Category Archives: FortiGate

Application Control Actions

Application Control Actions

 

Allow

This action allows the targeted traffic to continue on through the FortiGate unit.

 

Monitor

This action allows the targeted traffic to continue on through the FortiGate unit but logs the traffic for analysis.

 

Block

This action prevents all traffic from reaching the application and logs all occurrences.

 

Reset

This action resets the session or connection between the FortiGate and the initiating node.

 

Traffic Shaping

This action presents a number of default traffic shaping options:

  • guarantee-100kbps
  • high-priority
  • low-priority
  • medium-priority
  • shared-1M-pipe

 

View Signatures

This option brings up a window that displays a list of the signatures with the following columns:

  • Application Name
  • Category
  • Technology – Technology is broken down into 3 technology models as well as the more basic Network-Protocol which would can be used as a catch all for anything not covered by the more narrowly defined technologies of:
  • Browser-Based
  • Client-Server
  • Peer -to-Peer
  • Popularity – Popularity is broken down into 5 levels of popularity represented by stars. 5 stars representing the most popular applications and 1 star representing applications that are the least popular.
  • Risk – The Risk property does not indicate the level of risk but the type of impact that is likely to occur by allowing the traffic from that application to occur. The Risk list is broken down into the following

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Application control concepts

Application control concepts

You can control network traffic generally by the source or destination address, or by the port, the quantity or similar attributes of the traffic itself in the security policy. If you want to control the flow of traffic from a specific application, these methods may not be sufficient to precisely define the traffic. To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it. Application control does not require knowledge of any server addresses or ports. The FortiGate unit includes signatures for over 1000 applications, services, and protocols.

Updated and new application signatures are delivered to your FortiGate unit as part of your FortiGuard Application Control Service subscription. Fortinet is constantly increasing the number of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

To view the version of the application control database installed on your FortiGate unit, go to the LicensInformation dashboard widget and find the IPS Definitions version.

To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Application Control

Application Control

Using the Application Control Security Profile feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non- standard ports or protocols.

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

You can find the version of the application control database that is installed on your unit, by going to the LicensInformation dashboard widget and find IPS Definitions version.

You can go to the FortiGuard Application Control List to see the complete list of applications supported by FortiGuard. This web page lists all of the supported applications. You can select any application name to see details about the application.

If you enable virtual domains (VDOMs) on the Fortinet unit, you need to configure application control separately for each virtual domain.

 

The following topics are included in this section:

  • Application control concepts
  • Application considerations
  • Application traffic shaping
  • Application control monitor
  • Enable application control
  • Application control examples

To view the version of the application control database installed on your FortiGate unit, go to the LicensInformation dashboard widget and find the IPS Definitions version.

To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Web Filter Profiles

Configuring Web Filter Profiles

 

Enabling FortiGuard Web Filter

FortiGuard Web Filter is enabled and configured within web filter profiles by enabling FortiGuard Categories. The service is engaged by turning on the Web Filter profile and selecting a profile that has FortiGuard Categories enabled on one or more active policies being run by the firewall.

There is also a system wide setting for the enabling or disabling of FortiGuard Web Filter that is only in the CLI.

config system fortiguard set webfilter-force-off

The two options on this setting are enable or disable. The syntax of the settings name is “force-off” so in order to enable FortiGuard Webfilter you have to choose disable for the setting and enable if you want to turn it off.

 

General configuration steps

1. Go to Security Profiles > Web Filter.

2. Determine if you wish to create a new profile or edit an existing one.

3. Select an Inspection Mode.

4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.

5. Configure any Quotas needed. (Proxy Mode)

6. Allow blocked override if required.(Proxy Mode)

7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)

8. Configure Static URL Settings. (All Modes)

9. Configure Rating Options. (All Modes)

10. Configure Proxy Options.

11. Save the filter and web filter profile.

12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

 

Configuring FortiGuard Web Filter settings

FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.

 

Getting to the Edit Web Filter Profile configuration window

Once you have gotten to the profile configuration window there are a number of settings that can be used, most of which are optional, so to avoid redundancy we will treat each of these sections of options separately, but without dupicating the common instructions of how to get to the profile editing page. Those instructions are here.

1. Go to Security Profiles > Web Filter.

2. Determine if you wish to create a new profile or edit an existing one.

a. New profile:

i. Select the Create New icon, in the upper right of the window (looks like a plus sign in a circle) or…

ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text. Select the Create

New icon in the upper left.

b. Edit existing profile:

i. Select the name of the profile that you wish to edit from the dropdown menu.

ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text. Select the name of the profile from the list.

3. Make sure there is a valid name, and comment if you want.

4. Configure the settings to best achieve your specific requirements

5. Select Apply or OK, depending on whether you are editing or creating a new profile..

In older versions of FortiOS there was a character limitation for the URL of 2048 bytes or approximately 321 characters. If the URL you were trying to reach was longer the URL sent to FortiGuard would be truncated and the service would be unable to cat- egorize the site. Starting in version 5 of the firmware the parsed URL has been increase to 4Kilobytes, effectively doubling the length of a URL capable of being categorized.

 

To configure the FortiGuard Web Filter categories

1. Go to the Edit Web Filter Profile window.

2. The category groups are listed in a widget. You can expand each category group to view and configure every sub- category individually within the groups. If you change the setting of a category group, all categories within the group inherit the change.

3. Select the category groups and categories to which you want to apply an action.

To assign an action to a category left click on the category and select from the pop up menu.

4. Enable Enforce Quota to activate the quota for the selected categories and category groups.

5. Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.

6. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

If you look at your logs carefully, you may notice that not every URL connection in the log shows a category. They are left blank. If you take one of those URL and enter it in the FortiGuard website designed to show the category for a URL it will successfully cat- egorize it.

The reason for this is that to optimize speed throughput and reduce the load on the FortiGuard servers the FortiGate does not determine a category rating on scripts and css files.

 

Configuring FortiGuard Category Quotas

1. Go to the Edit Web Filter Profile window

2. Verify that the categories that need to have quotas on them are set to one of the actions:

  • Monitor
  • Warning
  • Authenticate

3. Select the blue triange expand symbol to show the widget for Quotas

4. Select Create New or Edit.

5. In the New/Edit Quota window that pops up enable or disable the specific categories that the quota will apply to.

6. At the bottom of the widget, select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.

7. Select Apply or OK.

8. Continue with any other configuration in the profile

9. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

 

Configure Allowed Blocked Overrides

1. Go to the Edit Web Filter Profile window.

2. Enable Allow Blocked Override

3. In the Apply to Group(s) field select the desired User Group

4. In the Assign to Profile field, select the desired profile

 

Configure Search Engine Section

There are 2 primary configuration settings in this section.

 

Enable Safe Search

 

To enable the Safe Search settings

1. Go to the Edit Web Filter Profile window.

2. Enable Safe Search

3. Enable Search Engine Safe Search

4. Enable YouTube Filter

a. Enter the YouTube User ID in the Text field

 

Log All Search Keywords

In the GUI, the configuration setting is limited to a checkbox.

 

Configure Static URL Filter

Web Content Filter

To enable the web content filter and set the content block threshold

1. Go to the Edit Web Filter Profile window.

2. In the Static URL Filter section enable Web Content Filter.

3. Select Create New.

4. Select the Pattern Type.

5. Enter the content Pattern.

6. Enter the Language from the dropdown menu.

7. Select Block or Exempt, as required, from the Action list.

8. Select Enable.

9. Select OK.

 

Configure Rating Options

Allow Websites When a Rating error Occurs

In the GUI, the configuration setting is limited to a checkbox.

 

Rate URLs by Domain and IP Address

In the GUI, the configuration setting is limited to a checkbox.

 

Block HTTP Redirects by Rating

In the GUI, the configuration setting is limited to a checkbox.

 

Rate Images by URL (Blocked images will be replaced with blanks)

In the GUI, the configuration setting is limited to a checkbox.

 

Configure Proxy Options

Restrict Google Account Usage to Specific Domains

Configuring the feature in the GIU

Go to Security Profiles > Web Filter.

In the Proxy Options section, check the box next to Restrict to Corporate Google Accounts Only. Use the Create New link within the widget to add the appropriate Google domains that will be allowed.

Configuring the feature in the CLI

To configure this option in the CLI, the URL filter must refer to a web-proxy profile that is using the Modifying HTTP Request Headers feature. The command is only visible when the action for the entry in the URL filter is set to either allow or monitor.

1. Configure the proxy options:

config web-proxy profile edit “googleproxy”

config headers edit 1

set name “X-GoogApps-Allowed-Domains” set content “fortinet.com, Ladan.ca” end

end end

end

2. Set a web filter profile to use the proxy options

config webfilter urlfilter edit 1

config entries

edit “*.google.com” set type wildcard

set action {allow | monitor}

set web-proxy-profile <profile>

end end

end end

In the CLI, you can also add, modify, and remove header fields in HTTP request when scanning web traffic in proxy-mode. If a header field exists when your FortiGate receives the request, its content will be modified based on the configurations in the URL filter.

 

Web Resume Download block

In the GUI, the configuration setting is limited to a checkbox.

 

Provide Details for Blocked HTTP 4xx and 5xx Errors In the GUI, the configuration setting is limited to a checkbox. HTTP POST Action

Remove Java Applet Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Remove ActiveX Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Remove Cookie Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Web filtering example

Web filtering is particularly important for protecting school-aged children. There are legal issues associated with improper web filtering as well as a moral responsibility not to allow children to view inappropriate material. The key is to design a web filtering system in such a way that students and staff do not fall under the same web filter profile in the FortiGate configuration. This is important because the staff may need to access websites that are off-limits to the students.

 

School district

The background for this scenario is a school district with more than 2300 students and 500 faculty and staff in a preschool, three elementary schools, a middle school, a high school, and a continuing education center. Each elementary school has a computer lab and the high school has three computer labs with connections to the Internet. Such easy access to the Internet ensures that every student touches a computer every day.

With such a diverse group of Internet users, it was not possible for the school district to set different Internet access levels. This meant that faculty and staff were unable to view websites that the school district had blocked. Another issue was the students’ use of proxy sites to circumvent the previous web filtering system. A proxy server acts as a go-between for users seeking to view web pages from another server. If the proxy server has not been blocked by the school district, the students can access the blocked website.

When determining what websites are appropriate for each school, the district examined a number of factors, such as community standards and different needs of each school based on the age of the students.

The district decided to configure the FortiGate web filtering options to block content of an inappropriate nature and to allow each individual school to modify the options to suit the age of the students. This way, each individual school was able to add or remove blocked sites almost immediately and have greater control over their students’ Internet usage.

In this simplified example of the scenario, the district wants to block any websites with the word example on them, as well as the website www.example.com. The first task is to create web content filter lists for the students and the teachers.

 

Create a Webfilter for the students

1. Go to Security Profiles > Web Filter.

2. Select the Create New icon.

3. Enter the name “Students” in the name field.

4. For the Inspection mode, select Proxy.

5. Enable FortiGuard Categories.

a. Set to block the following categories:

  • Potentially Liable
  • Adult/Mature Content
  • Security Risk

 

URL Content

6. Check Enable Safe Search

a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex

b. Check YouTube Education Filter and enter the YouTube User ID

7. In the Static URL Filter section, check Enable URL Filter.

a. In the URL Filter widget, Select Create New.

i. In the URL field, enter *example*.* ii. For the Type field, select Wildcard iii.  For the Action field, select Block iv.  For the Status field, check enable v.   Select OK

 

Web Content Filter

8. In the Static URL Filter section, check Enable Web Content Filter.

a. In the Web Content Filter widget, select Create New.

b. Enter the name “Teachers” in the name field.

i. For the Pattern Type field, select

ii. In the Pattern field, enter “example”

iii.  For the Language field, choose Western

iv. For the Action field, select “Block” v. For the Status field, check Enable. vi.  Select OK

9. Check Rate URLs by Domain and IP Address

10. Check Block HTTP Redirects by Rating

11. Check Rate Images by URL (Blocked images will be replaced with blanks)

12. Select OK

 

Create a Webfilter for the Teachers

It might be more efficient if the Teacher Web Content List included the same blocked content as the student list. From time to time a teacher might have to view a blocked page. It would then be a matter of changing the Action from Block to Allow as the situation required. The following filter is how it could be set up for the teachers to allow them to see the “example” content if needed while keeping the blocking inappropriate material condition.

1. Go to Security Profiles > Web Filter.

2. Select the Create New icon.

3. Enter the name “Teachers” in the name field.

4. For the Inspection mode, select Proxy.

5. Enable FortiGuard Categories.

a. Set to block the following categories:

  • Potentially Liable
  • Adult/Mature Content
  • Security Risk

 

URL Content

6. Check Enable Safe Search

a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex

b. Check YouTube Education Filter and enter the YouTube User ID

7. In the Static URL Filter section, check Enable URL Filter.

a. In the URL Filter widget, Select Create New.

i. In the URL field, enter *example*.* ii. For the Type field, select Wildcard iii.  For the Action field, select Block iv.  For the Status field, check enable v.   Select OK

 

Web Content Filter

8. In the Static URL Filter section, check Enable Web Content Filter.

a. In the Web Content Filter widget, select Create New.

b. Enter the name “Teachers” in the name field.

i. For the Pattern Type field, select

ii. In the Pattern field, enter “example”

iii.  For the Language field, choose Western

iv. For the Action field, select “Exempt”

v. For the Status field, check Enable.

vi. Select OK

9. Check Rate URLs by Domain and IP Address

10. Check Block HTTP Redirects by Rating

11. Check Rate Images by URL (Blocked images will be replaced with blanks)

12. Select OK

 

To create a security policy for the students

1. Go to Policy & Objects > IPv4 Policy.

2. Select the policy being used to manage student traffic.

3. Enable Web Filter.

4. Select Students from the web filter drop-down list.

5. Select OK.

 

To create a security policy for Teachers

1. Go to Policy & Objects > IPv4 Policy.

2. Select the policy being used to manage teacher traffic.

3. Enable Web Filter.

4. Select Teachers from the web filter drop-down list.

5. Select OK.

6. Make sure that the student policy is in the sequence before the teachers’ policy.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Advanced web filter configurations

Advanced web filter configurations

 

Allow websites when a rating error occurs

Enable to allow access to web pages that return a rating error from the FortiGuard Web Filter service.

If your FortiGate unit cannot contact the FortiGuard service temporarily, this setting determines what access the FortiGate unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.

 

ActiveX filter

Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly with this filter enabled.

 

Block HTTP redirects by rating

Enable to block HTTP redirects.

Many web sites use HTTP redirects legitimately but in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.

This option is not supported for HTTPS.

 

Block Invalid URLs

Select to block web sites when their SSL certificate CN field does not contain a valid domain name.

FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:

  • If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
  • If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.

Enabling the Web Filter profile to block a particular category and enabling the Applic- ation Control profile will not result in blocking the URL. This occurs because Proxy and Flow based profiles cannot operate together.

To ensure replacement messages show up for blocked URLs, switch the Web Filter to Flow based inspection.

 

Cookie filter

Enable to filter cookies from web traffic. Web sites using cookies may not function properly with this enabled.

 

Provide Details for Blocked HTTP 4xx and 5xx Errors

Enable to have the FortiGate unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.

 

HTTP POST action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.

The available actions include:

Comfort

Use client comforting to slowly send data to the web server as the FortiGate unit scans the file. Use this option to prevent a server time-out when scanning or other filtering is enabled for outgoing traffic.

The client comforting settings used are those defined in the Proxy Options profile selected in the security policy.

 

Block

Block the HTTP POST command. This will limit users from sending information and files to web sites.

When the post request is blocked, the FortiGate unit sends the http-post-block replacement message to the web browser attempting to use the command.

 

Java applet filter

Enable to filter java applets from web traffic. Web sites using java applets may not function properly with this filter enabled.

 

Rate Images by URL

Enable to have the FortiGate retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.

Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.

 

Rate URLs by Domain and IP Address

Enable to have the FortiGate unit request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address defer the Action that is enforce will be determined by a weighting assigned to the different categories. The higher weighted category will take precedence in determining the action. This will have the side effect that sometimes the Action will be determined by the classification based on the domain name and other times it will be determined by the classification that is based on the IP address.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed.

An example of how this would work would be if a URL’s rating based on the domain name indicated that it belonged in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight the effective action is Block.

 

Web resume download block

Enable to prevent the resumption of a file download where it was previously interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off.

This prevents the unintentional download of viruses hidden in fragmented files.

Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager.

 

Restrict Google account usage to specific domains

This feature allow the blocking of access to some Google accounts and services while allowing access to accounts that are included in the domains specified in the exception list.

 

Block non-English character URLs

The FortiGate will not successfully block non-English character URLs if they are added to the URL filter. In order to block access to URLs with non-English characters, the characters must be translated into their international characters.

Browse to the non-English character URL (for example, http://www.fortinet.com/pages/ท     น      -ไ ม   ม   เ ศ ษ ร   ฐป ร ะ ห า ร ใ ห    ใ ค ร แ ด ก /338419686287505?ref=stream).

On the FortiGate, use the URL shown in the FortiGate GUI and add it the list of blocked URLs in your URL filter (for example, http://www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0

%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8% A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E

0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8

%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream). Once added, further browsing to the URL will result in a blocked page.

 

CLI Syntax

config webfilter urlfilter edit 1

set name “block_international_character_urls” config entries

edit 1

set url “www.fortinet.com/pages/2.710850E-3120%B8%E0%B8%B53.231533E-

3170%B9%E0%B8%E0%B8%B53.231533E-3170%B9%88-3.230415E-

3170%B9%E0%B80X0.000000063CD94P-102211.482197E-

3230%B9%E0%B80X0.0007FBFFFFCFP-102210.000000E+000%B8%B51.828043E-

3210%B9%E0%B80X0P+081.828043E-3210%B80X0P+092.710850E-

3120%B80X0.0000000407ED2P-102233.236834E-3170%B8%B19.036536E-

3130%B8%E0%B8%9B4.247222E-3140%B80X0P+039.036683E-3130%B8%B02.121996E-

3130%B80X0.0000000000008P-1022B2.710850E-3120%B8%B21.482197E-

3230%B80X0P+030.000000E+000%B9%E0%B80X0P+0B2.710850E-

3120%B9%E0%B9%E0%B8%E0%B80X0.0000000408355P-102232.023693E-

3200%B9%E0%B8%E0%B8%81/338419686287505?ref=stream” set action block

next end

next end

 

config webfilter urlfilter edit 2

set name “block_international_character_urls” next

end

 

config webfilter profile

edit “block_international_character_urls” next

end

 

config firewall policy edit 3

set uuid cf80d386-7bcf-51e5-6e87-db207e3f0fa8 set srcintf “port1”

set dstintf “port2” set srcaddr “all” set dstaddr “all” set action accept

set schedule “always” set service “ALL”

set utm-status enable set logtraffic all

set webfilter-profile “block_international_character_urls” set profile-protocol-options “default”

set ssl-ssh-profile “certificate-inspection” set nat enable

next end

 

WebSense web filtering through WISP

WISP is a Websense protocol that is similar in functionality to ICAP, it allows for URLs to be extracted by a firewall and submitted to WebSense systems for rating and approval checking.

This feature provides a solution for customers who have large, existing, deployed implementations of Websense security products to replace their legacy firewalls with a Fortigate family, such that they are not forced to make a change to their web filtering infrastructure at the same time.

In order to use WebSense’s web filtering service, a WISP server per VDOM needs to be defined and enabled first. A Web filtering profile is then defined that enables WISP, which in turn is applied to a firewall policy.

When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.

 

Syntax

config web-proxy wisp set status enable

set server-ip 72.214.27.138 set max-connection 128

end

config webfilter profile edit “wisp_only”

set wisp enable next

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Web content filter

Web content filter

You can control web content by blocking access to web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can also add words, phrases, patterns, wild cards and Perl regular expressions to match content on web pages. You can add multiple web content filter lists and then select the best web content filter list for each web filter profile.

Enabling web content filtering involves three separate parts of the FortiGate configuration.

  • The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day.
  • The web filter profile specifies what sort of web filtering is applied.
  • The web content filter list contains blocked and exempt patterns.

The web content filter feature scans the content of every web page that is accepted by a security policy. The system administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases in the page. If the sum is higher than a threshold set in the web filter profile, the FortiGate unit blocks the page.

 

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create a web content filter list.

2. Add patterns of words, phrases, wildcards, and regular expressions that match the content to be blocked or exempted.

3. You can add the patterns in any order to the list. You need to add at least one pattern that blocks content.

4. In a web filter profile, enable the web content filter and select a web content filter list from the options list. To complete the configuration, you need to select a security policy or create a new one. Then, in the security policy, enable Webfilter and select the appropriate web filter profile from the list.

 

Creating a web filter content list

You can create multiple content lists and then select the best one for each web filter profile. Creating your own web content lists can be accomplished only using the CLI.

This example shows how to create a web content list called inappropriate language, with two entries, offensive and rude.

 

To create a web filter content list

config webfilter content edit 3

set name “inappropriate language” config entries

edit offensive

set action block set lang western

set pattern-type wildcard set score 15

set status enable next

edit rude

set action block set lang western

set pattern-type wildcard set score 5

set status enable end

end end

 

Configuring a web content filter list

Once you have created the web filter content list, you need to add web content patterns to it. There are two types of patterns: Wildcard and Regular Expression.

You use the Wildcard setting to block or exempt one word or text strings of up to 80 characters. You can also use the wildcard symbols, such as “*” or “?”, to represent one or more characters. For example, as a wildcard expression, forti*.com will match fortinet.com and forticare.com. The “*” represents any kind of character appearing any number of times.

You use the Regular Expression setting to block or exempt patterns of Perl expressions, which use some of the same symbols as wildcard expressions, but for different purposes. The “*” represents the character before the symbol. For example, forti*.com will match fortiii.com but not fortinet.com or fortiice.com. The symbol “*” represents “i” in this case, appearing any number of times. RP: Add a regex example.

The maximum number of web content patterns in a list is 5000.

 

How content is evaluated

Every time the web content filter detects banned content on a web page, it adds the score for that content to the sum of scores for that web page. You set this score when you create a new pattern to block the content. The score can be any number from zero to 99999. Higher scores indicate more offensive content.  When the sum of scores equals or exceeds the threshold score, the web page is blocked. The default score for web content filter is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

 

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.
  • The score for any word in a phrase without quotation marks is counted.
  • The score for a phrase in quotation marks is counted only if it appears exactly as written.

The following table describes how these rules are applied to the contents of a web page. Consider the following, a web page that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.”

 

Banned Pattern Rules

Banned pattern Assigned score Score added to the sum for the entire page Threshold  Comment score

word            20               20                             20                Appears twice but only counted once. Web page is blocked.

word phrase

20               40                             20                Each word appears twice but only counted once giving a total score of 40. Web page is blocked

 

Banned pattern

Assigned score

Score added to the sum for the entire page

Threshold  Comment score

word sen- tence

word sentence”

20               20                             20                “word” appears twice, “sentence” does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.

20               0                               20                “This phrase does not appear exactly as written.

Web page is allowed.

word or phrase”

20               20                             20                This phrase appears twice but is counted only once. Web page is blocked.

 

Enabling the web content filter and setting the content threshold

When you enable the web content filter, the web filter will block any web pages when the sum of scores for banned content on that page exceeds the content block threshold. The threshold will be disregarded for any exemptions within the web filter list.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SafeSearch Fortinet Settings

SafeSearch

SafeSearch is a feature of popular search sites that prevents explicit web sites and images from appearing in search results. Although SafeSearch is a useful tool, especially in educational environments, the resourceful user may be able to simply turn it off. Enabling SafeSearch for the supported search sites enforces its use by rewriting the search URL to include the code to indicate the use of the SafeSearch feature. For example, on a Google search it would mean adding the string “&safe=active” to the URL in the search.

 

The search sites supported are:

  • Google
  • Yahoo
  • Bing
  • Yandex

 

Enabling SafeSearch — CLI

config webfilter profile edit default

config web

set safe-search url end

end

This enforces the use of SafeSearch in traffic controlled by the firewall policies using the web filter you configure.

 

Search Keywords

There is also the capability to log the search keywords used in the search engines.

 

YouTube Education Filter

YouTube for Schools is a way to access educational videos from inside a school network. This YouTube feature gives schools the ability to access a broad set of educational videos on YouTube EDU and to select the specific videos that are accessible from within the school network.

Before this feature can be used an account has to be set up for the school with YouTube. Once the account is set up a unique ID will be provided. This ID becomes part of the filter that is used to all access to the educational content of YouTube for use in schools even if YouTube is blocked by the policy.

More details can be found by going to http://www.youtube.com/schools.

 

Enabling YouTube Education Filter in CLI

config webfilter profile edit default

config web

set safe-search url header

set youtube-edu-filter-id ABCD1234567890abcdef end

end

 

Static URL Filter

You can allow or block access to specific URLs by adding them to the Web Site Filter list. You add the URLs by using patterns containing text and regular expressions. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.

URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp:// ftp.example.com. Instead, use firewall policies to deny ftp connections.

When adding a URL to the URL filter list, follow these rules:

  • Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
  • Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls access to the news page on this web site.
  • To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
  • Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.

URLs with an action set to exempt or monitor are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it so the FortiGate unit does not virus scan files downloaded from this URL.

 

 

URL formats

When adding a URL to the URL filter list, follow these rules:

 

How URL formats are detected when using HTTPS

If your unit does not support SSL content scanning and inspection or if you have selected the URL filtering option in web content profile for HTTPS content filtering mode under Protocol Recognition, filter HTTPS traffic by entering a top level domain name, for example, www.example.com. HTTPS URL filtering of encrypted sessions works by extracting the CN from the server certificate during the SSL negotiation. Since the CN only contains the domain name of the site being accessed, web filtering of encrypted HTTPS sessions can only filter by domain names.

If your unit supports SSL content scanning and inspection and if you have selected Deep Scan, you can filter HTTPS traffic in the same way as HTTP traffic.

 

How URL formats are detected when using HTTP

URLs with an action set to exempt are not scanned for viruses. If users on the network download files through the unit from trusted web site, add the URL of this web site to the URL filter list with an action set to exempt so the unit does not virus scan files downloaded from this URL.

  • Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
  • Enter a top-level URL followed by the path and filename to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls the news page on this web site.
  • To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
  • Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.
  • Fortinet URL filtering supports standard regular expressions.

If virtual domains are enabled on the unit, web filtering features are configured glob- ally. To access these features, select Global Configuration on the main menu.

 

URL Filter actions

You can select one of four actions for how traffic will be treated as it attempts to reach a site in the list.

 

Block

Attempts to access any URLs matching the URL pattern are denied. The user will be presented with a replacement message.

 

Allow

Any attempt to access a URL that matches a URL pattern with an allow action is permitted. The traffic is passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning.

Allow is the default action. If a URL does not appear in the URL list, it is permitted.

 

Monitor

Traffic to, and reply traffic from, sites matching a URL pattern with a monitor be allowed through in the same way as the “Allow” action. The difference with the Monitor action being that a log message will be generated each time a matching traffic session is established. The requests will also be subject to all other Security Profiles inspections that would normally be applied to the traffic.

 

Exempt

 

Exempt allows trusted traffic to bypass the antivirus proxy operations, but it functions slightly differently. In general, if you’re not certain that you need to use the Exempt action, use Monitor.

HTTP 1.1 connections are persistent unless declared otherwise. This means the connections will remain in place until closed or the connection times out. When a client loads a web page, the client opens a connection to the web server. If the client follows a link to another page on the same site before the connection times out, the same connection is used to request and receive the page data.

When you add a URL pattern to a URL filter list and apply the Exempt action, traffic sent to and replies traffic from sites matching the URL pattern will bypass all antivirus proxy operations. The connection itself inherits the exemption. This means that all subsequent reuse of the existing connection will also bypass all antivirus proxy operations. When the connection times out, the exemption is cancelled.

For example, consider a URL filter list that includes example.com/files configured with the Exempt action. A user opens a web browser and downloads a file from the URL example.com/sample.zip. This URL does not match the URL pattern so it is scanned for viruses. The user then downloads example.com/files/beautiful.exe and since this URL does match the pattern, the connection itself inherits the exempt action. The user then downloads example.com/virus.zip. Although this URL does not match the exempt URL pattern, a previously visited URL did, and since the connection inherited the exempt action and was re-used to download a file, the file is not scanned.

If the user next goes to an entirely different server, like example.org/photos, the connection to the current server cannot be reused. A new connection to example.org is established. This connection is not exempt. Unless the user goes back to example.com before the connection to that server times out, the server will close the connection. If the user returns after the connection is closed, a new connection to example.com is created and it is not exempt until the user visits a URL that matches the URL pattern.

Web servers typically have short time-out periods. A browser will download multiple components of a web page as quickly as possible by opening multiple connections. A web page that includes three photos will load more quickly if the browser opens four connections to the server and downloads the page and the three photos at the same time. A short time-out period on the connections will close the connections faster, allowing the server to avoid unnecessarily allocating resources for a long period. The HTTP session time-out is set by the server and will vary with the server software, version, and configuration.

Using the Exempt action can have unintended consequences in certain circumstances. You have a web site at example.com and since you control the site, you trust the contents and configure example.com as exempt. But example.com is hosted on a shared server with a dozen other different sites, each with a unique domain name. Because of the shared hosting, they also share the same IP address. If you visit example.com, your connection your site becomes exempt from any antivirus proxy operations. Visits to any of the 12 other sites on the same server will reuse the same connection and the data you receive is exempt from scanned.

Use of the Exempt action is not suitable for configuration in which connections through the FortiGate unit use an external proxy. For example, you use proxy.example.net for all outgoing web access. Also, as in the first example, URL filter list that includes a URL pattern of example.com/files configured with the Exempaction. Users are protected by the antivirus protection of the FortiGate unit until a user visits a URL that matches the of example.com/files URL pattern. The pattern is configured with the Exempt action so the connection to the server inherits the exemption. With a proxy however, the connection is from the user to the proxy. Therefore, the user is entirely unprotected until the connection times out, no matter what site he visits.

Ensure you are aware of the network topology involving any URLs to which you apply the Exempt action.

 

Status

The Web Site Filter has the option to either enable or disable individual web sites in the list. This allows for the temporary removal of the actions against a site so that it can be later reengaged without having to rewrite the configuration.

 

Configuring a URL filter

Each URL filter list can have up to 5000 entries. For this example, the URL www.example*.com will be used. You configure the list by adding one or more URLs to it.

 

To add a URL to a URL filter

1. Go to Security Profiles > Web Filter.

2. Select a web filter to edit.

3. Under Static URL Filter, enable URL Filter, and select Create New.

4. Enter the URL, without the “http”, for example: example*.com.

5. Select a Type: Simple (see below), Wildcard, or Regular Expression. In this example, select Wildcard.

6. Select the Action to take against matching URLs: Exempt, Block, Allow, or Monitor.

7. Select Enable.

8. Select OK.

 

Simple‘ filter type

If you select the Simple filter type for a URL filter, the syntax is performing an exact match. Note, however, that the domain and path are separate entities in HTTP despite the fact that a user types them as a single entity and, in the case of ‘simple’, the rules for each part (domain and path) are different.

 

The ‘domain’ part

For the domain part, the goal of the ‘simple’ format is to make it easy to block a domain and all its subdomains, such that the admin only has to type “address.xy” to block “address.xy”, “www.address.com“, “talk.address.xy”, etc. but not block “youraddress.xy” or “www.youraddress.xy” which are different domains from “address.xy”.

Also, the actual domain does not include http:// or https:// so this should not be entered or the URL filter will try to match a domain starting with http. For this reason, when you enter http:// in the URL filter via the GUI, it is automatically removed.

A trailing ‘/‘ with the domain is not needed. The GUI URL filter will automatically trim               this, but when using the API to provide the per-user BWL it will not!

Please take this into account. Better not to use it as it might give unexpected results.

 

The ‘path’ part

For the path part, an exact match takes place. For example:

www.address.xy/news

blocks anything that starts with that exact path. So this matches:

www.address.xy/newsies www.address.xy/newsforyou www.address.xy/news/co etc.

Also:

www.address.xy/new

likewise blocks the same as above but includes:

/newt

/newp etc.

which is a much broader filter, matching:

www.address.xy/newstand/co www.address.xy/news/co

etc.

In other words, the more you specify of the path, the more strictly it will match.

Here as well a trailing ‘/‘ with the URL path is not needed, the GUI URL filter will auto-               matically trim this, but when using the API to provide the per-user BWL it will not!

Please take this into account. Better not to use it as it might give unexpected results.

 

Referer URL

A new variable has been added to the Static URL Filter, referrer-host. If a referer is specified, the hostname in the referer field of the HTTP require will be compared for any entry that contains the matching URL. If the referer matches, then the specified action will be performed by proxy.

 

Configuring in the GUI

The configuration can be done in the GUI but only if advance webfiltering features have been enabled by entering the following commands in the CLI:

config system global

set gui-webfilter-advanced enable end

After this command is used, a new column will be created in Security Profiles > Web Filter to set the referer.

 

Configuring in the CLI

When specifying the URL filter, it needs to be identified by its ID. The URLs are listed under each entry. To find the ID number:

config webfilter urlfilter

edit ?

A list of the current URL filters will be listed with their ID numbers in the left column. The syntax in the CLI for configuring an entry is:

config webfilter urlfilter

edit <ID>

config entries edit 1

set url <url>

set referrer-host <url>

set type {simple | regex | wildcard}

set action {block | allow | monitor | exempt}

set status {enable | disable}

end end

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Overriding FortiGuard website categorization

Overriding FortiGuard website categorization

In most things there is an exception to the rule. When it comes to the rules about who is allowed to go to which websites in spite of the rules or in this case, policies, it seems that there are more exceptions than to most rules. There are numerous valid reasons and scenarios for exceptions so it follows that there needs to be a way to accommodate this exceptions.

 

The different methods of override

There are actually two different ways to override web filtering behavior based on FortiGuard categorization of a websites. The second method has 2 variations in implementation and each of the three has a different level of granularity.

1. Using Alternate Categories

Rating Override

This method manually assigns a specific website to a different Fortinet category or a locally created category.

2. Using Alternate Profiles

Administrative Override or Allow Blocked Override

In this method all of the traffic going through the FortiGate unit, using identity based policies and a Web Filtering profile has the option where configured users or IP addresses can use an alternative Web Filter profile when attempting to access blocked websites.

 

Using Alternate Categories

 

Web Rating Overrides

There are two approached to overriding the FortiGuard Web Filtering. The first is an identity based method that can be configured using a combination of identity based policies and specifically designed webfilter profiles. This has been addressed in the Firewall Handbook.

The second method is the system wide approach that locally (on the FortiGate Firewall) reassigns a URL to a different FortiGuard Category and even subcategory. This is where you can set assign a specific URL to the FortiGuard Category that you want to you can also set the URL to one of the Custom Categories that you have created

The Web Rating Overrides option is available because different people will have different criteria for how they categorize websites. Even is the criteria is the same an organization may have reason to block the bulk of a category but need to be able to access specific URLs that are assigned to that category.

A hypothetical example could be that a website, example.com is categorized as being in the Sub-Category Pornography. The law offices of Barrister, Solicitor and Lawyer do not want their employees looking at pornography at work so they have used the FortiGuard Webfilter to block access to sites that have been assigned to the Category “Pornography”. However, the owners of example.com are clients of the law office and they are aware that example.com is for artists that specialize in nudes and erotic images. In this case to approaches can be taken. The first is that the Rating Override function can be used to assign example.com to Nudity and Risque instead of Pornography for the purposes of matching the criteria that the law office goes by or the site can be assigned to a Custom Category that is not blocked because the site belongs to one of their clients and they always want to be able to access the site.

Another hypothetical example from the other side of the coin. A private school has decided that a company that specializes in the online selling of books that could be considered inappropriate for children because of their violent subject matter, should not be accessible to anyone in the school. The categorization by Fortinet of the site example2.com is General Interest – Business with the subcategory of Shopping and Auction, which is a category that is allowed at the school. In this case they school could reassign the site to the Category Adult Material which is a blocked category.

 

Local or Custom Categories

User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a web filter profile. Users can rate URLs based on the local categories.

Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed.

The local assignment of a category overrides the FortiGuard server ratings and appear in reports as “Local” Categories or “Custom” Categories depending on the context.

In the CLI, they are referred to as Local categories. To create a Local Category:

config webfilter ftgd-local-cat

edit local_category_1 set id 140

end

In the GUI they are referred to as Custom Categories. There is a way to create a new category in the Web Based

Manager.

1. Go to Security Profiles > Web Rating Overrides.

2. Instead of creating a new override, you can choose the “Custom Categories” icon in the top menu bar.

3. From the new window select Create New.

4. A new row will appear at the bottom of the list of categories with a field on the left highlighted and the message “This field is required”. Enter the name of the custom category in this field.

5. Select Enter.

 

Configuring Rating Overrides

1. Go to Security Profiles > Web Rating Overrides.

2. Select Create New

3. Type in the URL field the URL of the Website that you wish to recategorize.

4. Select the Lookup Rating button to verify the current categorization that is being assigned to the URL.

5. Change the Category field to one of the more applicable options from the drop down menu.

6. Change the SubCategory field to a more narrowly defined option within the main category.

7. Select OK.

 

It is usually recommended that you choose a category that you know will be addressed in existing Web Filter profiles so that you will not need to engage in further con- figuration.

 

Using Alternate Profiles

 

Allow Blocked Overrides or Web Overrides

The Administrative Override feature for Web Filtering was added and is found by going to Security Profiles > Web Filter and then enabling Allow Blocked Override. This opening window will display a listing of all of the overrides of this type. The editing window referred to the configuration as an Administrative Override.

 

The Concept

When a Web filter profile is overridden it does not necessarily remove all control and restrictions that were previously imposed by the Web Filter. The idea is to replace a restrictive filter with a different one. In practice, it makes sense that this will likely be a profile that is less restrictive the the original one but there is nothing that forces this. The degree to which that the alternate profile is less restrictive is open. It can be as much as letting the user access everything on the Internet or as little as allowing only one addition website. The usual practice though is to have as few alternate profiles as are needed to allow approved people to access what they need during periods when an exception to the normal rules is needed but still having enough control that the organizations web usage policies are not compromised.

You are not restricted to having only one alternative profile as an option to the existing profile. The new profile depends on the credentials or IP address making the connection. For example, John connecting through the “Standard” profile could get the “Allow_Streaming_Video” profile while George would get the “Allow_Social_ Networking_Sites” profile.

The other thing to take into account is the time factor on these overrides. They are not indefinite. The longest that an override can be enabled is for 1 year less a minute. Often these overrides are set up for short periods of time for specific reasons such as a project. Having the time limitation means that the System Administrator does not have to remember to go back and turn the feature off after the project is finished.

 

Identity or Address

In either case what these override features do is, for specified users, user groups or IP addresses, allow sites blocked by Web Filtering profiles to be overridden for a specified length of time. The drawback of this method of override is that it takes more planning and preparation than the rating override method. The advantage is that once this has been set up, this method requires very little in the way of administrative overhead to maintain.

When planning to use the alternative profile approach keep in mind the following: In Boolean terms, one of the following “AND” conditions has to be met before overriding the Web Filter is possible

 

Based on the IP address:

  • The Web Filter profile must be specified as allowing overrides
  • AND the user’s computer is one of the IP addresses specified
  • AND the time is within the expiration time frame.

While the conditions are fewer for this situation there is less control over who has the ability to bypass the filtering configured for the site. All someone has to do is get on a computers that is allowed to override the Web Filter and they have access.

 

Based on user group:

  • The Web Filter profile must be specified as allowing overrides
  • AND the policy the traffic is going through must be identity based
  • AND the user’s credentials matches the identity credentials specified
  • AND the time is within the expiration time frame.

This method is the one most likely to be used as it gives more control in that the user has to have the correct credential and more versatile because the user can use the feature from any computer that uses the correct policy to get out on the Internet.

 

Settings

When using an alternate profile approach to Web Filter overrides the following settings are used to determine authentication and outcome. Not every setting is used in both methods but enough of them are common to describe them collectively.

 

Apply to Group(s)

This is found in the Allow Blocked Overrides configuration. Individual users can not be selected. You can select one or more of the User Groups that are recognized my the FortiGate unit, whether they are local to the system or from a third part authentication device such as a AD server through FSSO.

 

Original Profile

This is found in the Administrative Override configuration. In the Allow Blocked Overrides setting the configuration is right inside the profile so there was no need to specify which profile was the original one, but the Administrative Override setup is done separately from the profiles themselves.

 

Assign to Profile or New Profile

Despite the difference in the name of the field, this is the same thing in both variations of the feature. You select from the drop down menu the alternate Web Filter Profile that you wish to set up for this override.

 

Scope or Scope Range

When setting up the override in the “Allow Blocked Overrides” variation you are given a drop down menu next to the field name Scope while in the Administrative Override configuration you are asked to select a radio button next to the same options. In both cases this is just a way of selecting which form of credentials will be required to approve the overriding of the existing Web Filter profile.

When the Web Filter Block Override message page appears it will display a field named “Scope:” and depending on the selection, it will show the type of credentials used to determine whether or not the override is allowed. The available options are:

 

  • User

This means that the authentication for permission to override will be based on whether or not the user is using a specific user account.

  • User Group

This means that the authentication for permission to override will be based on whether on not the user account supplied as a credential is a member of the specified User Group.

  • IP

This means that the authentication for permission to override will be based on the IP address of the computer that was used to authenticate. This would be used with computers that have multiple users. Example: If Paul logs on to the computer, engages the override using his credentials and then logs off, if the scope was based on the IP address of the computer, anybody logging in with any account on that computer would now be using the alternate override Web Filter profile.

When entering an IP address in the Administrative Override version, only individual IP addresses are allowed.

 

Differences between IP and Identity based scope

  • Using the IP scope does not require the use of an Identity based policy.
  • When using the Administrative Override variation and IP scope, you may not see a warning message when you change from using the original Web Filter profile to using the alternate profile. There is no requirement for credentials from the user so, if allowed, the page will just come up in the browser.
  • AsThis option is available only in the “Allowed Blocked Overrides” variation and when used configures the message page to ask which scope the user wished to use. Normally, when the page appears the scope options are greyed out an not editable, but by using the ask option the option is dark and the user can choose from the choice of:
  • User
  • User Group
  • IP Address
  • Duration Mode This option is available only in the “Allowed Blocked Overrides” variation. The Administrative Override sets a specified time frame that is always used for that override. The available options from the drop down menu are:
  • ConstanUsing this setting will mean that what ever is set as the duration will be the length of time that the override will be in effect. If the Duration variable is set to 15 minutes the length of the override will always be 15 minutes. The option will be visible in the Override message page but the setting will be greyed out.
  • AsUsing this setting will give the person the option of setting the duration to the override when it is engaged. The duration time which is greyed out if the Constant setting is used will be dark and editable. The user can set the duration in terms of Day, Hours and or Minutes.
  • DuratioDuration is on of the areas where the two variations takes a different approach, on two aspects of the setting. As already indicated the “Administrative Override” only uses a static time frame there is no option for the user to select on the fly how long it will last. The other way in which the two variation differ is that the “Allow Blocked Overrides” starts the clock when the user logs in with his credentials. For example, if the duration is 1 hour and John initiates an override at 2:00 p.m. on January 1, at the end of that hour he will revert back to using the original profile but he can go back and re-authenticate and and start the process over again. The Administrative override variation starts the clock from when the override was configured, which is why is shows an expiration date and time when your are configuring it.

This option, which is available when the Duration Mode is set to Constant is the time in minutes that the override will last when engaged by the user.

When setting up a constant duration in the Web Based Interface, minutes is the only option for units of time. To set a longer time frame or to use the units of hours or days you can use the CLI.

config webfilter profile

edit <name of webfilter profile>

config override

set ovrd-dur <###d##h##m>

end

 

When configuring the duration you don’t have to set a value for a unit you are not using. If you are not using days or hours you can use:

set ovrd-dur 30m

instead of:

set ovrd-dur 0d0h30m

However, each of the units of time variable has their own maximum level:

###d cannot be more than 364

##h cannot be more than 23

##m cannot be more than 59

So the maximum length that the override duration can be set to is 364 days, 23 hours, and 59 minutes(a minute shy of 1 year) .

 

Using cookies to authenticate users in a Web Filter override

Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.

 

CLI Syntax:

config webfilter cookie-ovrd set redir-host <name or IP> set redir-port <port>

end

config webfilter profile edit <name>

config override

set ovrd-cookie [allow | deny]

set ovrd-scope [user | user-group | ip | ask]

set profile-type [list | radius] set ovrd-dur-mode [constant | ask] set ovrd-dur <duration>

set ovrd-user-group <name>

set profile <name>

end end

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!