Overriding a web filter profile

In this recipe, one user is temporarily allowed to override a web filter profile in order to access sites that would otherwise be blocked. Web filtering blocks the Bandwidth Consuming category for all users, except those who can override the filter.

This recipe only works for FortiGates operating in proxy-based inspection mode.

1. Enabling web filtering and multiple profiles

Go to System > Feature Select to enable Web Filter and Multiple Security Profiles.

Apply changes if necessary.

2. Creating a user group and two users

Go to User & Device > User Groups. Create a new group for users who can override web filtering (in this example, web-filter-override).

Go to User & Device > User Definition to create two users (in this example, ckent and bwayne).

Assign ckent to the web-filter-override group, but not bwayne.

3. Creating a web filter profile and an override

Go to Security Profiles > Web Filter to create a new profile (block-bandwidth-consuming).

Enable FortiGuard category based filter, then right-click Bandwidth Consuming and select Block.

Enable Allow users to override blocked categories.

Set Groups that can override to web-filter-override, Profile can switch to default, Switch applies to User Group, and Switch Duration to Ask.

4. Adding the new web filter profile to a security policy

Go to Policy & Objects > IPv4 Policy to edit the policy that allows connections from the internal network to the Internet.

Set Source to all, bwayne, and web-filter-override.

Under Security Profiles, enable Web Filter and select the block-bandwidth-consuming profile.

5. Results

Browse to youtube.com, a website that is part of the Bandwidth Consuming category.

Authenticate using the bwayne account. The website is blocked.

Go to Monitor > Firewall User Monitor and De-authenticate bwayne.

Browse to youtube.com again, this time authenticating using the ckent account. You can access the website until the override expires.
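To audit who can bypass the filter after following these steps, the added example below (not part of the original recipe and not Fortinet code) parses a FortiGate configuration backup and reports, for each web filter profile that has an override block, the groups and local users allowed to override and the profile they switch to. The sample configuration is constructed to match this recipe and assumes the FortiOS CLI layout `config webfilter profile` > `config override` with the `ovrd-user-group`, `profile`, `ovrd-scope` and `ovrd-dur-mode` settings.

```python
import shlex

# Constructed sample of the blocks this recipe creates; keyword names assume FortiOS CLI syntax.
SAMPLE_CONFIG = """
config user group
    edit "web-filter-override"
        set member "ckent"
    next
end
config webfilter profile
    edit "block-bandwidth-consuming"
        config override
            set ovrd-user-group "web-filter-override"
            set profile "default"
            set ovrd-scope user-group
            set ovrd-dur-mode ask
        end
    next
end
"""

def parse_settings(config_text):
    """Yield (path, key, values) for each 'set' line; path names the enclosing blocks."""
    stack = []
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote, e.g. one line of a multi-line value
            tokens = raw.split()
        head = tokens[0] if tokens else ""
        if head in ("config", "edit"):
            stack.append(" ".join(tokens[1:]))
        elif head in ("next", "end") and stack:
            stack.pop()
        elif head == "set" and len(tokens) >= 3:
            yield tuple(stack), tokens[1], tokens[2:]

def override_report(config_text):
    """Map each web filter profile with an override block to its settings and users."""
    members, report = {}, {}
    for path, key, values in parse_settings(config_text):
        if len(path) == 2 and path[0] == "user group" and key == "member":
            members[path[1]] = values
        elif len(path) == 3 and path[0] == "webfilter profile" and path[2] == "override":
            report.setdefault(path[1], {})[key] = values
    for settings in report.values():
        groups = settings.get("ovrd-user-group", [])
        settings["users"] = sorted({u for g in groups for u in members.get(g, [])})
    return report
```

`override_report(SAMPLE_CONFIG)` lists ckent, and not bwayne, under block-bandwidth-consuming. Only members stored in the backup's user group entries are resolved, so members of remote authentication groups do not appear in `users`.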

For further reading, check out the Web Filter chapter in the FortiOS 5.4 Handbook.

Cindy Chung

Technical Writer at Fortinet

  • Tebogo Sikwane

    Good day.
    I tried following the instruction above but could not get the “Allow users to override blocked categories”. I want to override the web-filter for a specific group of users.
    I am using FortiGate 80E version 5.4.4.

    Regards,
    Tebogo

    • Judith Haney

      Hello Tebogo,
      Are you operating in flow-based inspection? If so, that is the reason you are not seeing the option to “Allow users to override blocked categories” in the GUI. This option only appears in the GUI when the FGT is set to proxy-based inspection. The recipe will be corrected thanks to your message.

      If you have configured your user group, you can still override the web filter profile by using the CLI. See page 826 of the FortiOS CLI Reference for 5.4 https://docs.fortinet.com/uploaded/files/3679/fortigate-cli-ref-54.pdf
      br, Judith

      • Tebogo Sikwane

        Good day Judith.

        Thank you for your response.
        Yes, I am operating on flow-based inspection.
        Please excuse my ignorance as I am still new to FortiGate. I have checked the attached document but could not find page 826. The document ends on page 459.
        Could you please guide me on how to “Allow users to override blocked categories” with my current configuration.
        Is proxy-based inspection better or preferable?
        Your help is highly appreciated.
        Regards,
        Tebogo.

  • Abdulaziz Alatar

    Hello Judith,
    1- I want to ask you if I need a FortiGuard subscription for a webfilter override profile with an authentication group.
    2- How can I use Switch applies to IP in this case?
    Thank you

    • Judith Haney

      Hello Abdulaziz, Thank you for the message. You do need an active FortiGuard subscription to use the webfilter profile as demonstrated in this recipe. Regarding your second question, can you provide more detail?
      regards,

      • Abdulaziz Alatar

        Thank you very much, and I’m sorry for the delay in replying.
        In this recipe you enable webfilter override with a user group. How can I enable webfilter override with IP?
        Only put the IP in the policy?