Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Setting up multiple web filter policies (Fortigate 60E, 6.0.12)



So first off, let me start by prefacing all of this with the fact that I have next to nothing for experience with firewalls.  I am the sole IT person for this company and was thrust into this role when the company I used to worked for sold off the site I was based out of and, well, I went with the sale.  (I was working as IT for them, for several years, but they had certain duties and responsibilities siloed off, so if you had an issue with something that was outside of your responsibility, you were required to contact someone else.  As such, prior to the sale, I never had an opportunity to learn anything about firewalls.)  When the sale happened, I was able to pull in an engineer I knew to help with initial planning and setting up of everything (including this firewall), but as of now the company has next to nothing for money, so I'm on my own.


I'm trying to reconfigure this firewall so that instead of its using 1 web filter for everyone, it has multiple that can be applied based on the user's AD group.  I have figured out how to enable multiple profiles (System -> Feature Visibility -> Multiple Security Profiles) and created a new web filter I'm labeling as "Restricted Web Access".  To start, I've set it to block everything except for a couple specific websites related to our email (and I'm still learning how to properly use the filters, so I may have done something wrong here, too).


Next, I created the user group that this was going to apply to.  Now, the engineer we had hired previously, when he setup our VPN access and tied it to an AD user group, he did so via RADIUS (none of the online documentation I've found so far sets up a web filter policy with RADIUS).  As this is our sole firewall and I'm trying hard not to accidentally goof anything up, I'm just trying to follow in his footsteps.  In AD, I created a new user group and called it "BBWebFilter-Restricted" (and added myself to it for testing purposes).  In the firewall, I looked at what he had done for the "VPN Users" group and attempted to duplicate it, creating a "BBWebFilter-Restricted" user group on the firewall.  For the Remote Groups of the user group, I added the remote server RADIUS connection he had setup, and left Groups as Any (as this is what he had done with the VPN Users group), though I have tried setting it for Specify and putting in the specific AD group name as well (and to be honest, I have no idea what I'm doing here... first time working with a RADIUS server connection).


Next, I attempted to setup the policy for it.  Under Policy & Objects -> IPv4 Policy, the engineer already had an "OutboundTraffic" policy setup for all of our internet bound traffic and the default web filter applied to it.  Again, using his policy as a template (and some online material I had found), I duplicated his setup in a new policy I called "Outbound Web Filter - Restricted", with the only changes being to add the "BBWebFilter-Restricted" user group into the Sources field, and set the web filter option to use the "Restricted Web Access" web filter I had created.


It doesn't seem to work.  The default web filter policy is still being applied to my user account.  When I created the new policy, I noticed that it listed it after the original policy and that it would let me reorder them, so on the assumption that order matters, I also dragged my new policy to be above the old.  Still doesn't work.


Obviously I've done something wrong, but I don't have any idea what, and the material I can find online has setting up the AD server connection differently (either via Direct Poll or FSSO).  I don't know if that matters?  I mean, the VPN part seems to work just fine with the RADIUS server connection.  If you're in the VPN Users AD group, you can connect.  If you're not, you can't.  (Though, as I'm getting ready to post this and just double checking through everything, I'm now seeing that he not only has a user group of VPN Users on the firewall, but he also created a user (non-group) VPN Users on the firewall???  So now I'm not so sure....)


If there's someone who has the patience to work through this with me, or if someone knows of a more detailed doc that's closer to the situation I'm dealing with, it would be appreciated.


I took some screenshots, but as this site is limiting me to 1 attachment max of 200 K, I've uploaded them to imgur.



Thank you.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors