
Author
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
2020/01/26 13:39:05 (permalink)
0

IP

Hello, I'm new to FortiGate and was wondering if anyone knows how to exempt a specific IP address from web filtering? Thanks in advance.
#1
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: IP 2020/01/26 20:56:21 (permalink) (marked helpful by lexx 2020/01/26 21:19:45)
5 (1)
Probably the same as any other firewall. I would create a new policy for HTTP/HTTPS and specify the IP as the destination address with the "accept" action, then not apply the web filtering profile. Then place/move it one above the existing web filtering policy.
#2
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: IP 2020/01/26 21:04:20 (permalink)
5 (1)
You probably meant a "source IP" to exempt. Then put it in the source address on the new policy.
#3
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
Re: IP 2020/01/26 21:15:18 (permalink)
0
So does this mean it can't be done?
#4
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
Re: IP 2020/01/26 21:18:25 (permalink)
0
I see. I have no experience whatsoever with firewalls, but thank you for the advice. Will give it a go and update you :)
#5
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
Re: IP 2020/01/26 21:31:16 (permalink)
0
OK, I've tried but I'm getting more and more confused. Can anyone walk me through the steps or anything similar, please? Much appreciated.
#6
ShawnZA
Silver Member
  • Total Posts : 87
  • Scores: 11
  • Reward points: 0
  • Joined: 2018/04/02 23:31:22
  • Location: Cape Town
  • Status: offline
Re: IP 2020/01/26 22:53:36 (permalink)
0
Yes it can be done. Do you want to exempt an internal IP (User or device) or an external IP/website?
#7
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
Re: IP 2020/01/26 22:58:02 (permalink)
0
Exempt an internal IP and also a mobile device for my boss please if you could provide guidance.
#8
ShawnZA
Silver Member
  • Total Posts : 87
  • Scores: 11
  • Reward points: 0
  • Joined: 2018/04/02 23:31:22
  • Location: Cape Town
  • Status: offline
Re: IP 2020/01/26 23:12:26 (permalink)
4 (1)
Not sure how to add multiple screenshots, so will reply a few times, sorry.
First create the address with the IP of the device as per the attached screenshot.
post edited by ShawnZA - 2020/01/26 23:18:18

Attached Image(s)

#9
ShawnZA
Silver Member
  • Total Posts : 87
  • Scores: 11
  • Reward points: 0
  • Joined: 2018/04/02 23:31:22
  • Location: Cape Town
  • Status: offline
Re: IP 2020/01/26 23:22:12 (permalink)
5 (1)
Once the address is created, go to Policy and Objects and create a new IPv4 Policy; just make sure the new policy is moved above the policy that the phone is currently hitting on the firewall.
 
Source will be the IP of the device you created.
Select whatever services you need: HTTP, HTTPS etc.
Do not select the security profiles, or only select the ones you want.
That should be it; if the policy is above the current one, the phone will hit the new policy and be excluded from the security scan profiles.
post edited by ShawnZA - 2020/01/26 23:24:03

Attached Image(s)

#10
Toshi Esumi
Expert Member
  • Total Posts : 2029
  • Scores: 186
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: IP 2020/01/27 08:29:59 (permalink)
4 (1)
Don't forget to move it above existing policies. You can "drag" it by "ID". FW policies work in "waterfall" logic from top toward bottom. If anything above matches the traffic, including that IP, it wouldn't get to the policy you created.
#11
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
Re: IP 2020/01/27 11:50:04 (permalink)
0
Thanks, this worked like a charm with my boss's phone! Just a quick question: will the phone IP change once the user disconnects from the wifi, since our network is using DHCP to distribute IP addresses?
 
And this can also be done to a PC using the same steps?
#12
Dave Hall
Expert Member
  • Total Posts : 1636
  • Scores: 174
  • Reward points: 0
  • Joined: 2012/05/11 07:55:58
  • Location: Canada
  • Status: offline
Re: IP 2020/01/27 12:35:46 (permalink)
4 (1)
The IP address (for any device) would need to be reserved in the DHCP IP lease pool.
 
If you'd rather not have to deal with reserving static IPs, you can always craft firewall policies based on the device MAC address. To do this, first enable Device Detection under the interface (e.g. LAN), then go under "User and Device->Device Inventory", locate the MAC address (if you do not see the MAC column, just right-click on the column headers and add it), and edit that MAC: give the device a name and create or add that device to a new device group (e.g. unfiltered-devices). When it comes to crafting the firewall policy, much like before you would use the source "all" followed by the device group name. The rest of the firewall policy should remain the same.

Attached Image(s)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
#13
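The ordering rule from posts #9 to #11 and the device-group variant from post #13, modelled as an added Python example (this is not code from the thread or from Fortinet, and it does not talk to a FortiGate): a first-match evaluator over a constructed policy list. It shows why the exemption policy must sit above the web-filtering policy, why an IP-keyed exemption stops working when DHCP hands the phone a new lease, and how a policy keyed on a device group keeps matching. The LAN subnet 192.168.10.0/24, the address 192.168.10.50, the MAC aa:bb:cc:dd:ee:01 and all policy names and IDs are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values for this illustration (not from the thread):
# the LAN subnet, the boss's phone, and the MAC address the DHCP server sees.
LAN = ip_network("192.168.10.0/24")
BOSS_PHONE_IP = "192.168.10.50"
BOSS_PHONE_MAC = "aa:bb:cc:dd:ee:01"

# Destination port -> FortiGate-style service name used in policies.
SERVICE_BY_PORT = {80: "HTTP", 443: "HTTPS", 53: "DNS"}


@dataclass
class Policy:
    """Simplified IPv4 policy: the firewall walks the list top-down and the
    first policy whose source/service/device criteria all match decides."""
    policy_id: int
    name: str
    src_addrs: list                      # ip_network objects; 0.0.0.0/0 plays the role of "all"
    services: set                        # e.g. {"HTTP", "HTTPS"} or {"ALL"}
    web_filter: bool                     # True when a web-filter security profile is attached
    device_group: Optional[set] = None   # MACs in a device group (post #13); None = any device


def policy_matches(policy: Policy, src_ip: str, src_mac: str, dst_port: int) -> bool:
    """Does this single policy match the flow? Every criterion must hold."""
    service = SERVICE_BY_PORT.get(dst_port)
    if "ALL" not in policy.services and service not in policy.services:
        return False
    ip = ip_address(src_ip)
    if not any(ip in net for net in policy.src_addrs):
        return False
    if policy.device_group is not None and src_mac.lower() not in policy.device_group:
        return False
    return True


def first_match(policies, src_ip, src_mac, dst_port) -> Optional[Policy]:
    """'Waterfall' evaluation from post #11: the first match wins; later policies never run."""
    for policy in policies:
        if policy_matches(policy, src_ip, src_mac, dst_port):
            return policy
    return None


def is_web_filtered(policies, src_ip, src_mac, dst_port) -> Optional[bool]:
    """True/False = the flow is/isn't web-filtered; None = no policy matched (implicit deny)."""
    hit = first_match(policies, src_ip, src_mac, dst_port)
    return None if hit is None else hit.web_filter


def hits_policy(policies, expected_name, src_ip, src_mac, dst_port) -> bool:
    """Post-change check: does the flow actually land on the policy you intended?"""
    hit = first_match(policies, src_ip, src_mac, dst_port)
    return hit is not None and hit.name == expected_name


# Constructed policies (names and IDs invented here).
ANY_SRC = [ip_network("0.0.0.0/0")]
WEB = {"HTTP", "HTTPS"}
FILTERED = Policy(1, "lan-to-wan-webfilter", [LAN], WEB, web_filter=True)
EXEMPT_BY_IP = Policy(2, "exempt-boss-phone-by-ip",
                      [ip_network(BOSS_PHONE_IP + "/32")], WEB, web_filter=False)
EXEMPT_BY_DEVICE = Policy(3, "exempt-unfiltered-devices", ANY_SRC, WEB, web_filter=False,
                          device_group={BOSS_PHONE_MAC})

WRONG_ORDER = [FILTERED, EXEMPT_BY_IP]       # exemption left below: never reached
RIGHT_ORDER = [EXEMPT_BY_IP, FILTERED]       # exemption moved above, as posts #9 to #11 say
DEVICE_ORDER = [EXEMPT_BY_DEVICE, FILTERED]  # post #13 variant keyed on the device, not its IP

if __name__ == "__main__":
    cases = [("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER), ("device group", DEVICE_ORDER)]
    for label, plist in cases:
        for ip in (BOSS_PHONE_IP, "192.168.10.51"):   # second address = a new DHCP lease
            hit = first_match(plist, ip, BOSS_PHONE_MAC, 443)
            print(f"{label:12} src={ip:14} -> {hit.name if hit else 'no match':26}"
                  f" filtered={is_web_filtered(plist, ip, BOSS_PHONE_MAC, 443)}")
```

Running the script prints one line per policy order and source address. Note that with `RIGHT_ORDER` the exemption only holds while the phone keeps 192.168.10.50, which is why post #12 suggests a DHCP reservation; `DEVICE_ORDER` keeps exempting the phone after its address changes because the match is on the MAC in the device group, while any other device on the LAN still lands on the filtering policy.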
lexx
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/26 13:36:26
  • Status: offline
Re: IP 2020/01/27 13:04:29 (permalink)
0
So instead of using the IP address to identify the device, you substitute it with the MAC address?
#14