Support Forum
WTony
New Contributor

Webfilter setup problems with multiple groups, Barracuda migration.

Hi,

I am in the process of migrating a Barracuda webfilter to a FortiGate 100E v6.0.9 build8661.

Both sync with Active Directory, giving us access to users and groups.

The Barracuda has the usual categories and filter options.

Alongside the usual filter categories, in the Barracuda we have a series of custom categories:

"Allowed sites" - generally allowed sites.
"Blocked sites" - sites that are blocked.
"YouTube" - URLs that relate to YouTube (but not all streaming media).
"OnlineBanking" - banking websites.
"Marketing media" - various social media and marketing-related sites that would otherwise be blocked.
"Factory" - a few sites that are required on the factory shop floor (they are usually fully blocked from ANY internet access).

The Barracuda has a rule list that processes the rules top to bottom.

In the FortiGate I have created the webfilter profiles for the above using URL filters ONLY (categories turned off).

Then in the IPv4 policy I have created rules for each policy with (there are more, but for example...):

everyone allowed for "Allowed sites"
gYoutube (AD group) allowed for "YouTube"
gOnlineBanking (AD group) allowed for "OnlineBanking"
gMarketingMedia (AD group) allowed for "Marketing media"
everyone blocked for "Blocked sites"

The IPv4 policy rules do not work in the same way as the Barracuda? The FIRST rule that applies to the user stops the processing.

This is OK if users are only members of ONE AD group, but we have, for example, a marketing manager who is a member of gMarketing AND gOnlineBanking. Depending on the order of the rules, the other rule will not trigger!

How can I re-create this rule base on our new FortiGate firewall webfilter?

(We have many more rules that work in a similar fashion to the above. If migrating our rules like-for-like is not possible, what is the correct process for creating a similar filtering system using FortiGate?)

I appreciate any advice and feedback.

Best regards,
Tony
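An added illustration, not part of the original post and not FortiGate's or Barracuda's own logic: a small Python model of the two evaluation behaviours the post contrasts, a policy list where the first rule matching the user is the only one consulted, versus a rule list walked top to bottom for every request. Group names follow the post; the sample URLs, the marketing manager's memberships, the default verdict for unlisted URLs and the assumption that the group-specific policies sit above the catch-all deny are constructed for this example.

```python
# Added example: a toy model of the two rule-evaluation behaviours in the post.
# Everything below is constructed for illustration; it is not FortiGate code.
from typing import Dict, List, Set, Tuple

# URL filter lists standing in for the custom categories (constructed sample URLs).
URL_FILTERS: Dict[str, Set[str]] = {
    "YouTube": {"youtube.com"},
    "OnlineBanking": {"bank.example"},
    "Marketing media": {"social.example"},
    "Blocked sites": {"gambling.example"},
}

# Rules in top-to-bottom order: (group that matches, URL filter applied, action).
# "everyone" matches any user. Assumption: group policies sit above the catch-all.
Rule = Tuple[str, str, str]
RULES: List[Rule] = [
    ("gYoutube", "YouTube", "allow"),
    ("gOnlineBanking", "OnlineBanking", "allow"),
    ("gMarketingMedia", "Marketing media", "allow"),
    ("everyone", "Blocked sites", "deny"),
]

def applies(rule: Rule, groups: Set[str]) -> bool:
    """Does this rule's group match a user with the given AD group memberships?"""
    return rule[0] == "everyone" or rule[0] in groups

def first_match_per_user(rules: List[Rule], groups: Set[str], url: str,
                         default: str = "deny") -> str:
    """Behaviour the post describes: the first rule that applies to the user
    is the only one consulted; its URL filter decides, and any URL outside
    that filter gets the default (simplified model, not the firewall's code)."""
    for rule in rules:
        if applies(rule, groups):
            _, filt, action = rule
            return action if url in URL_FILTERS[filt] else default
    return default

def first_match_per_url(rules: List[Rule], groups: Set[str], url: str,
                        default: str = "deny") -> str:
    """Top-to-bottom walk per request: the first rule that matches both the
    user's groups and the URL decides, so later group rules are still reached."""
    for rule in rules:
        _, filt, action = rule
        if applies(rule, groups) and url in URL_FILTERS[filt]:
            return action
    return default

# A user in two groups, as in the post's marketing-manager case (constructed).
MANAGER = {"gOnlineBanking", "gMarketingMedia"}

def compare(rules: List[Rule], url: str) -> Tuple[str, str]:
    """Verdict under (per-user model, per-URL model) for the two-group user."""
    return (first_match_per_user(rules, MANAGER, url),
            first_match_per_url(rules, MANAGER, url))
```

Swapping the banking and marketing rules flips which of the manager's sites the per-user model denies, which is the order dependence the post describes; the per-URL model allows both regardless of order.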