Blocking Facebook

In this example, you will learn how to configure a FortiGate to prevent access to a specific social networking website, including its subdomains, by means of a static URL filter.

When you allow access to a particular type of content, such as the FortiGuard Social Networking category, there may still be certain websites in that category that you wish to prohibit. By using SSL inspection, you ensure that the prohibited website is also blocked when it is accessed over HTTPS.

1. Verifying FortiGuard Services subscription

Go to System > Dashboard > Status. In the License Information widget, verify that you have an active subscription to FortiGuard Web Filtering. If you have a subscription, the service will have a green checkmark beside it.

2. Editing the Web Filter profile

Go to Security Profiles > Web Filter and edit the default Web Filter profile.

Set Inspection Mode to Proxy.

Enable the FortiGuard Categories that allow, block, monitor, warn or authenticate websites, depending on the type of content.
Under FortiGuard Categories, go to General Interest – Personal. Right-click on the Social Networking subcategory and ensure it is set to Allow.
To prohibit visiting one particular social networking site in that category, go to Static URL filter, select Enable URL Filter, and then click Create New.
For your new web filter, enter the URL of the website you are attempting to block. If you want to block all of the subdomains for that website, omit the protocol in the URL and enter an asterisk (*). For this example, enter: *facebook.com

Set Type to Wildcard, set Action to block, and set Status to Enable.
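Before saving a wildcard entry, it helps to list which hostnames it would and would not cover. The sketch below is an added example, not part of the original recipe or of FortiOS: it assumes the Wildcard type behaves like a shell-style glob matched case-insensitively against the whole hostname, and the function names and sample hostnames are constructed for illustration.

```python
# Added example: which hostnames a "*facebook.com" wildcard entry would cover.
# Assumption: Wildcard entries act like shell-style globs matched
# case-insensitively against the whole hostname (protocol omitted, as in
# the recipe). Confirm the real behaviour on your own FortiOS version.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def hostname_of(url):
    """Return the lowercased hostname of a URL given with or without a scheme."""
    if "://" not in url:
        url = "//" + url  # let urlsplit parse the input as host[/path]
    return (urlsplit(url).hostname or "").lower()


def wildcard_blocks(pattern, url):
    """True if the glob pattern matches the URL's hostname."""
    return fnmatchcase(hostname_of(url), pattern.lower())


def audit(pattern, urls):
    """Map each URL to whether the pattern would match it."""
    return {u: wildcard_blocks(pattern, u) for u in urls}


# Constructed sample inputs (not taken from the recipe).
SAMPLE_URLS = [
    "https://www.facebook.com/login",    # subdomain, HTTPS
    "facebook.com",                      # bare domain, no protocol
    "m.facebook.com",                    # another subdomain
    "HTTP://Static.Facebook.com/x.png",  # mixed case
    "notfacebook.com",                   # unrelated name with the same ending
    "facebook.com.example.org",          # the string appears, but not at the end
]

if __name__ == "__main__":
    # Compare the recipe's pattern with a stricter dot-prefixed variant.
    for pattern in ("*facebook.com", "*.facebook.com"):
        print(pattern)
        for url, blocked in audit(pattern, SAMPLE_URLS).items():
            print(f"  {'BLOCK' if blocked else 'pass '}  {url}")
```

Under this assumption, `*facebook.com` covers the bare domain and every subdomain, but also any unrelated hostname that happens to end in the same string, while `*.facebook.com` avoids that over-match at the cost of missing the bare domain.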

 

3. Creating a security policy

Go to Policy & Objects > Policy > IPv4, and click Create New.

Set the Incoming Interface to allow packets from your internal network and set the Outgoing Interface to proceed to the Internet-facing interface (typically wan1).

Enable NAT.

Under Security Profiles, enable Web Filter and select the default web filter.
This automatically enables SSL/SSH Inspection. Select certificate-inspection from the dropdown menu. This profile allows the FortiGate to inspect and apply web filtering to HTTPS traffic.
After you have created your new policy, ensure that it is at the top of the policy list. To move your policy up or down, click and drag the far left column of the policy.

4. Results

Visit the following sites to verify that your web filter is blocking websites ending in facebook.com:

A FortiGuard Web Page Blocked! page should appear.

Visit https://www.facebook.com to verify that HTTPS protocol is blocked.

A Web Page Blocked! page should appear.

For further reading, check out Static URL Filter in the FortiOS 5.2 Handbook.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Learn more about FortiGuard Categories at the FortiGuard Center web filtering rating page: www.fortiguard.com/static/webfiltering.html

  • Matt

    This works, but then it gives certificate errors on every secure website you try and access.

    • Victoria Martin

      Are you using the certificate-inspection SSL profile or deep-inspection?

  • Vinnie Schiappa

    I agree with what Matt says. I am not using deep-inspection.

  • Chrisna Sri Haryono

    I followed the recipe step by step but did NOT SUCCEED.

    • Victoria Martin

      Hello Chrisna,

      I tested the recipe today and was able to successfully block Facebook, although I did get a certificate error for HTTPS sites, suggesting that browser behaviour may have changed since the certificate-inspection profile was created (I tested using Firefox). If this is the problem you are having, please check out the recipe How to prevent certificate warnings (http://cookbook.fortinet.com/preventing-certificate-warnings/).

      If this isn’t the problem, I would suggest contacting Support.