Hello,
I'd like to ask your advice. I am building policies for my FortiGate and I am creating policies for URL categorization on AD groups (students at school
I want to ask what approach you prefer and what impact it will have on the firewall performance.
1. Disallowing blocked categories (**bleep**, spam, etc) and then only allowing all HTTP and HTTPS
2. Setting allowed categories on given user groups.
Thank you.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@Kubajs
It doesn't matter. It will not affect performance.
In your case you should consider:
1. Allow http https
2. Allow categories based on AD user groups
3. Block everything else.
Hi @Kubajs,
Web filter allows/denies traffic based on categories. You can create different web filter profiles for different user groups.
Regards,
Hello @hbac ,
I know that, I just want to know, what is better for FortiGate performance.
Or does it not matter?
Thanks
@Kubajs
It doesn't matter. It will not affect performance.
In your case you should consider:
1. Allow http https
2. Allow categories based on AD user groups
3. Block everything else.
Thank you very much. That's what I wanted to know :)
Hello @xshkurti ,
may I ask you what is better for allowing http and https?
Do you recommend rather to select services in rule or create a profile in application control where I enable only http and https?
Thanks
@Kubajs
It deppends on what level are you going to filter traffic.
If you use service rule, you will scan up to Layer 4 in OSI model.
If you use application control you will scan up to Layer 7, which means that you can also decrypt traffic and check what is going on inside encrypted https traffic.
Please note that if you enable application control profile, you should also use certificate inspection.
So basically with service inspection, you are using standard firewall rules, while with application control profile, you are using NGFW features.
In my case, I would say to use both. Service in firewall policy destination field, and enable application control security profile.
Thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.