FortiOS 6 – Web Filtering

Using cookies to authenticate users in a Web Filter override

Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.

CLI syntax:

config webfilter cookie-ovrd set redir-host <name or IP> set redir-port <port>

end

config webfilter profile edit <name> config override set ovrd-cookie [allow | deny] set ovrd-scope [user | user-group | ip | ask]

set profile-type [list | radius] set ovrd-dur-mode [constant | ask] set ovrd-dur <duration> set ovrd-user-group <name> set profile <name>

end

end

end

External dynamic block lists

This feature introduces the ability to import (dynamically) an external block list in the form of a text file (containing a list of either addresses or domains), which resides on an HTTP server. You can use this block list to deny access to a source or destination IP address in Web Filter and DNS Filter profiles, SSL inspection exemptions, and as a Source/Destination in proxy policies. The block list is stored as an external resource, which is dynamically imported to the FortiGate at a configured interval (or refresh-rate) in order to maintain an updated list.

Using cookies to authenticate users in a Web Filter override

In each profile, the administrator can configure multiple external block lists.

The external dynamic URL block lists can be configured under System > External Resources.

The External Resources edit page provides the following fields: l Type

  • FortiGuard Category – The resource Name will appear as a “Remote Category” in Web Filter profiles and SSL inspection exemptions.
  • Firewall IP Address – The resource Name will appear as an “External Domain Block List” in DNS Filter profiles and as a “Source/Destination” in proxy policies.
  • Domain Name – The resource Name will appear as an “External Domain Block List” in DNS Filter profiles.
  • URI of external resource – The link to an external resource file. The file should be a plain text file with one domain each line and supports simple wildcard.
  • Refresh Rate – The time interval to refresh external resource (1 – 43200 minutes). l The size of the file can be 10 MB, or 128,000 lines of text, whichever is most restrictive.

The domain resource is a text file which contains a domain name for each line and supports simple wildcard. For example:

mail.*.or.th *-special.de.vu http://www.*de.vu 610-pawn.com

aaliyah-hq-gallery.de.vu abcgolocal.com

The address resource is a text file which contains an IP/IP range for each line (note that only IPv4 is supported in DNS profiles, so IPv6 addresses will be ignored). For example:

1.1.1.1

10.0.0.70

2.1.1.1

100.0.0.1-100.0.0.100

10.0.0.99-10.0.0.201

1.2.2.2/24

Syntax

config system external-resource edit <name> set type {category | address | domain}

set category <value> set comments [comments] set resource <resource-url> set refresh-rate <minutes> set last-update <datetime>

next

end

You can also configure one or more external domain block lists under config dnsfilter profile. See “DNS filter ” on page 120for more information.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.