Overriding a web filter profile

In this example, one user is temporarily allowed to override a web filter profile to be able to access sites that would otherwise be blocked.

Web filtering blocks the Bandwidth Consuming category for all users except those who can override the filter.


1. Enabling web filtering and multiple profiles

Go to System > Config > Features and make sure that Web Filter is turned ON.

 

Select Show More and enable Multiple Security Profiles.

Apply the changes.

 

2. Creating a user group and two users

Go to User & Device > User > User Groups. Create a new group for users who can override web filtering (in the example, web-filter-override).

Go to User & Device > User > User Definition and create two users (in the example, ckent and bwayne).

Assign ckent to the web-filter-override group, but not bwayne.

3. Creating a web filter profile and override

Go to Security Profiles > Web Filter and create a new profile (in the example, block-bandwidth-consuming).

Enable FortiGuard Categories, then right-click Bandwidth Consuming and select Block.

 

Go to Security Profiles > Advanced > Web Profile Overrides and create a new override.

Set Scope Range to User Group, User Group to the web-filter-override group, Original Profile to the block-bandwidth-consuming profile, and New Profile to the default profile.

Set an appropriate Expires time to control how long the override can be used (in the example, 100 hours after the override is created).

 

4. Adding the new web filter profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Set Source User(s) to allow both the web-filter-override group and user bwayne.

Under Security Profiles, turn on Web Filter and use the new profile.

 

5. Results

Browse to blip.tv, a website that is part of the Bandwidth Consuming category.

Authenticate using the bwayne account. The website is blocked.

 

Go to User & Device > Monitor > Firewall and De-authenticate bwayne.

Browse to blip.tv again, this time authenticating using the ckent account. You can access the website until the override expires.
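The results above can be reasoned about with a small model of the override decision. This is an added example, not FortiOS code or part of the original recipe: the data layout, the function names and the assumption that the default profile leaves Bandwidth Consuming unblocked are all illustrative, and the model ignores the authentication step itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the recipe's objects. Names match the recipe; the
# layout is an assumption and is not FortiOS's own configuration format.
BLOCKED = {
    "block-bandwidth-consuming": {"Bandwidth Consuming"},
    "default": set(),  # assumption: default does not block this category
}
GROUPS = {"web-filter-override": {"ckent"}}  # bwayne is in no override group


@dataclass
class Override:
    user_group: str
    original_profile: str
    new_profile: str
    expires: datetime


def effective_profile(user, policy_profile, overrides, now):
    """Return the profile applied to `user` at time `now`."""
    for ov in overrides:
        if (ov.original_profile == policy_profile
                and user in GROUPS.get(ov.user_group, set())
                and now < ov.expires):  # an expired override no longer applies
            return ov.new_profile
    return policy_profile


def is_blocked(user, category, policy_profile, overrides, now):
    """True if `category` is blocked for `user` under the effective profile."""
    profile = effective_profile(user, policy_profile, overrides, now)
    return category in BLOCKED[profile]


def stale_overrides(overrides, now, max_age=timedelta(hours=100)):
    """Audit helper: overrides that have expired, or that remain valid for
    longer than `max_age` from `now` and so deserve a second look."""
    return [ov for ov in overrides
            if ov.expires <= now or ov.expires - now > max_age]
```

Running `stale_overrides` over an exported list of overrides on a schedule is one way to spot entries that should have been cleaned up or that were created with an overly generous Expires time.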

For further reading, check out Web Filter in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Leave a comment:


  • Stoick

    Is there a way to add a bunch of domains using some type of script in the cli of the FortiGate or FortiManager?

  • James Brooks

    Forti 5.4.0 does not show Source IP as an option rather than User or User Group. Do you know how to specify a web filter policy in 5.4 by Source IP address?

    • Victoria Martin

      Hello James,

      In 5.4, when you select Source, a menu appears on the right of the GUI. The first option in this menu is Address, at which point you can select the appropriate Source IP from your existing Firewall Addresses.

      • James Brooks

        Maybe it is not available on all devices? I have FortiWiFi 60D and with 5.4 reset to factory defaults. In the Web Filter menu there is no “Source IP”. All I get is “Groups that can override”. Even if I click the “IP” under “Switch applies to” there is no place to put the IP. It will not save unless you give it a User Group.

        • James Brooks

          Well I feel silly. I’m not sure what “IP” is on this screen but if I go to the “Web Profile Overrides” menu then I can put the source IP on that screen. Sorry about that.

          • Victoria Martin

            Hi James,

            No worries! 5.4 added a lot of new features and, of course, a whole new look and feel for the GUI, that can take a bit of getting used to. We’ll hopefully have this recipe updated to 5.4 soon, which might make it a bit easier for future people to use.

  • M Lee

    I followed the steps above, but when I try to access a site through override, I get this message: “If you have been granted override creation privileges by your administrator, you can enter your username and password here to gain immediate access to the blocked web-page. If you do not have these privileges, please contact your administrator to gain access to the web-page.”

    • Victoria Martin

      Hello,

      Would you be able to post a screenshot of your web filter profile and the firewall policy here? Or email them to techdocs@fortinet.com? That way we can take a look at your setup and hopefully see where the problem is.

  • Stephen McGuire

    Can I just add the new user group to an existing web filter IPv4 rule in source? FG800C with 5.4.0GA

    Seems like the tutorial is assuming a new web filtering setup, I have this already in place and want to just add the feature for a select few LDAP users.

    -Stephen

    • Victoria Martin

      Hi Stephen,

      Yes, you can do this.