navin_cool
New Contributor

How to configure Static URLfilter in Fortigate 4.0 with FortiGuard license expired

Hi,

We are using a Fortigate 200A with version 4.0 (MR2 Patch 2), and the FortiGuard license has expired.

Now, we are planning to block a few websites to overcome an Internet bandwidth high-utilization issue.

I have configured Webfilter under UTM services, but it does not work. I think it's because of no active FortiGuard licence.

I heard that we can use a Static Filter list here. Can someone guide me on how to use it, since I do not see a static filter option in GUI mode? Or is there any other way to block websites without having an active FortiGuard license?

Thanks and Regards

Naveen

2 Solutions
emnoc
Esteemed Contributor III

 

The whole thing won't work without a license.

 

 

I have to disagree, and what the OP wants to do is to place static entries and NOT use FortiGuard (assumption). This will work but is not recommended by FTNT and could cause issues with blocking legit sites if done incorrectly.

You could define a filter to block wildcard and then add the sites that you want to allow, or even the vice versa: block specific sites & then a wildcard allowance. BTW I've done this in K-12 edu with site allowances.

Be very very very careful in your approach and method. BUT categorization with an expired FortiGuard license will most likely break all.

 

 

PCNSE 

NSE 

StrongSwan  


17 Replies
navin_cool

I can see "web filter" under UTM. But I think this is part of FortiGuard.

The doc  which you suggested is referring to the same.

But I am looking for static Filtering. How to start with "Static Filter" configuration ?

 

Allwyn_Mascarenhas

navin.cool wrote:

I can see "web filter" under UTM. But I think this is part of FortiGuard.

The doc  which you suggested is referring to the same.

But I am looking for static Filtering. How to start with "Static Filter" configuration ?

 

I really don't think there is any such feature. Did you see this in any docs or videos? Share that link, maybe we can figure something out then.

 

Even googling "fortigate static filter" brings up url filter in the results.

 

Also you should try their chat support.

navin_cool

Ahhhh, then what did you mean in one of your replies below?

----------------------------------------------------------------------------------------------------------------------

"With no license fortigate webfiltering will not work AT ALL. It will just block all legit traffic as well.  

and on using static filtering i'm in the middle of doing this with fortinet TAC. HTTPs won't be blocked with this unless you install cert on clients with ssl inspection on."

----------------------------------------------------------------------------------------------------------------------

 

I too get the same result when I do googling :)

 

 

Allwyn_Mascarenhas

navin.cool wrote:

Ahhhh, then what did you mean in one of your replies below?

----------------------------------------------------------------------------------------------------------------------

"With no license fortigate webfiltering will not work AT ALL. It will just block all legit traffic as well.

and on using static filtering i'm in the middle of doing this with fortinet TAC. HTTPs won't be blocked with this unless you install cert on clients with ssl inspection on."

----------------------------------------------------------------------------------------------------------------------

 

I too get the same result when I do googling :)

 

I was referring to URL filter as static filtering all along, as I thought you were doing the same. My requirement was to block HTTPS without SSL inspection, which is currently ongoing. So static filtering is used there, but I doubt it can block HTTPS. So waiting for TAC's further response now.

navin_cool

You are referring to static filtering as web filter, which is part of FortiGuard services.

So, in your case, do you have an active FortiGuard license?

 

For me, this license expired already.

Allwyn_Mascarenhas

navin.cool wrote:

You are referring to static filtering as web filter, which is part of FortiGuard services.

So, in your case, do you have an active FortiGuard license?

 

For me, this license expired already.

Yes my license is active.

 

Inside webfilter below the categories you see the url filter option. And yes it's in web filter.

navin_cool

OK, it's clear now.

So, in my case I cannot do any filtering until I get the new FortiGuard license.

 

Thanks guys, for your great knowledge sharing.

 

Allwyn_Mascarenhas

emnoc wrote:

Do you have a FortiGuard service license and is it active? In that example you reference, I believe they are blocking by web category (Social Networking) and by extracting the CN field from the cert, so we can drop the session without ssl-deep-scan.

e.g. look at the cert received in the server.hello

 

id-at-commonName=*.facebook.com

Are you saying we ought to use this exact name as shown in the cert? In TAC's response he suggested *.facebook.*

Further, in the doc on using URL filter, they only ask you to use *facebook.com.
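
How the three wildcard forms mentioned in this thread differ in what they catch, as an added example that is not part of any post or of Fortinet's documentation. It assumes shell-style glob matching ("*" matches any run of characters) against the hostname or certificate CN, which may differ from how FortiOS evaluates URL filter entries; the sample names are constructed.

```python
from fnmatch import fnmatchcase

# The three wildcard patterns mentioned in the thread.
PATTERNS = ["*.facebook.com", "*.facebook.*", "*facebook.com"]

# Constructed samples: (hostname or certificate CN, should it be blocked?)
SAMPLES = [
    ("www.facebook.com", True),
    ("facebook.com", True),               # bare domain, no leading label
    ("*.facebook.com", True),             # literal CN string as seen in a cert
    ("m.facebook.com", True),
    ("notfacebook.com", False),           # unrelated domain sharing a suffix
    ("www.facebook.example.org", False),  # "facebook" used as a subdomain label
    ("example.org", False),
]


def matches(pattern, name):
    """Assumed semantics: case-insensitive glob, '*' matches any characters."""
    return fnmatchcase(name.lower(), pattern.lower())


def audit(pattern, samples=SAMPLES):
    """Return (missed, overblocked) names for one static filter pattern."""
    missed = [n for n, want in samples if want and not matches(pattern, n)]
    over = [n for n, want in samples if not want and matches(pattern, n)]
    return missed, over


def audit_all(patterns=PATTERNS):
    """Audit every pattern; maps pattern -> (missed, overblocked)."""
    return {p: audit(p) for p in patterns}


if __name__ == "__main__":
    for pat, (missed, over) in audit_all().items():
        print(f"{pat:16} missed={missed} overblocked={over}")
```

Running a candidate entry through a list of names that must and must not be blocked before adding it to the filter is a cheap way to catch the "blocking legit sites" problem raised earlier in the thread.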