Blocking Facebook


In this example, you will learn how to configure a FortiGate to prevent access to a specific social networking website, including its subdomains, by means of a static URL filter.

When you allow access to a particular type of content, such as the FortiGuard Social Networking category, there may still be certain websites in that category that you wish to prohibit. By using SSL inspection, you ensure that this website is also blocked when it is accessed over HTTPS.

1. Verifying FortiGuard Services subscription

Go to System > Dashboard > Status. In the License Information widget, verify that you have an active subscription to FortiGuard Web Filtering. If you have a subscription, the service will have a green checkmark beside it.

2. Editing the Web Filter profile

Go to Security Profiles > Web Filter and edit the default Web Filter profile.

Set Inspection Mode to Proxy.

Enable the FortiGuard Categories that allow, block, monitor, warn or authenticate websites, depending on the type of content.
Under FortiGuard Categories, go to General Interest – Personal. Right-click on the Social Networking subcategory and ensure it is set to Allow.
To prohibit visiting one particular social networking site in that category, go to Static URL filter, select Enable URL Filter, and then click Create New.
For your new web filter, enter the URL of the website you are attempting to block. If you want to block all of the subdomains for that website, omit the protocol in the URL and enter an asterisk (*) before the domain name. For this example, enter: *facebook.com

Set Type to Wildcard, set Action to block, and set Status to Enable.
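
The wildcard entry from this step can be checked against a list of hostnames before it is deployed; the following is an added example, not part of the Fortinet recipe. It assumes the FortiGate treats `*` as any run of characters matched against the requested hostname, case-insensitively; `audit`, `in_scope`, `matches` and the sample hostnames are constructed for illustration.

```python
from fnmatch import fnmatchcase

TARGET = "facebook.com"  # domain the recipe intends to block

# Constructed sample hostnames (illustrative, not taken from real traffic).
SAMPLE_HOSTS = [
    "facebook.com",
    "www.facebook.com",
    "m.facebook.com",
    "WWW.Facebook.com",
    "notfacebook.com",           # unrelated domain sharing the suffix
    "facebook.com.example.net",  # target name used as a subdomain label
    "example.org",
]


def normalize(host):
    """Lower-case the hostname and drop a trailing root dot."""
    return host.lower().rstrip(".")


def in_scope(host, domain=TARGET):
    """True for the target domain itself and any of its subdomains."""
    host = normalize(host)
    return host == domain or host.endswith("." + domain)


def matches(pattern, host):
    """Assumed wildcard semantics: '*' matches any run of characters."""
    return fnmatchcase(normalize(host), pattern.lower())


def audit(patterns, hosts=SAMPLE_HOSTS, domain=TARGET):
    """Classify hosts as blocked, overblocked (out of scope) or missed."""
    report = {"blocked": [], "overblocked": [], "missed": []}
    for host in hosts:
        if any(matches(p, host) for p in patterns):
            report["blocked"].append(host)
            if not in_scope(host, domain):
                report["overblocked"].append(host)
        elif in_scope(host, domain):
            report["missed"].append(host)
    return report


if __name__ == "__main__":
    for entry in (["*facebook.com"], ["*.facebook.com"],
                  ["facebook.com", "*.facebook.com"]):
        print(entry, audit(entry))
```

Under the stated assumption, the recipe's `*facebook.com` entry also matches unrelated hostnames that merely end in the same string, while `facebook.com` together with `*.facebook.com` covers the same scope without them.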


3. Creating a security policy

Go to Policy & Objects > Policy > IPv4, and click Create New.

Set the Incoming Interface to allow packets from your internal network and set the Outgoing Interface to proceed to the Internet-facing interface (typically wan1).

Enable NAT.

Under Security Profiles, enable Web Filter and select the default web filter.
This automatically enables SSL/SSH Inspection. Select certificate-inspection from the dropdown menu. This profile allows the FortiGate to inspect and apply web filtering to HTTPS traffic.
After you have created your new policy, ensure that it is at the top of the policy list. To move your policy up or down, click and drag the far left column of the policy.

4. Results

Visit the following sites to verify that your web filter is blocking websites ending in facebook.com:

A FortiGuard Web Page Blocked! page should appear.

Visit https://www.facebook.com to verify that access over HTTPS is also blocked.

A Web Page Blocked! page should appear.

For further reading, check out Static URL Filter in the FortiOS 5.2 Handbook.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.

Learn more about FortiGuard Categories at the FortiGuard Center web filtering rating page: www.fortiguard.com/static/webfiltering.html
  • Stephen Sandifer

    You appear to be missing a step between 2.3 and 2.4. To see the screenshots you displayed you first have to place a check in the “Enable Web Site Filter” box. Then you’ll be able to add the URLs as suggested.

    We’re running v5.0 here, which might explain the differences.

    • Victoria Martin

      Hi Stephen,

      The Enable Web Site Filter option from FortiOS 5.2 was renamed Enable URL Filter in 5.4.

  • Nelinton Medeiros

    I’m trying to allow Facebook’s Workplace while keeping Facebook blocked (I’m using app control on FortiOS 5.2.4).
    Enabled Facebook_Workplace and Facebook_login, other Facebook apps blocked. No success…

    Am I doing it the right way? Is there a recipe for it?

    • Victoria Martin

      Hello Nelinton,

      We do not have a recipe for this configuration at the moment but I have added it to our list. For now, I would suggest contacting Fortinet Support for help with your configuration.

  • Chrisna Sri Haryono

    I have been following the step-by-step instructions but did NOT SUCCEED.

    • Victoria Martin

      Hello Chrisna,

      I tested the recipe today and was able to successfully block Facebook, although I did get a certificate error for HTTPS sites, suggesting that browser behaviour may have changed since the certificate-inspection profile was created (I tested using Firefox). If this is the problem you are having, please check out the recipe How to prevent certificate warnings (http://cookbook.fortinet.com/preventing-certificate-warnings/).

      If this isn’t the problem, I would suggest contacting Support.

  • Vinnie Schiappa

    I agree with what Matt says. I am not using deep-inspection

  • Matt

    This works, but then it gives certificate errors on every secure website you try and access

    • Victoria Martin

      Are you using the certificate-inspection SSL profile or deep-inspection?

      • shahnawaz

        Hi everyone, I blocked Facebook on all computers but it’s not blocking Facebook on Android phones and iPhones…. Please can you make a suggestion….

        • Victoria Martin

          Because mobile devices access Facebook through an application rather than a web browser, you will need to use application control to block Facebook on these devices. We don’t have a recipe specifically blocking Facebook but this one outlines how to use application control: http://cookbook.fortinet.com/blocking-p2p-traffic-youtube-applications/