Support Forum
McWoodley
New Contributor

Web Filter precedence with membership to multiple groups

Hi all, I looked through the forum and searched but couldn't find anything on this topic. I am going to be setting up web filtering based off of Active Directory group membership. This will be on a FortiGate 100D running v5.0, build 4429. What I need to know is how group membership will be treated: will it be the most restrictive or the most permissive? I need to know how I should approach setting up policies. A new default policy that is very restrictive and then groups to allow access? Or a liberal policy, then restrict based on groups? What happens if the user is a member of multiple groups: is the most permissive setting applied or the most restrictive? Thanks!
11 REPLIES
HA
Contributor

Hello, identity policy search is done from top to down. If a user is a member of multiple groups, the first policy (and so its Web Filter profile, Application Control profile, etc.) matching one of the user's groups will be applied. That's pretty easy... Regards, HA
McWoodley
New Contributor

Thanks for the reply. That makes sense, but I guess I am still not clear on how not to include a category so another rule can process it. It is my understanding that when you set up profiles you have the options to Allow, Block, Monitor, Warning, Authenticate. Say I have a restrictive rule at the bottom that blocks everything. I then have a rule above it that allows basic access to Domain Users. Then I have a rule at the top that allows streaming media. Below that I have a rule that allows shopping. I want to have a user that is allowed to stream media but not shop, and vice versa a user that I want to allow to shop but not stream media. I don't see how I can exclude categories when setting up a profile. So for example, in the rule that only allows the additional access of streaming media, what would I set the level to for all other categories? I am guessing the permissive results are cumulative? So if the user is a member of streaming media and all else is blocked, that user is tagged for streaming media; it hits another rule that allows shopping but has all else blocked, then they are tagged to allow both streaming and shopping? So to verify, is it the most permissive rule that is applied, correct?
HA
Contributor

Hello, you need to understand first how the firewall matches a rule.
1. Source IP
2. Destination IP (or a specific FQDN like www.fortinet.com, NOT a domain name)
3. Destination port
4. Optional: group membership
Once a match occurs, a session is created and the traffic flow always uses that rule (so the WF profile, Application Control profile, etc. applied to that rule). In your case, you want to match a URL filter (like shopping)! It's not possible, because the destination URL category cannot be defined in step two. "I don't see how I can exclude categories when setting up a profile" Not possible! "I am guessing the permissive results are cumulative?" False. The first match in the policy applies. I'm also working with Palo Alto and they support such a kind of config... Regards, HA
McWoodley
New Contributor

Thanks again for your reply. I have also verified with support that only singular group membership is supported. I have to say this is very disappointing. I would have expected more from a "Next Generation" firewall. We will have to rethink the way we wish to deploy. Palo Alto was my first choice, but corporate had already invested in FortiGates, which are working well. We just hadn't used them as a web proxy.
McWoodley
New Contributor

OK, I am still learning this platform. What about, within the web filter profile, instead of choosing Allow, Block or Monitor you choose Authenticate? Then set that to a group that the user would be in? Seems that this would accomplish what I am looking to do. I think I just need to open a ticket and talk to one of their engineers :)
Bromont_FTNT
Staff

You set up groups on AD to send to the FortiGate... All users should fall into one of those groups. On the FortiGate you create multiple web filter profiles... One web filter profile would have just shopping, another just streaming, and another would have both (for example). Then in the firewall policy (identity based) you assign those profiles to the different user groups.
Bromont_FTNT
Staff

Yes... opening a ticket would be best to get everything sorted out.
HA
Contributor

Hello Bromont, it means that for every URL category you need to create an AD group, put each AD user into it, and create ID rules. What a management nightmare! Regards, HA
Bromont_FTNT

HA, not sure what you mean; however, let's take the example of a school... You have Students, Teachers and Admins. For web filtering, everyone will be a member of one of those groups in AD. The collector agent is configured to send those 3 groups to the FortiGate. Now on the FortiGate you'll create 3 different web filter profiles:
Admins have access to everything. No restrictions.
Teachers have Adult/Mature and Security Risk blocked.
Students have Adult/Mature, Security Risk, Bandwidth Consuming and Social Networking blocked.
Now create 1 User Identity firewall policy (internal interface --> Internet). Under authentication rules you'll create 3 rules for your 3 groups and apply the appropriate web filter profiles.
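The behaviour described in this thread (HA's "first match, top down, no merging" and Bromont's "one profile per combination, most specific first") can be checked before touching the box. The following is an added illustrative Python model of the matching logic, not FortiOS code and not from any poster; the group names, profile names, category names and users are constructed assumptions, not real FortiGuard categories. It reproduces the original poster's proposed rule order, shows why a user in both the streaming and the shopping groups loses shopping access, and includes a small lint (shadowed_access) that reports every user for whom a later matching rule would have allowed something the winning rule blocks.

```python
"""Model of FortiGate identity-based policy matching as described in this thread:
rules are searched top-down and the first rule whose group the user belongs to
wins; profiles from later matching rules are never merged.  This is an added,
illustrative Python model, not FortiOS code; the group names, profile names and
category names below are assumptions, not real FortiGuard identifiers."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed category set for the example (not the FortiGuard category list).
CATEGORIES: FrozenSet[str] = frozenset(
    {"news", "streaming", "shopping", "adult", "security-risk", "social"})
RISKY: FrozenSet[str] = frozenset({"adult", "security-risk"})


@dataclass(frozen=True)
class WebFilterProfile:
    name: str
    blocked: FrozenSet[str]  # categories this profile blocks; anything else is allowed

    def allows(self, category: str) -> bool:
        return category not in self.blocked


@dataclass(frozen=True)
class IdentityRule:
    group: str                 # AD group the rule matches (assumed name)
    profile: WebFilterProfile  # profile applied when this rule is the first match


# Profiles modelled on the thread: one for "basic" users, one per extra privilege,
# and one combined profile (the approach suggested in the replies).
BASIC = WebFilterProfile("basic_wf", RISKY | {"streaming", "shopping", "social"})
STREAMING_ONLY = WebFilterProfile("streaming_wf", RISKY | {"shopping", "social"})
SHOPPING_ONLY = WebFilterProfile("shopping_wf", RISKY | {"streaming", "social"})
STREAM_AND_SHOP = WebFilterProfile("stream_shop_wf", RISKY | {"social"})

# Rule order as proposed in the question: streaming on top, shopping next, then everyone.
NAIVE_RULES: List[IdentityRule] = [
    IdentityRule("StreamingMedia", STREAMING_ONLY),
    IdentityRule("Shopping", SHOPPING_ONLY),
    IdentityRule("Domain Users", BASIC),
]
# Fix: a dedicated group for the combination, with its rule placed first (most specific first).
FIXED_RULES: List[IdentityRule] = [IdentityRule("StreamingAndShopping", STREAM_AND_SHOP)] + NAIVE_RULES

# Constructed users and their AD group memberships.
USERS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "StreamingMedia", "Shopping"},
    "bob": {"Domain Users", "Shopping"},
    "carol": {"Domain Users"},
}
FIXED_USERS: Dict[str, Set[str]] = {**USERS, "alice": USERS["alice"] | {"StreamingAndShopping"}}


def first_match(rules: List[IdentityRule], user_groups: Set[str]) -> Optional[IdentityRule]:
    """Top-down search; the first rule whose group the user is in wins.
    None means no identity rule matched (the traffic falls through to the deny)."""
    for rule in rules:
        if rule.group in user_groups:
            return rule
    return None


def allowed(rules: List[IdentityRule], user_groups: Set[str], category: str) -> bool:
    """Is this category allowed for a user with these groups under this rule order?"""
    rule = first_match(rules, user_groups)
    return rule is not None and rule.profile.allows(category)


def shadowed_access(rules: List[IdentityRule], users: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Lint the rule order: for each user, the categories that some later rule they also
    match would allow but the winning rule blocks.  A non-empty result is exactly the
    'I expected the most permissive rule' surprise from the thread."""
    findings: Dict[str, Set[str]] = {}
    for user, groups in users.items():
        winner = first_match(rules, groups)
        if winner is None:
            continue
        lost: Set[str] = set()
        for rule in rules:
            if rule is winner or rule.group not in groups:
                continue  # not a competing match for this user
            lost |= {c for c in CATEGORIES
                     if rule.profile.allows(c) and not winner.profile.allows(c)}
        if lost:
            findings[user] = lost
    return findings


if __name__ == "__main__":
    print("naive order, alice shopping:", allowed(NAIVE_RULES, USERS["alice"], "shopping"))
    print("naive order, shadowed:", shadowed_access(NAIVE_RULES, USERS))
    print("fixed order, alice shopping:", allowed(FIXED_RULES, FIXED_USERS["alice"], "shopping"))
    print("fixed order, shadowed:", shadowed_access(FIXED_RULES, FIXED_USERS))
```

With the naive order the lint reports alice losing shopping, because the StreamingMedia rule wins and its profile blocks shopping; her Shopping membership is never consulted. Adding a combined group and placing its rule above the single-privilege rules clears the finding. The same check can be run against an export of real group memberships and the intended rule order to catch users who would be silently downgraded.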