We have a number of Hosts on our network, where we would like to limit the URLs they can access out on the Internet.
They will be limited to accessing only a small number of specific URLs.
I'm pretty sure this can be done, using Address Groups and Addresses maybe (MAC Address). But has anyone done this and can they point me to a good guide?
If you only want to allow FQDNs then you can add the specific FQDN as an Address_Object and group them in an Address_Group. Then allow in a policy only HTTP(s) to this Address_Group.
If you want to use a URL, then you could do it with URL filters on the WEB-filter but if I remember correctly, you need to enable SSL deep inspection when the URLs are HTTPS.
Deep-inspection is NOT required for HTTPS websites, but certificate inspection is; FortiGate will pull URL information from the certificate subject and subject Alternate Name fields for webfiltering purposes.
Bandwidth Management: Bandwidth abuse causes severe latency and network crashes. Organizations will use a bandwidth analyzer to identify the users and websites responsible for the excessive bandwidth usage, later adding them to their internet blacklist to prevent future abuse.
Network & Computer Security: By preventing users from accessing malicious websites that are known to contain malware, an internet filter provides critical security controls for protecting sensitive data.
Productivity Management: Content filters are used to block access to distracting websites and computer applications such as social media sites, computer games, and video streaming services.
There are many ways to achieve this behavior. The below suggestion assumes the hosts in question have FortiGate's IP address set as the default gateway:
1) Create MAC address objects for your hosts and specify them as source in your firewall policy [Ref.: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/485133/mac-address-based-policies ]
2) Create a webfilter profile where only the URLs you need are allowed, then add the webfilter profile to the above firewall policy. [Ref.: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/615462/url-filter ]
Note that most websites require whitelisting of multiple domain names to load properly. Always use developer tools in your browser to see which resource is not accessible and whitelist it in your URL filter as needed. [ Ref: https://developer.chrome.com/docs/devtools/network/ ]
Found this example that may work: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/701862/blocking-facebook-with-web-filter...
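An added example, not part of any reply in this thread: the advice above to use browser developer tools to find which resources a page still needs can be scripted against a HAR file exported from the DevTools Network panel. The sketch below lists the hostnames whose requests failed, which are the names to review for the URL filter; the sample HAR data and the function names `hosts_from_har` and `allowlist_candidates` are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR fragment in the shape DevTools exports; not real traffic.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://portal.example.com/login"}, "response": {"status": 200}},
    {"request": {"url": "https://cdn.example.net/app.js"}, "response": {"status": 0}},
    {"request": {"url": "https://cdn.example.net/app.css"}, "response": {"status": 0}},
    {"request": {"url": "https://fonts.example.org/a.woff2"}, "response": {"status": 403}},
    {"request": {"url": "https://portal.example.com/api/me"}, "response": {"status": 200}},
    {"request": {"url": "data:image/png;base64,AAAA"}, "response": {"status": 200}},
]}})


def hosts_from_har(har_text):
    """Return {hostname: {"ok": n, "failed": n}} for every http(s) request."""
    hosts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip data:, blob:, extension URLs and similar
        status = entry.get("response", {}).get("status", 0)
        # Status 0 means no response was received; >= 400 covers error or block pages.
        bucket = "failed" if status == 0 or status >= 400 else "ok"
        counts = hosts.setdefault(parts.hostname.lower(), {"ok": 0, "failed": 0})
        counts[bucket] += 1
    return hosts


def allowlist_candidates(har_text, already_allowed=()):
    """Hosts with at least one failed request that are not yet on the allow list."""
    allowed = {h.lower() for h in already_allowed}
    return sorted(h for h, c in hosts_from_har(har_text).items()
                  if c["failed"] and h not in allowed)


if __name__ == "__main__":
    for host, c in sorted(hosts_from_har(SAMPLE_HAR).items()):
        print(f"{host:25} ok={c['ok']} failed={c['failed']}")
    print("review before allowing:",
          allowlist_candidates(SAMPLE_HAR, ["portal.example.com"]))
```

Each candidate should be checked against what the application actually needs before it is added, since a failed request may also be to a tracker or advertising host that should stay blocked.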
Hello,
Please check this article on configuring FortiGate Firewall Policy to block traffic for one or more IP addresses
https://community.fortinet.com/t5/FortiGate/Technical-Note-Configuring-FortiGate-Firewall-Policy-to-...
Let us know if you have any queries.
Thanks