access for certain Hosts

We have a number of Hosts on our network, where we would like to limit the URLs they can access out on the Internet.

 

They will be limited to accessing only a small number of specific URLs.

 

I'm pretty sure this can be done, using Address Groups and Addresses maybe (MAC Address).  But has anyone done this and can they point me to a good guide?

6 REPLIES 6
nomeursy
New Contributor III

If you only want to allow FQDN's then you can add teh specific FQDN as a Address_Object and group them in an Address_Group. Then allow in a policy only HTTP(s) to this Address_Group.

If you want to use a URL, then you could do it with URL filters on the WEB-filter but if I remember correctly, you need to enable SSL deepinspection when the URL's are HTTPS

Debbie_FTNT

Deep-inspection is NOT required for HTTPS websites, but certificate inspection is; FortiGate will pull URL information from the certificate subject and subject Alternate Name fields for webfiltering purposes.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
chatroomwebcam
New Contributor

Bandwidth Management: Bandwidth abuse causes severe latency and network crashes. Organizations will use a bandwidth analyzer to identify the users and websites responsible for the excessive bandwidth usage, later adding them to their internet blacklist to prevent future abuse. Network & Computer Security: By preventing users from accessing malicious websites that are known to contain malware, an internet filter provides critical security controls for protecting sensitive data Productivity Management: Content filters are used to block access to distracting websites and computer applications such as social media sites, computer games, and video streaming services.

Chatroom
bpozdena_FTNT

There are many ways to achieve this behavior. The bellow suggestion assumes the hosts in question have Fortigate's IP address set as the default gateway:

 

1)Create MAC address objects for your hosts and specify them as source in your firewall policy [Ref.: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/485133/mac-address-based-policies ]

2)Create a webfilter profile where only the URLs you need are allowed, then add the webfilter profile to the above firewall policy.  [Ref.: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/615462/url-filter ]

 

Note that most websites require whitelisting of multiple domain names to load properly. Always use developer tools in your browser to see which resource is not accessible and whitelist it in your URL filter as needed. [ Ref: https://developer.chrome.com/docs/devtools/network/ ]

HTH,
Boris
jboyssac95
New Contributor

pavankr5
Staff
Staff

Hello ,

 

Please check this article on configuring FortiGate Firewall Policy to block traffic for one or more IP addresses 
https://community.fortinet.com/t5/FortiGate/Technical-Note-Configuring-FortiGate-Firewall-Policy-to-... 
let us know if you have any queries.

Thanks

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors