I'm configuring two FortiGate 800Cs in HA mode for 500-700 simultaneous users.
I would like to know which is better in terms of CPU and memory usage:
1. Four or five generic rules, each with its specific web filter (e.g. advanced, basic, etc. connections).
2. Separating the rules by department (almost twenty departments), with two rules per department (advanced and basic connections) and their specific web filters (almost 40).
I would like to do this with application rules too.
My primary goal is departmental rules. But I'm afraid of slowing down the FortiGates.
I'm using FortiOS 5.2.1
And of course, sorry for my English mistakes ;), but I don't like to use translators.
I would choose 1 if this was either a small company or a company wanting a standardized web browsing/filter policy "across the board".
Choosing 2 may pose its own problems as the 800C will be subject to the hard-coded max configuration values (e.g. max firewall objects/Web Filter/Profile/URL filters, etc.) placed on it. Keep the Maximum Values Table for the 800C in mind when you design/code the configuration. For example, while you can have a max 20000 Web Filter profiles, you are limited to a total 32 URL filter lists.
Personally, I am betting if you do create 20-something web filter profiles/URL filter lists (one per department), by and large most of them will be duplicate/identical policies. In this regard, choosing 2 for departmental rules, but 1 for the actual web filter profile/URL filter lists, may be the best of both worlds.
Actually I'm using the way you said. Lots of rules, but only a few Web Filters.
I have many problems with addresses in FQDN mode. So a lot of times I have to use IP addresses to bypass some filters. But IPs change, and lots of websites have lots of IPs.
This is the reason I would like to use Web Filters, because it's easier to do those "bypasses" by URL Filter exemptions in WF.
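The layout agreed on in this thread (per-department policies, a handful of shared web filter profiles, bypasses kept as URL-filter exemptions instead of IP objects) as an added FortiOS 5.2-style CLI sketch; it is not from the original posts or from Fortinet, and the interface names, address object, hostname and policy ID are constructed placeholders.

```fortios
# Shared URL-filter list: bypasses live here once, as exemptions,
# instead of as per-department IP address objects (hostname is a placeholder)
config webfilter urlfilter
    edit 1
        set name "shared-exemptions"
        config entries
            edit 1
                set url "updates.vendor.example"
                set type simple
                set action exempt
                set status enable
            next
        end
    next
end
# Two reusable profiles ("basic" and "advanced"); both reference the same list,
# so the 32-list limit on the 800C is never approached
config webfilter profile
    edit "basic"
        config web
            set urlfilter-table 1
        end
    next
    edit "advanced"
        config web
            set urlfilter-table 1
        end
    next
end
# One policy per department and tier; only srcaddr, the comment and the
# profile name change between departments (port1/port2/Finance_net assumed)
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Finance_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "basic"
        set profile-protocol-options "default"
        set comments "Finance - basic browsing"
        set nat enable
    next
end
```

Cloning policy 10 per department keeps the policy table departmental while the UTM inspection state stays limited to the two profiles, which is what keeps the CPU cost of web filtering roughly constant as departments are added.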