Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jokes54321
New Contributor III

Website Allow Lists

I need some clarification on the best way to do this. Our company has a policy that servers do not get Internet access, except to a list of permitted websites. This works well when the Destination object is an FQDN with a couple of IP addresses behind it, but it falls down when the destination is hosted in a cloud like AWS. I believe the FortiGate fails to get the full list of IPs that could be behind a given FQDN and traffic is randomly dropped at times. 

 

We opened a ticket with support in the past and the recommend solution was to use a Web Filters instead, but this opens an entirely new set of issues. If I have a web filter with everything set to deny, except for a list of allowed URLS, processing of firewall policies stop at the policy with the web filter defined, and the server gets the Blocked by Fortigate Screen. What I would like is for the firewall to treat that policy as a no match and continue down the list of policies.

 

I'd prefer not to have one massive web filter for every external website. I'd like it to be granular and have one policy with a web filter to allow access to AV Updates, another policy with web filter for access to the SIEM, etc. 

 

What is the best way to achieve this?

2 REPLIES 2
xsilver_FTNT
Staff
Staff

Hi @jokes54321 

not completely sure what update servers are on your list, if some well known like Apple's / Microsoft's update services or some very custom ones.

But you might give it a shot and read a bit about Internet Services database and how to use such objects in policies.

More on that subject on : https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/849970/internet-services

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jokes54321

Hi Tom,

 

I appreciate the response.  I tested policies using the Internet Services as a destination and the success with them has been hit or miss. A good example would be Rapid7. We're in process of deploying it now and I was happy to see an Internet Service for them, however the agents failed to install with this policy in place. It took setting up a packet capture and analyzing the DNS queries, then subsequent requests, to find the resource that couldn't be reached. 

 

I'll research them in more depth as I do see them as a great benefit. Does anyone know if Fortinet has a portal that requests can be submitted to for ISDB updates? In the Rapid7 example above, I believe they need to add amazontrust.com so the agent install succeeds. 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors