In my office I have two FGT310B firewalls in HA. I have created a schedule for accessing Facebook and YouTube, meaning that only during the lunch hour should people be able to access FB and YouTube. Accordingly, I have created the policy enabling Web Filtering and Application Control so that during normal working hours people would not be able to access FB and YouTube. But what I am finding is that if any person logged on once during the lunch break, he just stayed logged on after the lunch time is over as well,
and the web filter and application control are not working in this case. But yes, fresh logins to Facebook and YouTube do not happen, according to the policy, after lunch hour.
If anybody can help on this.
Thanks for your response.
I have enabled the schedule timeout in the lunch hour policy, but Facebook is still opening.
The firmware version of the firewall is v4.0,build0665,130514 (MR3 Patch 14). Should I upgrade it, or is there some other way?
Please find the config snap:
FG300B3912600448 (49) # show
config firewall policy
set srcintf "HOTSPOT_AREA"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "Non Working"
set schedule-timeout enable
set service "ALL"
set utm-status enable
set logtraffic enable
set av-profile "wmg2"
set webfilter-profile "Streaming and Social Medial allow"
set application-list "default"
set profile-protocol-options "WMG1"
set nat enable
Is it just for a little while that they can surf after lunch, or like the rest of the day? I was thinking it could be related to an existing session having an accept status tied to it during lunch, and afterwards the traffic continues to use that session until it expired/got cleared/etc., which it should eventually do.
Actually, if it logged in once during the lunch time, it will continue to be logged in for the rest of the day. If it has been refreshed, then the blocking policy will work.
I don't know how to solve this problem.
I also have the same configured for the users to access the social media sites.
But in my case, after their leisure time (1:00 PM - 2:00 PM) everything is getting blocked.
The only problem I've seen is that a few users will buffer the whole video (a video of 2 hours, or a movie :p) during the period, and they can enjoy watching it even after the leisure time.
What I can suggest is that you have the latest one. Mine is 5.2, but you can try with 5.0.[7-9]
I didn't think about that option till now :)
Where should I apply the per-IP shaper?
On the firewall policy or on the relevant "Application sensor"?
It seems the application sensor has an option to bind a "Shared Traffic Shaper", but I am not able to bind a "Per IP one".
And here also, how do we restrict the usage quota instead of limiting the bandwidth?
Are there any options to set the usage limit for a user?
For example, the Corporate Communication team needs some 5 GB/day, while the finance team doesn't need that much.
Do we have any such option to limit the quota for each user?
A lot of questions... I'm not an expert on TS but I'll try to answer some.
Having the TS in a policy offers more flexibility, as you can shape download and upload traffic independently. To have the TS effect limited to the application you are targeting can be a little complicated though. If it's determined by 'service', OK. But in other cases (like 'Facebook downloads') you have to resort to AppControl and its shapers.
BTW the 5.2 manual states that both shared and per-IP shapers are available in AppCtrl.
Quotas were once a part of FortiOS. I think (but am not sure) that they are not available anymore in FOS 5.x. Maybe you could read up on that and update us on it.