Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HeraldGoSison
New Contributor II

Category Blocking in Firewall Policy

Hi Experts,

I am very new to Fortinet, so I am a bit confused about how web filter category blocking works in a firewall policy.

I want to block Facebook for all users/devices, but I want to have some exemptions for certain users/devices.

Would the method below work?

1) Allow the exempted users to Facebook

2) Block all users to Facebook

3) any any any allow

I am used to configuring Cisco FTD/FMC, and this method worked there. I am not sure about Fortinet, because in Fortinet once you select a category all categories will be included, unlike in Cisco, where only the categories you want to allow or block are included in the rules you are creating.

One more thing: if I upgrade the firmware, would it require a reboot? Can I revert back to the old firmware in case I am not happy with the newly installed firmware?

Thank you and more power to all!

12 REPLIES
payas60
New Contributor

Create/Clone a URL Filtering Profile that will allow and log (alert) all safe categories, then uncheck the “log container page only” option on the URL Filtering Profile. Apply this URL Filtering Profile to your catch all policy. If you still don’t see what you are hoping for, then possibly your previous policy is silently blocking the URLs you are in search of. In that case, swap the policies briefly to gain visibility.

https://xender.vip/
HeraldGoSison

Hi Sir,

This is my current firewall policy, and I noticed that policies 1 to 3 do not have any hit counts, so I assume the policy was bypassed or is not being used.

[Screenshot 2023-12-08 210945.jpg]

And regarding the "log container page only" option, I cannot see any option for that.

[Screenshot 2023-12-08 211305.jpg]

hbac
Staff

Hi @HeraldGoSison,

 

You will need two separate firewall policies and web filter profiles.

 

1. Create a web filter profile with Social Networking set to Allow and put it in a firewall policy for exempted users. This policy should be above.

2. Create a web filter profile with Social Networking set to Block and put it in a firewall policy for all users. 

3. any any any allow is not a good practice. There is already a default implicit deny policy at the bottom of the list. 

 

Regards, 

hbac

And yes, upgrading the firmware will require a reboot. It is also possible to rollback. 
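The CLI form of the two-policy design described in this reply, as an added example (not hbac's own configuration and not taken from Fortinet's documentation). It assumes interface names "internal" and "wan1", a user group "fb-exempt" that is populated with the exempted users (via FSSO, as the later replies explain), and FortiGuard category number 37 for Social Networking; confirm that number in the web filter profile editor on your firmware. Lines starting with `#` are annotations, not CLI input.

```text
# Two web filter profiles: one that only monitors Social Networking (for the
# exempted group) and one that blocks it (for everyone else).
config webfilter profile
    edit "wf-social-allow"
        set comment "Exempted users: Social Networking monitored, not blocked"
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action monitor
                next
            end
        end
    next
    edit "wf-social-block"
        set comment "All other users: Social Networking blocked"
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
            end
        end
    next
end

# Two firewall policies. FortiGate evaluates the policy list top-down and the
# first match wins, so the exempt policy (with the group) must sit above the
# block policy. Anything matching neither falls to the implicit deny.
config firewall policy
    edit 1
        set name "social-exempt"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "fb-exempt"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-social-allow"
        set nat enable
    next
    edit 2
        set name "social-block-all"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-social-block"
        set nat enable
    next
end
```

Two points worth checking against the symptoms reported in this thread. First, `utm-status enable` plus an SSL inspection profile is required for the web filter profile to take effect at all; certificate inspection is enough for category decisions on HTTPS sites, since the category lookup uses the server name rather than page content. Second, a policy with `set groups` only matches sessions whose source IP has been mapped to a logged-in user; without FSSO (or another authentication source) that mapping does not exist, the group policy is skipped, and its hit counter stays at zero while traffic falls through to the next policy. Policy order is the list order, not the policy ID, so if the exempt policy ends up below the block policy, `move 1 before 2` inside `config firewall policy` corrects it.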

HeraldGoSison
New Contributor II

Hi Sir,

This is what I made.

Rule #1 allows FB, YouTube and Spotify. The source is assigned to the LDAP group that I am part of and departments 1 & 2.

Rule #2 allows YouTube and Spotify only. The source is assigned to the LDAP group for department 3.

Rule #3 allows Spotify only. The source is assigned to the LDAP group for department 4.

Rule #4 blocks FB, YouTube and Spotify for all users inside the network.

[Screenshot 2023-12-09 003654.png]

But I still cannot access FB, YouTube or Spotify. Does assigning user remote groups via LDAP in the source field work? Or is there another way to add user remote groups? Or do I need an SSO agent installed on our domain controllers so that it will recognize users and groups?

hbac

@HeraldGoSison

 

If you want to allow/deny based on LDAP users, you need to use FSSO. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/450337/fsso

 

Regards, 

HeraldGoSison
New Contributor II

Hi Sir, I am following a certain YouTube tutorial on how to connect using FSSO, but upon checking I don't have Fortinet Single Sign-On Agent in my Fabric connectors. How can I add it?

[Screenshot 2023-12-09 013835.png]

 

hbac

@HeraldGoSison,

 

Looks like you are using an older FortiOS version. You can check Security Fabric > External Connectors. Please refer to https://docs.fortinet.com/document/fortigate/6.4.14/administration-guide/503764/fsso-polling-connect...

 

Regards, 

HeraldGoSison
New Contributor II

Hi Sir,

I tried following the instructions from the article you sent, but after setting up Security Fabric -> External Connectors I did not see a Local FSSO agent, only the Active Directory Connector, as instructed by the article.

[Screenshot 2023-12-08 211305.jpg]

[Screenshot 2023-12-09 195357.jpg]

I have also upgraded my FortiOS version to 7.0.12. What FortiOS version should I use to make this functional?
