- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Setting up multiple web filter policies (Fortigate...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting up multiple web filter policies (Fortigate 60E, 6.0.12)
Hello,
So first off, let me start by prefacing all of this with the fact that I have next to nothing for experience with firewalls. I am the sole IT person for this company and was thrust into this role when the company I used to worked for sold off the site I was based out of and, well, I went with the sale. (I was working as IT for them, for several years, but they had certain duties and responsibilities siloed off, so if you had an issue with something that was outside of your responsibility, you were required to contact someone else. As such, prior to the sale, I never had an opportunity to learn anything about firewalls.) When the sale happened, I was able to pull in an engineer I knew to help with initial planning and setting up of everything (including this firewall), but as of now the company has next to nothing for money, so I'm on my own.
I'm trying to reconfigure this firewall so that instead of its using 1 web filter for everyone, it has multiple that can be applied based on the user's AD group. I have figured out how to enable multiple profiles (System -> Feature Visibility -> Multiple Security Profiles) and created a new web filter I'm labeling as "Restricted Web Access". To start, I've set it to block everything except for a couple specific websites related to our email (and I'm still learning how to properly use the filters, so I may have done something wrong here, too).
Next, I created the user group that this was going to apply to. Now, the engineer we had hired previously, when he setup our VPN access and tied it to an AD user group, he did so via RADIUS (none of the online documentation I've found so far sets up a web filter policy with RADIUS). As this is our sole firewall and I'm trying hard not to accidentally goof anything up, I'm just trying to follow in his footsteps. In AD, I created a new user group and called it "BBWebFilter-Restricted" (and added myself to it for testing purposes). In the firewall, I looked at what he had done for the "VPN Users" group and attempted to duplicate it, creating a "BBWebFilter-Restricted" user group on the firewall. For the Remote Groups of the user group, I added the remote server RADIUS connection he had setup, and left Groups as Any (as this is what he had done with the VPN Users group), though I have tried setting it for Specify and putting in the specific AD group name as well (and to be honest, I have no idea what I'm doing here... first time working with a RADIUS server connection).
Next, I attempted to setup the policy for it. Under Policy & Objects -> IPv4 Policy, the engineer already had an "OutboundTraffic" policy setup for all of our internet bound traffic and the default web filter applied to it. Again, using his policy as a template (and some online material I had found), I duplicated his setup in a new policy I called "Outbound Web Filter - Restricted", with the only changes being to add the "BBWebFilter-Restricted" user group into the Sources field, and set the web filter option to use the "Restricted Web Access" web filter I had created.
It doesn't seem to work. The default web filter policy is still being applied to my user account. When I created the new policy, I noticed that it listed it after the original policy and that it would let me reorder them, so on the assumption that order matters, I also dragged my new policy to be above the old. Still doesn't work.
Obviously I've done something wrong, but I don't have any idea what, and the material I can find online has setting up the AD server connection differently (either via Direct Poll or FSSO). I don't know if that matters? I mean, the VPN part seems to work just fine with the RADIUS server connection. If you're in the VPN Users AD group, you can connect. If you're not, you can't. (Though, as I'm getting ready to post this and just double checking through everything, I'm now seeing that he not only has a user group of VPN Users on the firewall, but he also created a user (non-group) VPN Users on the firewall??? So now I'm not so sure....)
If there's someone who has the patience to work through this with me, or if someone knows of a more detailed doc that's closer to the situation I'm dealing with, it would be appreciated.
I took some screenshots, but as this site is limiting me to 1 attachment max of 200 K, I've uploaded them to imgur.
[link]https://imgur.com/a/CQEftL0[/link]
Thank you.
Labels:
- Labels:
-
6.0
0 REPLIES 0
Related Posts
- Automatically Ban Malicious Inbound IPs using... 102 Views
- Moving away from Software Switches -... 154 Views
- SSH Session Time Out 95 Views
- Connect Fortigate to internet with 2... 203 Views
- Problem with FSSO removing users from... 227 Views
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.