rzahraoui
New Contributor

Web Filter issue

Hi All,

 

I have a FGT 100D with the latest version 5.2.2, and I am trying to implement web filter profiles using proxy mode.

 

Could you tell me if I can apply two or more web filter profiles to a given group (FSSO groups in my case)?

My issue is that when I use policies to do this, only the rule on the top will be applied and the second one will be ignored (example in attachment). This is just an example to illustrate the issue.

 

The ideal would be to combine FSSO groups with web filtering profiles without going through firewall rules/policies. Is this possible?

 

Many thanks for your help.

 

 

 

1 Solution
iJake
Contributor

You can't use multiple profiles for the same group. Your best bet would be to apply a policy to the more specific groups and put them above the more general group policies. So if you have a user in two groups, use the second group to make a policy and put it above the primary group's policy.

 

Alternatively, you can use LDAP w/ FSSO and populate your FSSO groups with specific users, and apply policy to them that way.

 

But to clarify, you can't have group A filtered by 1 policy, then filter it again with another policy.

......

-Jake

4 REPLIES
iJake
Contributor

The first rule to match the traffic will be enforced on that traffic. It will not continue down the list. So you can't apply a policy to traffic if a policy has already been applied. If you want to change the users that are hit by that rule, you will need to break down the FSSO groups or if certain users are on certain subnets, you can use both IP Address objects and FSSO groups to match your traffic.

 

If you implement LDAP with FSSO and set your collector agent to advanced mode, you can put specific users in an FSSO group, which might also solve your problem.

 

That being said, if you want all users within a group to have the same policy, then there's no need to have two web filtering policies for that one group.

......

-Jake
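The first-match behaviour Jake describes above (a session is matched by the first policy whose criteria fit, and later policies are never consulted), and his suggested fix of placing the more specific group's policy above the general one, can be simulated outside the appliance. The following is an added illustration, not FortiOS code and not from the original post; the policy names, group names, subnets, users and IP addresses are constructed for the example, and the matching rules are a simplified model of a FortiGate policy table (group membership plus an optional source address object), not the full policy engine.

```python
"""Simulate first-match firewall policy lookup for FSSO group members.

Constructed example: models a policy list the way a FortiGate evaluates it
(top to bottom, first match wins) so that policy ordering mistakes can be
spotted before they reach the appliance. Not FortiOS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    groups: FrozenSet[str]          # FSSO groups matched; empty set = any user
    src_subnet: Optional[str]       # optional source address object, None = any
    webfilter_profile: Optional[str]  # profile applied when this policy matches


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]          # every FSSO group the user belongs to
    src_ip: str


def matches(policy: Policy, session: Session) -> bool:
    """A policy matches when the user is in at least one of its groups
    and (if a source subnet is set) the client IP lies inside it."""
    if policy.groups and not (policy.groups & session.groups):
        return False
    if policy.src_subnet is not None:
        net = ipaddress.ip_network(policy.src_subnet)
        if ipaddress.ip_address(session.src_ip) not in net:
            return False
    return True


def applied_profile(policies: List[Policy], session: Session) -> Tuple[Optional[str], Optional[str]]:
    """First-match lookup: returns (policy name, web filter profile) of the
    first matching policy. Later policies are never consulted, so a user in
    two groups only ever gets the profile of the policy listed highest.
    Returns (None, None) when nothing matches (implicit deny)."""
    for policy in policies:
        if matches(policy, session):
            return policy.name, policy.webfilter_profile
    return None, None


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Ordering check: a policy is unreachable when an earlier policy already
    matches every session it could match (same or broader groups, same or
    broader subnet). Use it to catch a specific-group policy that was placed
    below the general policy by mistake."""
    shadowed = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            groups_covered = not earlier.groups or later.groups <= earlier.groups
            if earlier.src_subnet is None:
                subnet_covered = True
            elif later.src_subnet is None:
                subnet_covered = False
            else:
                subnet_covered = ipaddress.ip_network(later.src_subnet).subnet_of(
                    ipaddress.ip_network(earlier.src_subnet))
            if groups_covered and subnet_covered:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample data: two groups, one user who is in both.
STAFF_POLICY = Policy("staff-web", frozenset({"Staff"}), None, "wf-staff")
FINANCE_POLICY = Policy("finance-web", frozenset({"Finance"}), None, "wf-finance")
LAB_POLICY = Policy("lab-staff-web", frozenset({"Staff"}), "10.20.0.0/24", "wf-lab")

ALICE = Session("alice", frozenset({"Staff", "Finance"}), "10.10.0.5")
BOB = Session("bob", frozenset({"Staff"}), "10.20.0.9")

# General group listed first: alice never reaches the Finance policy.
BROKEN_ORDER = [STAFF_POLICY, FINANCE_POLICY]
# Specific groups (and group+subnet combinations) listed above the general one.
FIXED_ORDER = [FINANCE_POLICY, LAB_POLICY, STAFF_POLICY]

if __name__ == "__main__":
    for label, table in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        for s in (ALICE, BOB):
            print(label, s.user, applied_profile(table, s))
        print(label, "shadowed:", shadowed_policies(table))
    print("lab below staff, shadowed:", shadowed_policies([STAFF_POLICY, LAB_POLICY]))
```

With the general "Staff" policy on top, alice (Staff and Finance) is always handled by the staff profile; moving the Finance policy above it gives her the finance profile while bob still falls through to the staff policy. `shadowed_policies` is the check to run after reordering: a group-plus-subnet policy placed below the plain group policy is reported as unreachable, which is exactly the "second rule is ignored" symptom from the question.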
rzahraoui
New Contributor

Hi,

 

Thanks for your reply,

To answer your last remark, I will (in my case) have some users who are members of multiple groups, so I would need to assign this kind of "mutualised" user to multiple web filter profiles. So, as you said, if a user is matched by a firewall rule, only the web filtering profile associated with that rule will be applied. And this is the issue.

 

That's why I asked if we can associate multiple web filter profiles with an FSSO group, or otherwise, when we implement a web filter profile, whether the action can just authorize the URLs we enter without a block-all at the end (because currently, without it, all the web traffic passes).

 

 

lunhas2k4
New Contributor II

Hi Rzahraoui,

 

Did you follow iJake's lead? Were you able to get it working? He is right, that is the only way to get what you want working.

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)
