Purpose
This article presents some configuration examples for FortiGuard Web Filtering Override based on different scenarios, as well as some Error Messages explanations.
There are 3 examples at User Group level , 2 examples using Administrator rules, and 1 example combining both .
Reminder about how to setup FortiGuard Override :
FortiGuard Override can be configured with 2 methods : At User Group level, or with Administrative Overrides level , depending on the requirements.
Note 1 :
The Administrative override rules are backed up with the main configuration and managed by the FortiManager system. The Administrative override rules are not removed when they expire and can be re-used with new expiry dates.
Administrative override rules can be created from both the CLI and the web-based manager.
Note 2 :
To monitor active overrides rules defined at User Group level, go to UTM --> Web Filter --> Override --> User Overrides
Note 3 :
It is pre-requested that FortiGuard Web filtering is enabled globally, and the FortiGate has a valid contract for this service :
Note 4 :
In the following configuration examples, only the main parameters are described. For all other options please consult the on-line help available from the Web based Manager (GUI) .
All scenario and configuration are given here as example to illustrate override possibilities. ; other variations may exist for each scenario.
For further information about that subject, please consult our documentation at http://docs.forticare.com/fgt.html
See also related articles at the end of this page.
Scope
All Fortigate in NAT or Transparent Mode
Diagram
A simple setup will be used for this example :
User1 10.160.0.10 == ] == LAN == [ FortiGate ] == Internet
User2 10.160.0.20 ===]
User3 10.160.0.30 ===]
Expectations, Requirements
Here after are some scenarios based on what the network administrator would like to achieve .
Configurations presented are made in FortiOS v4.0, but the same principle also applies to v3.0
Test list
User Group configuration
Administrative rule configuration
Combined settings
Configuration
- This must NOT be based on Firewall (or identity based) authentication, but only Fortiguard override authentication
A- Enable the necessary options in the desired protection profile as shown below ; note that LOG is optional but recommended for troubleshooting purpose for example.
B - Allow override for the desired User Group - Selecting IP in the override scope will allow this user group to access the he Category(ies) "Business Oriented" without authentication. Override Type = Category will allow users to access all Web sites in the same Category.
C- Select the appropriate protection profile in the appropriate Firewall Policy
Once authenticated, the override session can be monitored from UTM --> Web Filter --> Override --> User Overrides
- Block access to ALL Web Categories for ALL users except for Category "Business Oriented"
- This Must be based on a user authentication at Firewall and override level
A- Enable the necessary options in the desired protection profile
B - Allow override for the desired User Group - Selecting User Group in the override scope will allow users in this group to access the Category "Business Oriented", and will requiree to enable Authentication on the Firewall Policy (see step C ) :
C- Check "Enable Identity Based Policy" with appropriate protection profile in the desired Firewall Policy :
A - Accessing any site, the Firewall Authentication page will appear first :
B- Once authenticated, if the Web site belong to an override Category, users will get the Override option.
....and after the Override Authentication page
C- Once authenticated, if the Web page was not allowed users will not get the Override option.
- This Must be based on authentication
- Use Local Category and Local Rating
A - We will use here a new Local Categories and Local Rating in which we will put "www.fortinet.com" and "kb.fortinet.com"
B- In the desired protection profile, enable the FortiGuard Options including "Allow Override" for the new Local Category :
C- Allow override for the desired User Group - Selecting IP in the override scope will allow this user group to access the Category "Allowed Sites" after the Fortiguard override authentication.
D- Enable the appropriate protection profile in the appropriate Firewall Policy :
- Allow only user2 to access to "www.fortinet.com"
- Rule must be only valid until November 10th 2009
A - We will use here a new Local Categories and Local Rating in which we will put "www.fortinet.com" and "kb.fortinet.com"
B- In the desired protection profile, enable the FortiGuard Options including "Allow Override" for the new Local Category :
C- Create an Administrative Override Rule : UTM--> Web Filter --> Override --> Admin Rule --> Create New , and enter all necessary information :
Troubleshooting
The Fortigate will log the Web access with the following log examples (From the GUI : Log&Report --> Log Access --> Select "Web Filter Log"
or
Some FortiGuard Error Web pages
Web Filtering Block Override :
"Only user based overrides are allowed and you do not appear to be authenticated with the system. Please contact your administrator"
Root Cause : At User Group level, you have selected Override Scope = User or User Group but not enabled Authentication on the Firewall Policy
Web Filtering Block Override :
There are no user-groups with permissions to create overrides for this protection profile.
Root Cause :
- There is an Administrator rule with Scope = User or User Group but not enabled Authentication on the Firewall Policy
- The username in the User Group does not correspond to the one defined in the Administrator rule
- The IP address of the source device or the Protection Profile in the matching Firewall Policy do not correspond to the one defined in the Administrator rule
This article presents some configuration examples for FortiGuard Web Filtering Override based on different scenarios, as well as some Error Messages explanations.
There are 3 examples at User Group level , 2 examples using Administrator rules, and 1 example combining both .
Reminder about how to setup FortiGuard Override :
FortiGuard Override can be configured with 2 methods : At User Group level, or with Administrative Overrides level , depending on the requirements.
- at User Group level, the override configuration settings are always valid in the time. In this mode, user authentication will always happen, either by Firewall authentication, either by Fortiguard override authentication, either by both.
- with Administrative Overrides rule, you can give a validity period for each rule. This Override type definitions allows more granularity than at User Group level. When based on authentication, only 1 authentication page will be prompted.
Note 1 :
The Administrative override rules are backed up with the main configuration and managed by the FortiManager system. The Administrative override rules are not removed when they expire and can be re-used with new expiry dates.
Administrative override rules can be created from both the CLI and the web-based manager.
Note 2 :
To monitor active overrides rules defined at User Group level, go to UTM --> Web Filter --> Override --> User Overrides
Note 3 :
It is pre-requested that FortiGuard Web filtering is enabled globally, and the FortiGate has a valid contract for this service :
Note 4 :
In the following configuration examples, only the main parameters are described. For all other options please consult the on-line help available from the Web based Manager (GUI) .
All scenario and configuration are given here as example to illustrate override possibilities. ; other variations may exist for each scenario.
For further information about that subject, please consult our documentation at http://docs.forticare.com/fgt.html
See also related articles at the end of this page.
Scope
All Fortigate in NAT or Transparent Mode
Diagram
A simple setup will be used for this example :
User1 10.160.0.10 == ] == LAN == [ FortiGate ] == Internet
User2 10.160.0.20 ===]
User3 10.160.0.30 ===]
Expectations, Requirements
Here after are some scenarios based on what the network administrator would like to achieve .
Configurations presented are made in FortiOS v4.0, but the same principle also applies to v3.0
Test list
User Group configuration
| Scenario 1 : - Block access to ALL Web Categories for ALL users except for Category "Business Oriented" - This must not be based on Firewall (or identity based) authentication, but only Fortiguard override authentication Scenario 2 : - Block access to ALL Web Categories for ALL users except for Category "Business Oriented" - This must be based on a user authentication at Firewall and Fortiguard override level Scenario 3 : - Block access to ALL Web Categories for ALL users and allow only 2 Web sites : "www.fortinet.com" and "kb.fortinet.com" - This must be based on Fortiguard override authentication - Use Local Category and Local Rating |
Administrative rule configuration
| Scenario 4 : - Block access to ALL Web Categories for ALL users - Allow only user2 to access to "www.fortinet.com" - Rule must be only valid until November 10th 2009 Scenario 5 : - Block access to ALL Web Categories for ALL users - Allow only the IP address 10.160.0.10 to access all categories - Rule must be only valid until November 10th 2009 |
Combined settings
Scenario 6 : - Block access to ALL Web Categories for ALL users - Allow the users that will use a particular protection profile called "fguard-scenario6_a" to access, without Firewall authentication, the categories "Potentially Liable" and "Controversial", as well as "www.fortinet.com" , - This will include User1; rule valid only until August 15th 2010 - Allow User2 to access (only) the full Category "Business Oriented" with Firewall authentication ; rule valid only until August 15th 2010 - Allow user group of User3 to access all categories with Firewall authentication ; the rule must always be valid |
Configuration
Scenario 1
- Block access to ALL Web Categories for ALL users except for Category "Business Oriented"- This must NOT be based on Firewall (or identity based) authentication, but only Fortiguard override authentication
1.1 Configuration
A- Enable the necessary options in the desired protection profile as shown below ; note that LOG is optional but recommended for troubleshooting purpose for example.
B - Allow override for the desired User Group - Selecting IP in the override scope will allow this user group to access the he Category(ies) "Business Oriented" without authentication. Override Type = Category will allow users to access all Web sites in the same Category.
C- Select the appropriate protection profile in the appropriate Firewall Policy
1.2.1 Test and verification
1.2.1 Access a site that does not belong the category "Business Oriented" , users will get this page :
 |
1.2.2 Access a site that belongs the category "Business Oriented" , users will get the Fortiguard override authentication page :
Note the IP address and Category appearing on the screen :Once authenticated, the override session can be monitored from UTM --> Web Filter --> Override --> User Overrides
Scenario 2
- Block access to ALL Web Categories for ALL users except for Category "Business Oriented"
- This Must be based on a user authentication at Firewall and override level
2.1 Configuration
A- Enable the necessary options in the desired protection profile
B - Allow override for the desired User Group - Selecting User Group in the override scope will allow users in this group to access the Category "Business Oriented", and will requiree to enable Authentication on the Firewall Policy (see step C ) :
C- Check "Enable Identity Based Policy" with appropriate protection profile in the desired Firewall Policy :
2.2 Test and verification
A - Accessing any site, the Firewall Authentication page will appear first :
B- Once authenticated, if the Web site belong to an override Category, users will get the Override option.
 |
 |
C- Once authenticated, if the Web page was not allowed users will not get the Override option.
 |
Scenario 3
- Block access to ALL Web Categories for ALL users and allow only 2 Web sites : "www.fortinet.com" and "kb.fortinet.com"- This Must be based on authentication
- Use Local Category and Local Rating
3.1 Configuration
A - We will use here a new Local Categories and Local Rating in which we will put "www.fortinet.com" and "kb.fortinet.com"
B- In the desired protection profile, enable the FortiGuard Options including "Allow Override" for the new Local Category :
C- Allow override for the desired User Group - Selecting IP in the override scope will allow this user group to access the Category "Allowed Sites" after the Fortiguard override authentication.
D- Enable the appropriate protection profile in the appropriate Firewall Policy :
3.2 Verification : when accessing a Web site that has not been defined in thew Local Category, the following page will appear to the users :
 |
Scenario 4
- Block access to ALL Web Categories for ALL users- Allow only user2 to access to "www.fortinet.com"
- Rule must be only valid until November 10th 2009
4.1 Configuration
A - We will use here a new Local Categories and Local Rating in which we will put "www.fortinet.com" and "kb.fortinet.com"
B- In the desired protection profile, enable the FortiGuard Options including "Allow Override" for the new Local Category :
C- Create an Administrative Override Rule : UTM--> Web Filter --> Override --> Admin Rule --> Create New , and enter all necessary information :
D- Check at User Group Level if user2 is defined in a User Group ; note that there is NO need to check “Allow to create Fortiguard Web Filtering overrides”
E- Apply the protection to the appropriate Firewall Policy with Authentication (identity based) enabled :
A - Accessing any site, the Firewall Authentication page will appear first ; assume you log in with user1 (instead of user2) :
B- Once authenticated, if the Web site belong to an override Category, users will get the Override option :
C- If user logged in is not the one defined in the Administrative Rule, the following message will appear :
D- Otherwise, access will be granted to the initial Web page without any further authentication
Scenario 5
- Block access to ALL Web Categories for ALL users
- Allow only the IP address 10.160.0.10 to access all categories
- Rule must be only valid until November 10th 2009
A- As no authentication is involved in this example, no action is required at User Group setting level
B- Enable the necessary options in the desired protection profile ; in this case allow Override for all Categories :
C- Create an Administrative Override Rule : UTM--> Web Filter --> Override --> Admin Rule --> Create New , and enter all necessary information as per below :
D- Enable the appropriate Protection Profile in the Firewall Policy :
A - Accessing any site from 10.160.0.20 (instead of 10.160.0.10) , the following page will appear :
B- If the user click on Override, because the source IP is not the one defined in the Administrative rule, the following page will appear :
C- Otherwise, if the source IP is 10.160.0.10, access will be granted to the initial Web page directly
Scenario 6
- Block access to ALL Web Categories for ALL users
- Allow the users that will use a particular protection profile called "fguard-scenario6_a" to access, without Firewall authentication, the categories "Potentially Liable" and "Controversial", as well as "www.fortinet.com" , - This will include User1; rule valid only until August 15th 2010
- Allow User2 to access (only) the full Category "Business Oriented" with Firewall authentication ; rule valid only until August 15th 2010
- Allow user group of User3 to access all categories with Firewall authentication ; rule always valid
Note 1 : there would be multiple variants to achieve this goal, in this example we will use 2 Firewall Policies to distinguish User1, User2 and User3.
6.1 Configuration
We will need 2 protection profiles in order to distinguish the different override rules.
fguard-scenario6_a is used for User1 in particular, and fguard-scenario6_b will be used for the other users. They will however both look the same :
B - Because the rule for the group of User3 must always be valid, we will create separate groups and use FortiGuard Override for User3 at User Group level :
C - Distinguish the traffic for user1, user2 and user3 in at least 2 Firewall Policies :
Note the use of Authentication for User2 and User3, and the 2 different Protection Profiles :
E- Apply the protection to the appropriate Firewall Policy with Authentication (identity based) enabled :
4.2 Test and Verification
A - Accessing any site, the Firewall Authentication page will appear first ; assume you log in with user1 (instead of user2) :
|
B- Once authenticated, if the Web site belong to an override Category, users will get the Override option :
 |
 |
D- Otherwise, access will be granted to the initial Web page without any further authentication
Scenario 5
- Block access to ALL Web Categories for ALL users- Allow only the IP address 10.160.0.10 to access all categories
- Rule must be only valid until November 10th 2009
5.1 Configuration
A- As no authentication is involved in this example, no action is required at User Group setting level
B- Enable the necessary options in the desired protection profile ; in this case allow Override for all Categories :
C- Create an Administrative Override Rule : UTM--> Web Filter --> Override --> Admin Rule --> Create New , and enter all necessary information as per below :
D- Enable the appropriate Protection Profile in the Firewall Policy :
5.2 Test and Verification
A - Accessing any site from 10.160.0.20 (instead of 10.160.0.10) , the following page will appear :
|
B- If the user click on Override, because the source IP is not the one defined in the Administrative rule, the following page will appear :
|
C- Otherwise, if the source IP is 10.160.0.10, access will be granted to the initial Web page directly
Scenario 6
- Block access to ALL Web Categories for ALL users- Allow the users that will use a particular protection profile called "fguard-scenario6_a" to access, without Firewall authentication, the categories "Potentially Liable" and "Controversial", as well as "www.fortinet.com" , - This will include User1; rule valid only until August 15th 2010
- Allow User2 to access (only) the full Category "Business Oriented" with Firewall authentication ; rule valid only until August 15th 2010
- Allow user group of User3 to access all categories with Firewall authentication ; rule always valid
Note 1 : there would be multiple variants to achieve this goal, in this example we will use 2 Firewall Policies to distinguish User1, User2 and User3.
6.1 Configuration
We will need 2 protection profiles in order to distinguish the different override rules.fguard-scenario6_a is used for User1 in particular, and fguard-scenario6_b will be used for the other users. They will however both look the same :
B - Because the rule for the group of User3 must always be valid, we will create separate groups and use FortiGuard Override for User3 at User Group level :
C - Distinguish the traffic for user1, user2 and user3 in at least 2 Firewall Policies :
Note the use of Authentication for User2 and User3, and the 2 different Protection Profiles :
D- Create the Override rules
See Rules 1 and 2 are specific to the requirement for user1 - Rule 3 concerns user2 . No rule is present for user3 as this is defined at User Group level.
See Rules 1 and 2 are specific to the requirement for user1 - Rule 3 concerns user2 . No rule is present for user3 as this is defined at User Group level.
Troubleshooting
The Fortigate will log the Web access with the following log examples (From the GUI : Log&Report --> Log Access --> Select "Web Filter Log"
| 94
2009-01-01 07:43:08 notice 1795 10.160.0.20 y.y.z.t www.fortinet.com / URL belongs to an override rule |
or
| 124 2009-01-01 07:55:09 notice 3902 10.160.0.10 y.y.z.t www.my_blocked_site.com / URL belongs to a denied category in policy |
Some FortiGuard Error Web pages
Web Filtering Block Override :
"Only user based overrides are allowed and you do not appear to be authenticated with the system. Please contact your administrator"
Root Cause : At User Group level, you have selected Override Scope = User or User Group but not enabled Authentication on the Firewall Policy
Web Filtering Block Override :
There are no user-groups with permissions to create overrides for this protection profile.
Root Cause :
- There is an Administrator rule with Scope = User or User Group but not enabled Authentication on the Firewall Policy
- The username in the User Group does not correspond to the one defined in the Administrator rule
- The IP address of the source device or the Protection Profile in the matching Firewall Policy do not correspond to the one defined in the Administrator rule
Related Articles
Troubleshooting Tip: WEB filtering rating problems when using FortiGuard rating by IP and URL
