I need some clarification on the best way to do this. Our company has a policy that servers do not get Internet access, except to a list of permitted websites. This works well when the Destination object is an FQDN with a couple of IP addresses behind it, but it falls down when the destination is hosted in a cloud like AWS. I believe the FortiGate fails to get the full list of IPs that could be behind a given FQDN and traffic is randomly dropped at times.
We opened a ticket with support in the past and the recommended solution was to use a Web Filter instead, but this opens an entirely new set of issues. If I have a web filter with everything set to deny, except for a list of allowed URLs, processing of firewall policies stops at the policy with the web filter defined, and the server gets the "Blocked by FortiGate" screen. What I would like is for the firewall to treat that policy as a no match and continue down the list of policies.
I'd prefer not to have one massive web filter for every external website. I'd like it to be granular and have one policy with a web filter to allow access to AV Updates, another policy with web filter for access to the SIEM, etc.
What is the best way to achieve this?
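For readers unfamiliar with the two setups the question contrasts, here is an added FortiOS CLI sketch of both: an FQDN address object used as the policy destination, and a per-policy web filter profile with its own URL allowlist (one profile for AV updates, a second for the SIEM). This is not configuration from the original post or from Fortinet; interface names, object names, policy IDs and the URLs are placeholders, and exact CLI syntax can vary between FortiOS versions, so treat it as an illustration of the structure rather than a drop-in config. It does not resolve the fall-through behaviour the question asks about.

```text
# --- Approach 1: FQDN address object as the policy destination ---
# The FortiGate resolves the FQDN and caches the returned IPs; for a
# cloud-hosted service that returns many changing IPs, traffic can miss
# the cached set (the symptom described in the question).
config firewall address
    edit "av-update-fqdn"            # placeholder name
        set type fqdn
        set fqdn "updates.av-vendor.example"   # placeholder FQDN
    next
end

config firewall policy
    edit 10
        set name "servers-to-av-updates-fqdn"
        set srcintf "server-vlan"    # placeholder interface
        set dstintf "wan1"
        set srcaddr "servers"        # placeholder address group
        set dstaddr "av-update-fqdn"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# --- Approach 2: one web filter profile per destination, per policy ---
# Each URL filter table allows only its own destinations; anything else
# the profile sees is blocked by the profile, not handed to the next policy.
config webfilter urlfilter
    edit 1
        set name "av-updates-allowlist"
        config entries
            edit 1
                set url "updates.av-vendor.example"
                set type simple
                set action allow
            next
        end
    next
    edit 2
        set name "siem-allowlist"
        config entries
            edit 1
                set url "collector.siem-vendor.example"   # placeholder
                set type simple
                set action allow
            next
        end
    next
end

config webfilter profile
    edit "wf-av-updates"
        config web
            set urlfilter-table 1
        end
    next
    edit "wf-siem"
        config web
            set urlfilter-table 2
        end
    next
end

config firewall policy
    edit 20
        set name "servers-to-av-updates"
        set srcintf "server-vlan"
        set dstintf "wan1"
        set srcaddr "servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-av-updates"
    next
    edit 21
        set name "servers-to-siem"
        set srcintf "server-vlan"
        set dstintf "wan1"
        set srcaddr "servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-siem"
    next
end
```

The point to check in your own lab is the second half: because policy 20 matches on `dstaddr "all"`, a server's request to the SIEM collector is evaluated by policy 20 first and decided by `wf-av-updates`, so policy 21 is never consulted. Whether the web filter verdict is a block page or a fall-through is exactly the behaviour the question is asking about, and the config above does not change it; it only shows where the per-policy profiles attach.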