SebastiaanR
New Contributor

Whitelisting on IP Address

Hi Community

I'm hoping someone can point me in the right direction on how to add an IP address to a whitelist.

I have a FortiGate VM64 v6.2.3 build1066 (GA) appliance deployed in Azure. This is my first ever FG deployment, and I have to note two things:

1. The overall configuration and setup is really straightforward and intuitive. I was pleasantly surprised.

2. (and this is where I need some help) I'm getting an error when I access an internal web app using the IP and on an obscure port, with the error that the page has been blocked because it's in violation of my internet access policy. Great, it works, BUT I do need to access this.

The application is accessed by IP, in this case the public IP of the appliance in Azure. I had a look everywhere in the console if there is a way to add that external IP to a whitelist to not be managed by the FortiGuard, but all I am able to add are domains/domain names. In short, I need to whitelist the public IP assigned to the Azure appliance on various ports.

As a work-around to ensure operation, I've configured the web filter in monitoring mode, but this is obviously not ideal.

I've attached a SS of the error for what it's worth.

TIA

4 REPLIES
lobstercreed
Valued Contributor

I will say that I don't *think* this is possible (I've never had need to try). If I'm correct, there is an easy workaround...

Create an additional rule above the rule you're hitting that only matches this traffic with simply no web filter profile attached to it.

Toshi_Esumi

I also recommend a new policy allowing the address and the port(s) specified, then place it above the current blocking policy like lobstercreed suggested. You might call it "whitelist". Generally, the terms "whitelist/blacklist" are used in the context of webfiltering only though.

But the error you're seeing is because your webfiltering profile has category filtering enabled, and in the filtering, the "Unrated" category is blocked. You might be using a default profile like "g-default". Those pre-defined ones almost never work if you really want to use the webfiltering feature. I would suggest creating a new one, setting it as you need, and allowing "Unrated" like http://(IP_Address)/... not to be blocked.

sw2090
SuperUser

There are several ways:

- create a rating override to a category allowed in your filter profile
- create a URL filter exempt entry to allow this URL
- basically allow unrated URLs in your filter profile (not recommended of course)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

SebastiaanR
New Contributor

Thanks for all the suggestions, I'll be tinkering away and get it sorted.
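
A sketch of the URL filter exempt option from the replies above, as an added example that is not from any poster in this thread. The address `203.0.113.10`, the table ID `1`, the entry name and the profile name `custom-web-profile` are constructed placeholders; the syntax is FortiOS CLI and should be checked against the CLI reference for the running build.

```fortios
# Added example with constructed values; not configuration from the thread.
# 203.0.113.10 stands in for the appliance's public IP.

config webfilter urlfilter
    edit 1
        set name "internal-app-exempt"
        config entries
            edit 1
                # Match the app by the IP it is browsed to.
                set url "203.0.113.10"
                set type simple
                # "exempt" skips later checks for this URL; limiting it to
                # "fortiguard" bypasses only the category rating (where the
                # "Unrated" block comes from) instead of all inspection.
                set action exempt
                set exempt fortiguard
                set status enable
            next
        end
    next
end

# Attach the table to a custom web filter profile (hypothetical name),
# then select that profile on the firewall policy the traffic matches.
config webfilter profile
    edit "custom-web-profile"
        config web
            set urlfilter-table 1
        end
    next
end
```

This keeps the "Unrated" category blocked for everything except the one address, so the web filter no longer has to run in monitor-only mode. The web filter log for the matching policy shows whether requests to the app now hit the exempt entry.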
