Web Filter / Static URL filter

CHR57
2019/10/08 03:41:45

I have no Internet access out from a VLAN. I would just like certain URLs to be allowed.
I have created a policy that I have added a Web Filter to.
In the Web Filter I have added static URLs. For example:
URL *mcdonalds.com
Type Wildcard
Action Allow
Status Enable
 
I end the static URL list with:
URL *
Type Wildcard
Action Block
Status Enable
 
Is this the right way to do it?
If the request matches this policy (source, destination, etc.), it looks like the last * Block stops the request from continuing through other policies.
 
FortiOS 5.6.9
post edited by CHR57 - 2019/10/08 03:44:58

#1
Dave Hall
Re: Web Filter / Static URL filter 2019/10/08 10:30:49
It may work, assuming you are using deep (full SSL) inspection.  If you are not using full SSL, you likely need to apply security certificate inspection.  e.g. most all sites these days use HTTPS (encrypted connections).
 
If you peek at the security certificate for the site you are blocking/unblocking, you can see the website name, which should match the URL you are trying to block/unblock. 
 
Alternate FQDNs may also be listed in the security certificate.  You may need to apply/add other URL filters to completely block/unblock a site.  Also keep in mind that some sites might be pulling page elements from other domains.
 

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
#2
sw2090
Re: Web Filter / Static URL filter 2019/10/08 23:26:18
I think this will not work, as two of your URL filter rules will match this. What matches *mcdonalds.com also matches the block-all rule you have. So this means the first rule will grant access to *mcdonalds.com but the second, coming after it, will block it. In summary, it will then be blocked since the block-all rule is the last rule.
This should work if you set the action for *mcdonalds.com to exempt instead of allow, because allow does not stop the filter from checking against further rules and categories, but exempt does just that.
#3
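
The setup discussed in this thread, written as FortiOS CLI with the exempt action suggested in reply #3 and the certificate inspection mentioned in reply #2. This is an added example, not taken from any of the posts; the table ID, the profile names and the policy ID are assumptions.

```fortios
# Constructed example: table ID 10, the names and policy ID 5 are placeholders.
config webfilter urlfilter
    edit 10
        set name "vlan-allowlist"
        config entries
            edit 1
                set url "*mcdonalds.com"
                set type wildcard
                # Reply #3: exempt instead of allow for the permitted site
                set action exempt
                set status enable
            next
            edit 2
                # Catch-all entry kept last, as in the original post
                set url "*"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

# Web filter profile that references the static URL table above
config webfilter profile
    edit "vlan-allowlist-wf"
        config web
            set urlfilter-table 10
        end
    next
end

# Policy for the VLAN: attach the profile and an SSL inspection profile
config firewall policy
    edit 5
        set utm-status enable
        set webfilter-profile "vlan-allowlist-wf"
        # Reply #2: HTTPS needs at least certificate inspection so the
        # site name in the certificate can be matched
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

The wildcard `*mcdonalds.com` also matches any other hostname that merely ends in that string, and exempt bypasses the remaining security-profile checks for matching traffic, so keep exempt patterns as narrow as the site allows.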