soradog
New Contributor

Using Web Filtering & SSL/SSH inspection & Application Control at the same time

Hey guys,

I'm struggling with enabling Web Filtering, SSL/SSH inspection, and Application Control simultaneously.

What I want to achieve through this is:

1. Block all access except for some endpoints (e.g. I need to allow access to Windows Update, Office 365 (authentication), antivirus software (updates)).

   To accomplish this, in URL filtering I set * to be blocked (name: *, action: block) so that all access is blocked, and above that I set some URLs to be allowed (*.microsoftonline.com, *office365*, for example).

   Though it only works for HTTP (HTTPS is not blocked). I also enabled SSL/SSH certificate inspection and set the action to block.

   Here I could allow access only to the example URLs.

2. Allow some applications (and deny other applications).

   It's so hard to check all the URLs that need to be allowed for every application we use in our company, so I'm thinking of using Application Control to allow/deny specific application traffic.

   But here's the problem.

   My vision is, while controlling access through Web Filtering & SSL/SSH inspection, to allow some application traffic listed as signatures.

   But it doesn't work; if I block every category of Application Control and allow some signatures, the URLs whitelisted above don't work anymore.

   Is it impossible to use Web (URL) Filtering, SSL/SSH inspection and Application Control at the same time?

dmcquade
New Contributor III

Yes. It is possible to use all 3 at the same time.

In a 5.4 platform use the following guide:

For your Application Control, block the categories you want blocked in all instances such as "botnet"; set monitor to categories you want logs for and allow for categories you don't want logged.

In your webfilter, block the categories you don't want users to have access to. Use the URL filter to create exceptions. If you want to create a specific set of URLs for access, block all categories and create a URL filter of allowed sites (simple and wildcard). Sometimes I will create a webfilter that allows only the "Information Technology" category and then add sites to the URL filter.

For your SSL/SSH Inspection profile, if you are doing Full Inspection (DPI) make sure you use a CA certificate that the workstations can validate. Set the SSL Inspection option to "Multiple clients connecting to Multiple servers" and make sure that the protocols to inspect have HTTPS enabled and your CA certificate selected.

Your browsing rule should have HTTP and HTTPS for the service. Add the security profiles created and make sure you also have a protocols profile selected. The default is typically fine for most configurations.

soradog

Thanks for the reply, DMCquade.

I understand the simultaneous usage of Web Filtering & SSL/SSH inspection & Application Control is possible.

But I still have some questions:

1. Is it possible to deny access except for some apps by Application Control, and then allow access to some URLs by Web Filtering?

   In the normal proxy mode, Application Control is done first, so what Application Control drops won't go to further steps.

   But what I want to achieve is to pick up some URLs by Web Filtering (used like a whitelist) that are already blocked by Application Control.

   Or are there any substitute solutions for this?

   I need everyone's help.

dmcquade
New Contributor III

If you block the application category, you cannot define webfiltering exceptions. You need to monitor the category in the App Control, block it in webfiltering and define exceptions in the URL filter or Web Content filter options. For example, say you wanted to block access to File Sharing and Storage but allow access to Dropbox. Set Storage/Backup in App Control to monitor, block the File Sharing and Storage category in your webfilter and add *.dropbox.com to the Static URL filter as Allowed. Some sites have dependencies on other URLs so review the logs to get a list of domains, subdomains, and URLs you may need to add exceptions for.

Hope that helps

d
