Overriding a web filter profile

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, one user is temporarily allowed to override a web filter profile in order to access sites that would otherwise be blocked. Web filtering blocks the Bandwidth Consuming category for all users, except those who can override the filter.

This recipe only works for FortiGates operating in proxy-based inspection mode.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling web filtering and multiple profiles

Go to System > Feature Select to enable Web Filter and Multiple Security Profiles.

Apply changes if necessary.

2. Creating a user group and two users

Go to User & Device > User Groups. Create a new group for users who can override web filtering (in this example, web-filter-override).  
Go to User & Device > User Definition to create two users (in this example, ckent and bwayne).

 

 

 
Assign ckent to the web-filter-override group, but not bwayne.

3. Creating a web filter profile and an override

Go to Security Profiles > Web Filter to create a new profile (block-bandwidth-consuming).

Enable FortiGuard category based filter, then right-click Bandwidth Consuming and select Block.

Enable Allow users to override blocked categories.

Set Groups that can override to web-filter-overrideProfile can switch to defaultSwitch applies to User Group, and Switch Duration to Ask.

4. Adding the new web filter profile to a security policy

Go to Policy & Objects > IPv4 Policy to edit the policy that allows connections from the internal network to the Internet.

Set Source all, bwayne, and web-filter-override.

Under Security Profiles, enable Web Filter and select the block-bandwidth-consuming profile.

5. Results

Browse to youtube.com, a website that is part of the Bandwidth Consuming category.

Authenticate using the bwayne account. The website is blocked.

Go to Monitor > Firewall User Monitor and De-authenticate bwayne.

Browse to youtube.com again, this time authenticating the ckent account. You can access the website until the override expires.

For further reading, check out the Web Filter chapter in the FortiOS 5.4 Handbook.

Fortinet Technical Documentation

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

  • Was this helpful?
  • Yes   No