CHR57
New Contributor III

Web Filter / Static URL filter

I have no Internet access out from a VLAN. I would just like certain URLs to be allowed.

I have created a policy that I have added a Web Filter to.

In the Web Filter I have added static URLs. For example:

URL: *mcdonalds.com
Type: Wildcard
Action: Allow
Status: Enable

I end the static URL list with:

URL: *
Type: Wildcard
Action: Block
Status: Enable

Is this the right way to do it?

If the request matches this policy (source, destination, etc.), it looks like the last * Block stops the request from continuing to go through other policies.

 

FortiOS 5.6.9

CR
1 Solution
sw2090
Honored Contributor

I think this will not work as two of your URL filter rules will match this. What matches *mcdonalds.com also matches the block all rule you have. So this means the first rule will grant access to *mcdonalds.com but the 2nd coming after it will block it - in summary it will then be blocked since the block all rule is the last rule.

This should do if you set the action for *mcdonalds.com to exempt instead of allow, because allow does not stop the filter from checking against further rules and categories but exempt does just that.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

2 REPLIES
Dave_Hall
Honored Contributor

It may work, assuming you are using deep (full SSL) inspection.  If you are not using full SSL, you likely need to apply security certificate inspection.  e.g. most all sites these days use HTTPS (encrypted connections).

 

If you peek at the security certificate for the site you are blocking/unblocking, you can see the website name, which should match the URL you are trying to block/unblock. 

 

Alternate FQDNs may also be listed in the security certificate.  You may need to apply/add other URL filters to completely block/unblock a site.  Also keep in mind that some sites might be pulling page elements from other domains.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
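
An added example, not part of any post in this thread: a small audit that lists the hostnames a site's certificate carries (CN plus alternate FQDNs) and reports which ones the allow/exempt wildcard entries would miss before the final `*` block entry catches them. It assumes shell-style wildcard matching via Python's `fnmatch` as an approximation of the Wildcard type, not FortiOS's own matcher, and the certificate data and the `.example` hostname are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert();
# the names are illustrative, not read from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.mcdonalds.com"),),),
    "subjectAltName": (
        ("DNS", "www.mcdonalds.com"),
        ("DNS", "mcdonalds.com"),
        ("DNS", "static.mcd-cdn.example"),
    ),
}

# Wildcard entry from the thread; the trailing "*" block entry is implied.
ALLOW_PATTERNS = ["*mcdonalds.com"]


def cert_hostnames(cert):
    """Return the subject CN and DNS subjectAltName entries, de-duplicated in order."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return list(dict.fromkeys(names))


def matching_pattern(host, patterns):
    """Return the first wildcard pattern that matches host, or None."""
    for pattern in patterns:
        if fnmatchcase(host.lower(), pattern.lower()):
            return pattern
    return None


def audit(cert, patterns):
    """Split certificate hostnames into (covered, uncovered) by the allow patterns."""
    covered, uncovered = [], []
    for host in cert_hostnames(cert):
        (covered if matching_pattern(host, patterns) else uncovered).append(host)
    return covered, uncovered


if __name__ == "__main__":
    ok, missing = audit(SAMPLE_CERT, ALLOW_PATTERNS)
    print("covered:", ok, "| would hit the final block entry:", missing)
    # A pattern without a dot boundary also admits look-alike domains.
    print("notmcdonalds.com matched by:", matching_pattern("notmcdonalds.com", ALLOW_PATTERNS))
```

Under these matching assumptions, replacing `*mcdonalds.com` with the pair `*.mcdonalds.com` and `mcdonalds.com` still covers the site's own names while no longer matching a look-alike such as `notmcdonalds.com`.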
