Blocking Facebook with Web Filtering

Visual Representation of Blocking Facebook Recipe

This recipe explains how to use a static URL filter to block access to Facebook and its subdomains.

By using SSL inspection, you ensure that Facebook and its subdomains are also blocked when accessed through HTTPS.

 

Watch the video

 

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling Web Filtering

Go to System > Feature Select to enable the Web Filter feature.

Enable Web filter feature

2. Editing the default Web Filter profile

Go to Security Profiles > Web Filter and edit the default Web Filter profile.

To block Facebook, go to Static URL filter, select URL Filter, and then click Create.

Static URL Filter Enabled

Set URL to *facebook.com. Set Type to Wildcard, set Action to Block, and set Status to Enable.

Facebook Wildcard Filter

3. Creating the Web filtering security policy

Go to Policy & Objects > IPv4 Policy, and click Create New. Give the policy a name that identifies its use.

Set Incoming Interface to the internal network and set Outgoing Interface to the Internet-facing interface.

Enable NAT.

Set Interface IPv4 Policy
Under Security Profiles, enable Web Filter and select the default web filter profile. Enable Web Filter
Enable SSL/SSH Inspection and select certificate-inspection from the dropdown menu. This allows the FortiGate to inspect and apply web filtering to HTTPS traffic. Enable SSL/SSH Inspection

The new policy has to be first on the list in order to be applied to Internet traffic. Confirm this by viewing policies By Sequence.

To move a policy up or down, click and drag the far-left column of the policy.

Move IPv4 policy to top of list

4. Results

Visit facebook.com

HTTPS is automatically applied to facebook.com, even if it is not entered in the address bar. A FortiGuard Web Page Blocked! message appears.

Results for blocking https:facebook.com

Visit a subdomain of Facebook, for example, attachments.facebook.com.

A FortiGuard Web Page Blocked! message appears, blocking the subdomain.

Results for blocking subdomain of Facebook

For further reading, check out Static URL Filter in the FortiOS 5.4 Handbook.

Judith Haney

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Judith Haney

Latest posts by Judith Haney (see all)

Share this recipe:

Facebooktwittergoogle_pluslinkedin

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.

  • Victoria Martin

    Hi Anthony,

    Certificate inspection is not meant to be generating an SSL error, since when it is used, the FortiGate only inspects the header information of the packets. I would suggest making sure that traffic is going through the correct policy. If it is, then you may want to contact Fortinet Support. For information about working with support, that you can find at http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

  • Judith Haney

    Hello Lasse,
    We suspect that your issue has to do with how Chrome handles certificates. I would suggest making sure that traffic is going through the correct policy. If it isgoing through the correct policy, see if this recipe works with another browser. If it works with another browser, you will have to get a certificate for Chrome. For that, you may want to contact Fortinet Support. You can find nformation about working with support at http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

  • Kamlesh Galande

    Hi

    Is it possible to block only Video ,Chat and any post in FB .

    I am using FortiGate 200D where ,we need to allow to access FB but deny Video ,Chat and any post in FB .

  • joko Purnomo

    HI,

    is it posible to block Per Group Users ? im using FG 100 d

    Thanks

    • Victoria Martin

      Hi joko,

      Yes, this is possible. You will need to create more than one firewall policy in order to apply different web filters to different groups: for example, group A has a policy that uses web filtering to block Facebook, while the firewall policy for group B allows Facebook access.