Hi,
should static entries have a higher priority than FortiGuard category based filter for both Block and Allow action?
I ask because I blocked Bandwidth Consuming category and then added a static URL rule *youtube.com with Allow action, but the youtube is still blocked.
The opposite works well: When Bandwidth Consuming is allowed and I add static *youtube.com with Block action, then only youtube is blocked and other sites like vimeo.com are not blocked.
FGT60B, FGT100A, FGT100D
Qeustions:
Do you have two policies for the category and static URL?
Did you run diag debug flow to ensure your hitting the policyid that your expecting
Is SSL inspection enabled?
PCNSE
NSE
StrongSwan
Hi emnoc,
For testing I created Web Filter profile, then policy with that profile. I placed this policy on top of other policies.
I can see in log it uses that policy:
Yes, the policy uses deep-inspection. It works the same way when I change to certificate-inspection. If in that Web Filter profile I change category to "allow" and edit static URL entry "*youtube.com" and change its action to "block", then it work as I expect: it blocks only youtube, not e.g. vimeo.
FGT60B, FGT100A, FGT100D
So what did the diag debug flow output show you?
PCNSE
NSE
StrongSwan
I know old thread - but in Google on URL static filter it came first, so worth having this answered.
Static URL filter has precedence over Category web filtering only in Block action. In Allow action the URL will still be handed over to the further checks including Category check. The only way to force 'allow' action via URL static filter is to use "Exempt" action which does prevent URL from being checked for category, BUT ... it also exempts this url from any other checks like AV/IPS so use with care.
This is relevant for any FortiOS version and no signs of change.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.