Subrata
New Contributor

web filtering issue

In my office I have two FGT310B firewalls in HA. I have created a schedule for accessing Facebook and YouTube, meaning that people should be able to access FB and YouTube during the lunch hour only. Accordingly, I have created the policy enabling web filtering and application control so that during normal working hours people would not be able to access FB and YouTube. But what I am finding is that if any person logged on once during the lunch break, he just stays logged on after the lunch time is over as well, and the web filter and application control are not working in this case. But yes, fresh logins to Facebook and YouTube do not happen after lunch hour, in accordance with the policy. If anybody can help on this.
netmin
Contributor II

Hi Subrata, have you already tried "set schedule-timeout enable" in your lunch hour policy?
Subrata
New Contributor

Hi, thanks for your response. I have enabled the schedule timeout in the lunch hour policy, but Facebook is still opening. The firmware version of the firewall is v4.0,build0665,130514 (MR3 Patch 14). Should I upgrade it, or is there some other way? Please find the config snap:

    FG300B3912600448 (49) # show
    config firewall policy
        edit 49
            set srcintf "HOTSPOT_AREA"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "Non Working"
            set schedule-timeout enable
            set service "ALL"
            set utm-status enable
            set logtraffic enable
            set av-profile "wmg2"
            set webfilter-profile "Streaming and Social Medial allow"
            set application-list "default"
            set profile-protocol-options "WMG1"
            set nat enable
        next
    end
Warren_Olson_FTNT

Is it just for a little while they can surf after lunch or like the rest of the day? I was thinking it could be related to an existing session having an accept status tied to it during lunch, and afterwards the traffic continues to use that session until it expired/got cleared/etc which it should eventually do.
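
The session behaviour discussed in the reply above, as a simplified model added here (not FortiOS code and not from any poster): policy and schedule are checked only when a session is created, so an established flow keeps passing until it idles out, unless sessions are purged when the schedule ends, which is what schedule-timeout is documented to do. The 13:00-14:00 window, the idle timeout, the addresses and every class and function name are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

IDLE_TTL = 3600  # assumed idle timeout in seconds (constructed value)

def hm(h, m=0):
    """Clock time as seconds since midnight."""
    return h * 3600 + m * 60

@dataclass
class Policy:
    pid: int
    start: int                      # schedule start, seconds since midnight
    end: int                        # schedule end, seconds since midnight
    schedule_timeout: bool = False

    def active(self, now):
        return self.start <= now < self.end

@dataclass
class Firewall:
    policy: Policy
    sessions: dict = field(default_factory=dict)  # flow tuple -> last-seen time

    def packet(self, flow, now):
        """Return True if the packet is forwarded."""
        self._expire(now)
        if flow in self.sessions:        # established session: no policy lookup
            self.sessions[flow] = now
            return True
        if self.policy.active(now):      # new session: schedule is evaluated
            self.sessions[flow] = now
            return True
        return False                     # no matching policy, implicit deny

    def _expire(self, now):
        for flow, seen in list(self.sessions.items()):
            idle = now - seen > IDLE_TTL
            # Modelled schedule-timeout: purge sessions once the schedule ended.
            ended = self.policy.schedule_timeout and not self.policy.active(now)
            if idle or ended:
                del self.sessions[flow]

def replay(schedule_timeout):
    """Constructed traffic: a flow opened at 13:30 and kept alive, plus a new flow at 14:30."""
    fw = Firewall(Policy(49, hm(13), hm(14), schedule_timeout))
    old, new = ("10.0.0.5", 50000, "fb", 443), ("10.0.0.5", 50001, "fb", 443)
    opened = fw.packet(old, hm(13, 30))
    fw.packet(old, hm(14, 10))           # keep-alive inside the idle window
    return opened, fw.packet(old, hm(14, 30)), fw.packet(new, hm(14, 30))
```

`replay(False)` shows the symptom from the first post (old flow still passes, new flow is denied); `replay(True)` shows the old flow dropped once the schedule has ended.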
Subrata

Hi, actually if it is logged in once during the lunch time, it will continue to be logged in for the rest of the day. If it is refreshed, then the blocking policy will work. I don't know how to solve this problem.
Nihas
New Contributor

I also have the same configured for the users to access the social media sites. But in my case, after their leisure time (1:00 PM - 2:00 PM) everything is getting blocked. The only problem I've seen is that a few users will buffer the whole video (a video of 2 hours, or a movie :p) during the period, and they can enjoy watching it even after the leisure time. What I can suggest is that you get the latest one. Mine is 5.2, but you can try with 5.0.[7-9]
Nihas
ede_pfau
Esteemed Contributor III

You could prevent excess buffering with a per-IP-traffic shaper if you wanted to.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Nihas
New Contributor

Thanks Ede! I didn't think about that option till now :) Where should I apply the per-IP shaper? On the firewall policy or on the relevant "Application sensor"? It seems the application sensor has an option to bind a "Shared Traffic Shaper", but I am not able to bind a "Per IP one". And here also, how do we restrict the usage quota instead of limiting the bandwidth? Are there any options to set the usage limit for a user? For example, the Corporate communication team needs some 5 GB/day, while the finance team doesn't need that much. Do we have any such option to limit the quota for each user?
Nihas
ede_pfau
Esteemed Contributor III

A lot of questions... I'm not an expert on TS but I'll try to answer some. Having the TS in a policy offers more flexibility, as you can shape download and upload traffic independently. To have the TS effect limited to the application you are targeting can be a little complicated though. If it's determined by 'service', OK. But in other cases (like 'Facebook downloads') you have to resort to AppControl and its shapers. BTW the 5.2 manual states that both shared and per-IP shapers are available in AppCtrl. Quotas were once a part of FortiOS. I think (but am not sure) that they are not available anymore in FOS 5.x. Maybe you could read up on that and update us on it. HTH.

Ede

"Kernel panic: Aiee, killing interrupt handler!"