shrute_farms
New Contributor

Make Whitelisting IP addresses easier

Whitelisting internal IP addresses is incredibly complicated for no reason right now. I've been reading through posts about how to do it all day, trying to find a solution that works, and I can't help but think that it could just be developed a better way. Here is what I suggest, with the FortiGate 60D:

Under - Security Profiles>Web filter>Allow users to override blocked categories 

there is an option called "switch applies to" where you can select IP; however, it doesn't let you enter an IP or even change any of the options.

Why not make it so I can simply add an IP to that category and then that IP will be able to override the filter. 

Not only will this make it easier for users, but it will also make sudden changes to a network's needs easier to implement.

There are many users who have asked this question online, so it would definitely help customers, and I doubt it would be any harder or costlier to develop than wasting money having technicians spend their time replying to posts year after year to solve the same issue for every customer that can't figure out how to implement this with their specific needs.

It would also vastly help people filtering Windows updates, which has to be a concern for anyone using your product.

Thanks, hope y'all take my suggestion seriously.

SMabille
Contributor

You could simply create address objects (and then an address group) and create policies with those as the destination, without a web filter profile attached. That should simplify whitelisting.
Kenundrum
Contributor III

I imagine you are referring to whitelisting IP addresses in regard to web filtering? That is already very possible and easy to implement. In short, you create a policy above your "main" web filtering policy with the IPs you want to whitelist as the destination.

The firewall processes traffic according to the policies from the top down, so you need to make sure your policies are ordered from most specific to least specific in order to properly handle traffic without causing shadowed or redundant rules. In a simple example, you have a policy for web access with the source as all internal IPs, destination all external IPs, services HTTP and HTTPS, and a web filter security profile inspecting traffic. Create an address group called "web filter exempt destinations" or whatever you want to call it. Add address objects to that group with the IP addresses of the destinations you want to exempt. Create a new policy above your main web filter policy with the source as all internal IPs (or whichever internal address objects are allowed to be exempted), destination as "web filter exempt destinations", services HTTP and HTTPS, and no web filter policy (or a different web filter that only monitors). When you find you need an IP whitelisted, just create an address object for it and add it to the exempt address group.

The traffic flow will be that your client hits the first rule when browsing to a page hosted on exempted IPs and does not get web-filter blocked, but when they browse to other sites they hit the second, broader policy with standard filtering.

The first caveat to this is that if your exempt list starts to contain many addresses, it may affect firewall performance (especially on smaller models), as the system needs to parse through a much larger and more complex ruleset. In general, pure firewalling performance is much faster than traffic inspection and it might not realistically become noticeable in most cases, but probably avoid hundreds or thousands of individual address objects.

You want to be very careful about whitelisting external IPs, especially if they are on shared hosting. If something bad is hosted at the same IP address as something you originally whitelisted, the firewall will not really be able to tell and will let that traffic through. This is less of an issue for trusted vendors or internal or DMZ web pages.

If you do web-filter-based usage reporting, you may want to create a separate web filter profile that is monitor-only, to keep visibility into the web traffic for these addresses. We do periodic reviews of web usage to find things out of the ordinary; exempting a bunch of traffic from web filtering altogether would skew some of this data, since it would not be picked up. This would also help with the previous issue, as it would pick up the URL being requested, and if someone notices a bad URL passing through the exemption rule, you could perform some tweaking to stop it.

CISSP, NSE4
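Both replies above describe the same construction: address objects collected into an exempt group, an exempt policy placed above the broad filtered policy, and (per the second reply) a monitor-only profile on the exempt policy so the URLs still show up in logs. The following FortiOS CLI is an added example of that construction; it is not code from either poster or from Fortinet. The interface names (internal, wan1), the destination addresses (taken from the 203.0.113.0/24 documentation range), the policy IDs 10 and 20, and the use of the built-in "monitor-all" and "default" web filter profiles and "certificate-inspection" SSL profile are all assumptions; `set name` on a policy needs FortiOS 5.4 or later, so drop it on an older 60D.

```fortios
# Added example, not from the thread. Assumes interfaces "internal" and "wan1",
# FortiOS 5.4+ syntax, and documentation-range destination addresses.

# 1. One address object per destination to exempt from web filtering.
config firewall address
    edit "exempt-vendor-portal"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "exempt-update-cdn"
        set subnet 203.0.113.64 255.255.255.224
    next
end

# 2. Group them: a new exemption is a new member here, not a policy edit.
config firewall addrgrp
    edit "web-filter-exempt-destinations"
        set member "exempt-vendor-portal" "exempt-update-cdn"
    next
end

# 3. Exempt policy: same source and services as the main web policy, but the
#    destination is the exempt group and the web filter profile only monitors,
#    so requested URLs still appear in web filter logs and usage reports.
config firewall policy
    edit 10
        set name "web-filter-exempt"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "web-filter-exempt-destinations"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "monitor-all"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
# 4. Main web policy: everything else, with the blocking profile.
    edit 20
        set name "web-filtered"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

# 5. Order is what makes this work. Policy IDs do not imply order: if policy 10
#    sits below policy 20 it is shadowed and never matched, so move it explicitly.
config firewall policy
    move 10 before 20
end
```

The `#` lines are explanation only; strip them before pasting into a terminal session. After applying, `show firewall policy` should list policy 10 before policy 20. Keep the exempt policy's source restricted to the internal address objects that actually need the exemption rather than "all" if only some hosts should bypass filtering, and keep the monitor-only profile rather than no profile, since an IP-level exemption cannot distinguish a trusted site from anything else served from the same address.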