KenS
New Contributor

Creating a URL Whitelist for an SSID

I'm the "IT guy" at a small manufacturing company, but kind of a noob at firewall configs. We have several computers on the shop floor used to access an intranet to get production drawings and the like from a local LAN server. These machines do not have access to the internet, only the resources on the local LAN via a specific SSID. We are changing our anti-virus system to "WebRoot", which requires the end points to have access to the internet in order to get signature files and be managed from the cloud. I'm trying to create a URL-based white-list to allow these shop floor machines to connect to the needed Webroot servers but still block all other internet traffic on that SSID.

What I've done so far:
Device: 200D Firewall
OS: 5.4.1

I started by creating a policy that will allow the SSID to have internet access. The policy works: enabled, they get full internet; disabled, no internet. Good so far. I then created a Web filter under Security Profiles (see pic attached); this is where it starts to get foggy for me. I initially created one URL filter using a wildcard of "*" and an action of "Block", assuming that if this filter was added and enabled on the previous policy it would block all internet traffic other than sites listed above it. This part is not working: we are still getting access to most internet sites, though some sites come up as blocked, but far from the white-list I'm hoping for. Using the 5.4 FortiOS handbook is a bit overwhelming for what I think should be a basic task. I could also be coming at this from entirely the wrong direction. Any help in accomplishing this task would be greatly appreciated.

Thanks in advance.

SCSIraidGURU
Contributor

Symantec Endpoint Protection Management and Windows System Update Service allow me to create a Virtual Machine Server on our domain to push out updates to the users without them going to the internet to get them. The benefits of this are:
1.) Only one server goes to the internet for updates instead of every workstation and VM.
2.) I can decline what I don't want installed.
3.) I can see who is upgraded and what has failed.
Can your application be installed on a VM like these?

KenS

We've looked at a product like Symantec that has a central console that can push updates to non-internet-connected LAN machines. There are a few reasons we are not going that route. Webroot's model works well for us. So creating a filter that will allow ONLY access to the sites needed for Webroot to work is what I need to do. I have made some progress, and might have a workable solution sometime tomorrow. I'm getting a better understanding of how Fortinet handles web filtering as well as SSL-based filtering, so what I'm learning here has some value that way. Thanks for the reply!

KenS

All I'm looking to do is create an SSID that has web access limited to about a dozen sites; ALL other sites are blocked. This seems like it should be a straightforward function of a firewall. Why does this seem so difficult? I want to create a whitelist: if a site is on the whitelist, it gets in; if not on that whitelist, it gets blocked. Currently I have it so that all non-whitelisted HTTP sites are blocked (using web filter), as well as many HTTPS sites (though not all, by using SSL/SSH Inspection as recommended by another source). How can I block all sites EXCEPT for those on my whitelist? This should not be that difficult to accomplish, or is my understanding of this not accurate?

SCSIraidGURU
Contributor

So you need a rule for a few computers/servers that only allows a few sites in and blocks all other traffic. Can you move them to their own VLAN to isolate them better? You can create a VLAN-based rule using an ACL list that allows only TCP traffic to those sites and blocks IP ANY ANY; that is how I would do it in Cisco. On Fortinet, I would do an IPv4 policy like this:
Policy 3: Allow VLAN traffic to those sites
Policy 4: Deny VLAN traffic for IP

By placing them in a separate VLAN, you can add machines later on.


SCSIraidGURU
Contributor

I set up my 60E over the weekend. It has an interface called LAN (it was the default name) that is set up for only WiFi. The WIFI group would be the devices in that SSID. LAN is not tied to any interfaces on the device. So it is just a virtual interface that has all the WiFi traffic from the FWF-60E WiFi. So I have an outbound rule for LAN to WAN1. This allows LAN (all WiFi traffic) out to the internet with any traffic. I can post it tonight, the setup.

SOURCE: those workstations / servers in an address group
DESTINATION: the sites you want them only to use
SERVICE: HTTPS (443) and HTTP (80) ports only
Put it as the top rule.

Rule underneath it would be denying them from everything else.
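The "allow policy on top, deny policy underneath" design described in this thread, written out as an added FortiOS 5.4 CLI example (this is not config posted by any participant; the SSID interface name "shopfloor-ssid", the WAN name "wan1" and the two vendor FQDNs are assumed placeholders):

```fortios
# Added example, not config posted in this thread. Assumed names: the
# shop-floor SSID interface is "shopfloor-ssid" and the WAN interface is
# "wan1"; the two FQDNs are PLACEHOLDERS for the AV vendor's real hosts.
config firewall address
    edit "av-updates-host"
        set type fqdn
        set fqdn "UPDATES-HOST.PLACEHOLDER"
    next
    edit "av-console-host"
        set type fqdn
        set fqdn "CONSOLE-HOST.PLACEHOLDER"
    next
end
config firewall addrgrp
    edit "av-allowed-hosts"
        set member "av-updates-host" "av-console-host"
    next
end
config firewall policy
    # Top rule: SSID -> allowed hosts only, on HTTP/HTTPS only
    edit 10
        set name "shopfloor-av-allow"
        set srcintf "shopfloor-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "av-allowed-hosts"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
    # Rule underneath: log and deny everything else from that SSID to WAN
    edit 11
        set name "shopfloor-deny-rest"
        set srcintf "shopfloor-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policies match top-down by position, not by ID; fix the order if needed
    move 11 after 10
end
```

If those endpoints resolve names through an internet DNS server rather than one on the local LAN, a DNS (port 53) allow to that server has to sit above the deny rule as well. FQDN address objects only match IP addresses the FortiGate itself has resolved, so the FortiGate and the clients should be using the same DNS.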
