Kubajs
New Contributor III

URL categories rules

Hello,
I'd like to ask your advice. I am building policies for my FortiGate and I am creating policies for URL categorization on AD groups (students at school
I want to ask what approach you prefer and what impact it will have on the firewall performance.
1. Disallowing blocked categories (**bleep**, spam, etc) and then only allowing all HTTP and HTTPS
2. Setting allowed categories on given user groups.

 

Thank you.

hbac
Staff

Hi @Kubajs,

Web filter allows/denies traffic based on categories. You can create different web filter profiles for different user groups.

Regards,

Kubajs
New Contributor III

Hello @hbac,

I know that. I just want to know what is better for FortiGate performance.

Or does it not matter?

Thanks

xshkurti
Staff

@Kubajs 
It doesn't matter. It will not affect performance.
In your case you should consider:
1. Allow http https
2. Allow categories based on AD user groups
3. Block everything else.

Kubajs
New Contributor III

Thank you very much. That's what I wanted to know :)

Kubajs
New Contributor III

Hello @xshkurti,

May I ask you what is better for allowing http and https?

Would you recommend selecting services in the rule, or creating a profile in application control where I enable only http and https?

Thanks

xshkurti

@Kubajs 
It depends on what level you are going to filter traffic at.

If you use a service rule, you will scan up to Layer 4 in the OSI model.

If you use application control, you will scan up to Layer 7, which means that you can also decrypt traffic and check what is going on inside encrypted https traffic.

Please note that if you enable an application control profile, you should also use certificate inspection.

So basically, with service inspection you are using standard firewall rules, while with an application control profile you are using NGFW features.

In my case, I would say to use both. Service in firewall policy destination field, and enable application control security profile.

 

Thanks.
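
Added example, not part of any post in this thread: a FortiOS CLI sketch of the layout the replies describe, with HTTP/HTTPS as the policy service, one web filter profile per AD group, an application control list with certificate inspection, and everything else left to the implicit deny. The interface names, group names and profile names are assumptions and must already exist on the device; the `#` lines are annotations.

```fortios
# Constructed names: "internal"/"wan1" interfaces, "AD-Students"/"AD-Teachers"
# user groups, "wf-students"/"wf-teachers" web filter profiles and the
# "app-web-only" application list are placeholders for your own objects.
config firewall policy
    edit 0
        set name "students-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "AD-Students"
        set action accept
        set schedule "always"
        # Layer 4 restriction: only the HTTP and HTTPS services match.
        set service "HTTP" "HTTPS"
        # Layer 7 checks: per-group category filtering plus application control.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-students"
        set application-list "app-web-only"
        set logtraffic all
        set nat enable
    next
    edit 0
        set name "teachers-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "AD-Teachers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-teachers"
        set application-list "app-web-only"
        set logtraffic all
        set nat enable
    next
end
# No broader accept policy follows for these groups, so traffic that matches
# neither policy falls through to the implicit deny ("block everything else").
```

`edit 0` asks FortiOS to assign the next free policy ID, so the fragment does not overwrite an existing policy.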

 
