New Contributor

Web proxy

Dear All,


Can anyone tell me if it is possible to block certain websites for a group of users in a department and allow full access for the rest of the people? We are using a proxy configured on the firewall, and I want to block certain users from accessing certain websites while allowing other users to access the same websites.


Is it possible with web proxy? If yes, how can we achieve it?



New Contributor III



Yup, we can do it. Create an address group for minimum access and create a policy as well as a web proxy, and do the same for the full-access users.




New Contributor


Thank you for your reply. Just to be clear: all users will use the same proxy IP address to get internet access, but you mention using an address group for a pool of user IPs which need to have access blocked. How will it work? If I am not wrong, it will still use the same proxy IP address to go to the internet right here.



Honored Contributor

It would help if you provided more details on your network layout, including firmware version on the fgt, and how the proxy is implemented.  There are 3 primary firmwares in use (4.3.x, 5.0.x, and 5.2.x) with similar or different ways to implement the same or similar feature on the fgt.


If you are using the web proxy features on the Fortigate then I'm pretty sure the various UTM features (web filter profile/URL filter, etc.) are applied to the individual IP addresses (e.g. devices/users) either before or after that traffic enters/leaves the proxy. 


If you are not using user/device policies on the fgt, then one "classical" way to implement your request is to assign static IPs (either via DHCP reservation or direct static settings) to the devices in the department, then on the fgt, create firewall address objects for those IPs and group them.  Create a firewall policy using that group as the source and set whatever UTM features you want, move this firewall policy up in the firewall rules list above any general firewall policy so it is executed. If we are talking like over 20-30 computers you may be better off using either user/device policies or assigning static IPs in a single block range (then you can use that IP block range as the source in your firewall policy).


The Fortigate cookbook on the Fortinet Document Library site already has examples of implementing the above.


Edit: Note I am assuming internal LAN traffic is hitting the fgt directly and not going through a proxy device first.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
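
An added example, not part of any forum reply: a small Python model of the top-down, first-match policy evaluation described above, which flags a department policy that is shadowed by a broader one placed earlier and shows the effect of moving it up. The policy ids, subnets and profile names are constructed for illustration, and matching is on the client's source IP as the reply assumes.

```python
import ipaddress

# Constructed sample policy list in evaluation order (top-down, first match wins).
# Ids, subnets and profile labels are hypothetical, not taken from the thread.
POLICIES = [
    {"id": 1, "src": ["10.20.0.0/16"], "profile": "full-access"},
    {"id": 2, "src": ["10.20.5.32/27"], "profile": "dept-restricted"},
]

def nets(policy):
    """Parse a policy's source entries into network objects."""
    return [ipaddress.ip_network(s) for s in policy["src"]]

def first_match(policies, client_ip):
    """Return the first policy whose source addresses cover client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for p in policies:
        if any(ip in n for n in nets(p)):
            return p
    return None

def shadowed(policies):
    """Return (lower_id, upper_id) pairs where an earlier policy covers every
    source network of a later one, so the later policy can never match.
    Simplification: coverage by a union of several earlier policies is not checked."""
    out = []
    for i, low in enumerate(policies):
        for up in policies[:i]:
            if all(any(n.subnet_of(u) for u in nets(up)) for n in nets(low)):
                out.append((low["id"], up["id"]))
                break
    return out

def reorder_specific_first(policies):
    """Heuristic fix: stable sort so policies covering fewer addresses come first."""
    return sorted(policies, key=lambda p: sum(n.num_addresses for n in nets(p)))

if __name__ == "__main__":
    print("shadowed before:", shadowed(POLICIES))
    fixed = reorder_specific_first(POLICIES)
    print("order after:", [p["id"] for p in fixed])
    print("10.20.5.40 ->", first_match(fixed, "10.20.5.40")["profile"])
```
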

New Contributor

Dear Dave,


Thank you for your reply. The proxy is configured on the FGT itself, meaning the FGT is doing the proxy only for all my remote sites; my local LAN is not using the proxy and is configured with all identity-based policies and IP-based policies. The config is as follows: the port connected to the remote sites' router goes from the FGT to the router, the FGT interface is configured as a proxy, and all the remote sites are using this interface IP address as the proxy to allow internet. My mission is to block certain users from getting access to specific sites and allow some full access. Hope you understand me.


Awaiting your reply,

New Contributor

FGT Firmware version 5.2.2

