Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nickesh_k
New Contributor

Web Rating overrides not working as expected with proxy address with URL category.

Hi all,

I have configured SSO with the DC. The DC maintains multiple groups with multiple users for different levels of access to the internet depending on the category, such as social media, web-based mail, etc. The web-filter profile was out of the question, as it matches the first policy and denies all the categories for the users that are in other groups.

The proxy addresses with the URL category in the destination parameter helped us to allow the traffic and match all the policies configured.

While configuring the proxy address with the URL category we had to override certain websites to a different category. The web rating override is configured and the site is mapped to a different category. In the screenshot you can see that a site from the Finance and Banking category is overridden to the Brokerage and Trading category.

There is a different policy for a specific user group that is allowed to access Brokerage and Trading, and the Domain Users group is not supposed to access the overridden site, but the traffic is accepted by the default FortiGuard category. The placement of the policy has no effect on the top-to-bottom approach.

But the policy with the original FortiGuard category can still access the overridden category in FortiProxy.
Even with the FortiGate configured as an explicit proxy, the site can still be accessed.

Please feel free to post your findings and suggestions to work around this scenario.

Thank you

Screenshots (not reproduced here):

FortiProxy - proxy address group with URL category
Proxy address
Policy configured with proxy address group
Web-rating override
Logs

Cheers,
Nikesh
gfleming

In your scenario, here is how I would do it. I would have three distinct firewall policies, one for each user class. Each firewall policy would have its own distinct Web Filter profile.

 

Policy 1 — User A

 allow to/from LAN/WAN

 allow from User A

 allow to all

 web filter: User_Group_A-WebFilter

 

Policy 2 — User B

 allow to/from LAN/WAN

 allow from User B

 allow to all

 web filter: User_Group_B-WebFilter

 

Policy 3 — User C

 allow to/from LAN/WAN

 allow from User C

 allow to all

 web filter: User_Group_C-WebFilter

 

Now all you have to do is define the web filter profiles so that users get the appropriate content that they are allowed to access. So,

 

UserA-WebFilter:

 - Brokerage and Trading

 - Finance and Banking

UserB-WebFilter:

 - Brokerage and Trading

 - Web-Based Email

UserC-WebFilter:

 - Web-Based Email

 - Finance and Banking

 

Of course, in the above scenario it is assumed you've already configured your "Brokerage and Trading" category and done your overrides. In this configuration all users will have access to the overridden category and there will be no access to the overridden sites while using the original category.

Cheers,
Graham
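The layout described in the reply above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the object names, interface names, the LDAP server "AD-LDAP" and the AD group DN are placeholders, and the FortiGuard category IDs (18 Brokerage and Trading, 44 Finance and Banking, 20 Web-based Email) are as I recall them and should be checked against the category list on the unit before use.

```fortios
# Added example, not from the thread. Placeholders: object names,
# interfaces, LDAP server, AD group DN. Category IDs are assumed
# values; verify them on the unit before use.

# 1. Rating override: move one site from Finance and Banking (44) to
#    Brokerage and Trading (18). This override is applied by the
#    FortiGuard rating inside the web filter profile.
config webfilter ftgd-local-rating
    edit "trading.example.com"
        set status enable
        set rating 18
    next
end

# 2. Web filter profile for user class A: allow Brokerage and Trading
#    and Finance and Banking, block Web-based Email. Every other
#    category that must be denied needs its own block entry.
config webfilter profile
    edit "User_Group_A-WebFilter"
        config ftgd-wf
            config filters
                edit 1
                    set category 18
                    set action allow
                next
                edit 2
                    set category 44
                    set action allow
                next
                edit 3
                    set category 20
                    set action block
                next
            end
        end
    next
end

# 3. Local group mapped to the AD/LDAP group for class A.
config user group
    edit "User_Group_A"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=Brokerage-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# 4. Policy for class A. Repeat steps 2 to 4 with a different profile
#    and group for classes B and C. Policy order stops mattering as
#    long as each user is a member of only one of the groups.
config firewall policy
    edit 0
        set name "Web-User_Group_A"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "User_Group_A"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "User_Group_A-WebFilter"
        set nat enable
    next
end
```

If the groups come from FSSO rather than an LDAP bind, the user group is created with `set group-type fsso-service` and the AD group DN as its member instead of the `config match` block. To confirm the override is being enforced, browse to the overridden site as a member of each group and check the web filter log: the category recorded for that URL should be Brokerage and Trading, and only the class whose profile allows that category should be able to reach it. Certificate inspection is enough for domain-level overrides because the FQDN is taken from the SNI; an override on a URL path needs deep inspection.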
Nickesh_k
New Contributor

I don't think this is practical for enterprises that have large user numbers, where a network administrator has to maintain policies depending on the number of users.

 

Cheers,
Nikesh
gfleming

Sorry if it wasn't clear: I am not talking about making policies/profiles for each user but for each user class, as I mentioned in the previous response. Those policies would be defined with user groups from AD/LDAP integration.

Cheers,
Graham