URL categories rules
Hello,
I'd like to ask your advice. I am building policies for my FortiGate and I am creating policies for URL categorization on AD groups (students at school).
I want to ask what approach you prefer and what impact it will have on the firewall performance.
1. Disallowing blocked categories (**bleep**, spam, etc.) and then only allowing all HTTP and HTTPS.
2. Setting allowed categories on given user groups.
Thank you.
Hi @Kubajs,
Web filter allows/denies traffic based on categories. You can create different web filter profiles for different user groups.
Regards,
Hello @hbac,
I know that, I just want to know, what is better for FortiGate performance.
Or does it not matter?
Thanks
@Kubajs
It doesn't matter. It will not affect performance.
In your case you should consider:
1. Allow http https
2. Allow categories based on AD user groups
3. Block everything else.
Thank you very much. That's what I wanted to know :)
Hello @xshkurti,
may I ask you what is better for allowing HTTP and HTTPS?
Do you recommend selecting services in the rule, or creating a profile in application control where I enable only HTTP and HTTPS?
Thanks
@Kubajs
It depends on what level you are going to filter traffic at.
If you use a service rule, you will scan up to Layer 4 in the OSI model.
If you use application control, you will scan up to Layer 7, which means that you can also decrypt traffic and check what is going on inside encrypted HTTPS traffic.
Please note that if you enable an application control profile, you should also use certificate inspection.
So basically, with service inspection you are using standard firewall rules, while with an application control profile you are using NGFW features.
In my case, I would say to use both: set the service in the firewall policy destination field, and enable an application control security profile.
Thanks.
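
The layout suggested in the replies above (HTTP/HTTPS as the policy service, a web filter profile per AD group, an application control profile with certificate inspection, everything else left to the implicit deny), written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the interface names, the group name `AD-Students`, the profile names `wf-students` and `app-students`, and the choice of blocked category IDs are assumptions to replace with the unit's own values.

```fortios
# Assumed names throughout: port1/port2, AD-Students, wf-students, app-students.
# Category IDs are examples; list the unit's own IDs with "set category ?".
config webfilter profile
    edit "wf-students"
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
end

# One policy per AD group: Layer 4 restriction via "service",
# Layer 7 checks via the attached security profiles.
config firewall policy
    edit 0
        set name "students-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "AD-Students"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-students"
        set application-list "app-students"
        set nat enable
    next
end
# No explicit final rule: traffic matching no policy hits the implicit deny.
```

The `app-students` application list is assumed to exist already; repeat the policy with a different group and profile pair for each AD group.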