Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
alinbuletin
New Contributor

SSO, web filtering and facebook.com

Hi support,

I’ve been trying for more than 2 days now to block facebook.com for some users in our company.

Here is the situation: FSSO is installed on my domain controller so that I can filter Internet access for 3 groups of users. This filtering works fine at the moment.

Now I’m trying to restrict things even more and block Facebook, JUST for one of these groups.

I was looking at the FortiGate document “blocking facebook.pdf” that is on the Internet; it works fine, except that ALL HTTPS traffic is blocked if SSL/SSH inspection is activated. Even if I override these filters it is not working.

Is there any way to block JUST facebook.com for JUST one Active Directory group?

Thanks,

5 REPLIES
tcprado
New Contributor

Maybe you'll be able to help me. I'm trying the same thing, but I'm still unable to work on Single Sign On. Currently I only want authenticated users to surf the web, but it just doesn't happen. They get sent to the last rule that blocks all, as if the FortiGate was unable to identify that they are members of the group.

anshumansingh
New Contributor

I am having exactly the same problem.

Dave_Hall

Hi Anshuman.

Welcome to the forums.

You are responding to an age-old post. Can you provide us with the firmware/model running on the FGT, and more info on your problem? Also, how are you currently attempting to block Facebook (web filter, URL filter, app control, etc.)?

Facebook uses a wildcard (*) security certificate, so if your FGT is not performing "deep inspection", it will likely only see HTTPS connections to "*.facebook.com"; so using a wildcard URL block (e.g. "*.facebook.com") should block it.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
anshumansingh

Dear Hall,

Thank you very much for your response on this thread. Actually, I am a little bit frustrated with the support that FortiGate TAC has provided me on this case. I have case numbers as well (1631638 && 1629447) which have been going on for weeks, but I haven't got any concrete solution till now. Okay, now speaking about my scenario: I have attached the network diagram, where I am using this FortiGate 200D behind a Cisco ASA and I want to use it for the UTM features (especially web filtering). Now I have created two virtual domains on my FortiGate unit (as you can see in the rough network diagram that I have attached), one VDOM for the internal network and one for the guest network, and I have configured both of them in Transparent mode. Now I have integrated my LDAP (Active Directory server) with my VDOM-INTERNAL to enforce policies based on user group levels. I have also configured the FSSO collector on my AD server and integrated the FSSO agent inside the FortiGate unit (with administrator credentials). Now I can also monitor the users logging in through the AD inside my Traffic logs.

But unfortunately, I am unable to enforce any policy based on my user groups. Whenever I try to do that with deep inspection on, the whole Internet connectivity goes down. I am also attaching my config file. I will really be very thankful if I get a resolution on this matter.

I have tried every possible way to rectify this issue, but still no luck.

I cannot attach any conf file or any image here; if possible, please reply to me with your email ID where I can send you all the details.

Thanks in advance.

Anshuman Singh, anshuman.singh@netsoftit.com

+971555012936

razor
New Contributor III

You probably activated "deep inspection". This requires a certificate installed on the clients to perform SSL inspection. If you activate certificate inspection you are still able to block websites, because this feature uses the common name from the certificates to block websites.

Fortinet Network Security Professional (NSE4)
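The two replies above make the same point from different sides: without decryption, the firewall only sees cleartext TLS names (the Server Name Indication in the ClientHello and the wildcard *.facebook.com name on the certificate), and a wildcard URL-filter entry on that name is enough to block the site, while deep inspection additionally needs the device's CA certificate on every client. The script below is an added example written for this thread, not FortiGate code or Fortinet's implementation. It parses the SNI out of a ClientHello and applies a "*.facebook.com" block entry only for one user group, leaving the other group on the default. The ClientHello bytes, the group names and the per-group tables are constructed for the demonstration, and the rule that the wildcard also matches the apex name is an assumption of the example; a real device also reads the server certificate's CN/SAN names, which this example does not parse.

```python
"""Added example (not FortiGate/Fortinet code): block an HTTPS site by its
cleartext TLS name, the way a non-decrypting (certificate-inspection style)
policy must, and only for one user group.  Only the SNI is parsed here; a
real device also reads the server certificate's CN/SAN names."""
import struct


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS ClientHello record (test input, placeholder values)."""
    extensions = b""
    if include_sni:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"             # client_version TLS 1.2
            + b"\x11" * 32          # random (fixed placeholder)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\x13\x01"   # cipher_suites: one placeholder suite
            + b"\x01\x00"           # compression_methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(record: bytes):
    """Return the SNI host_name, or None for truncated records and for
    ClientHellos without SNI (old clients, encrypted ClientHello)."""
    try:
        if record[0] != 0x16:                                  # not handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                      # not ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression
        if pos + 2 > len(body):
            return None                                        # no extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                # server_name
                p = pos + 2                                    # skip list length
                if body[p] == 0:                               # host_name entry
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    return body[p + 3:p + 3 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass
    return None


def host_matches(pattern: str, hostname: str) -> bool:
    """'*.example.com' entry match.  Assumption here: the apex name matches
    too, since that is what the wildcard certificate covers; a name that only
    contains the pattern (e.g. 'facebook.com.evil.test') must not match."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname == pattern[2:] or hostname.endswith(pattern[1:])
    return hostname == pattern


def filter_decision(record: bytes, entries, block_unknown: bool = False) -> str:
    """First matching (pattern, action) wins; block_unknown sets the verdict
    when no hostname can be read from the ClientHello."""
    host = sni_from_client_hello(record)
    if host is None:
        return "block" if block_unknown else "allow"
    for pattern, action in entries:
        if host_matches(pattern, host):
            return action
    return "allow"


# Constructed per-group tables: only one AD group carries the Facebook entry,
# like a policy matching that group alone with the stricter web-filter profile.
GROUP_FILTERS = {
    "EXAMPLE\\Social-Blocked": [("*.facebook.com", "block")],
    "EXAMPLE\\Staff": [],
}


def decision_for_user(group: str, record: bytes) -> str:
    return filter_decision(record, GROUP_FILTERS.get(group, []))


if __name__ == "__main__":
    hello = build_client_hello("www.facebook.com")
    for group in GROUP_FILTERS:
        print(group, sni_from_client_hello(hello), "->", decision_for_user(group, hello))
```

The `block_unknown` switch is the decision a policy has to make for ClientHellos that carry no readable name; defaulting it to allow keeps older clients working, and switching it to block is the stricter choice for the group that must not reach the site.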