The Security Profile – Web Filter
FortiOS has a neat section for all the Security Profiles; this GUI is straightforward and intuitive. So let’s see what we have by default.
Looking to catch up up the FortiGate Series? – Make sure you check the Main Page for it –> FortiGate – Configuration Series.
From the screenshot, we can clearly see what these profiles are being used for. This time, I will make sure to copy the Default one instead of creating a new Profile. You can do this by right-clicking on the default profile, then select Clone. This will open a new section to adjust the name or accept the default Fortinet created for you, which reads: “Clone of Default.”
After changing the name, you want to ensure a new comment is created describing your profile.
Next, you will select the Feature Set, Flow-Based or Proxy-Based
This time I will be using Proxy-Based as the Feature Set. Although my requirements only talk about blocking all access to social media, know that there are a lot of features that you can use with a Web Filter Profile.
** This is right out of the Profile Configuration *** The items marked with a RED P, are only available if you are using Proxy-Based Mode.
Under the FortiGuard Category Section, let’s find all Social Media.
This may be all we have to do for now; after you look at other settings, please save this Profile. But our work is not complete yet, as we need to assign this profile to a Firewall Policy.
Before that, I will make sure I can log in to social media from my Windows Machine to make sure we are all good!
So far, I think I’m in a good place, as I still have access to Social Media.
Applying Security Profile
As mentioned before, this profile needs to be applied to our Firewall Policy. We need to locate the policy that matches our traffic and apply the Web Filter profile. Our lab is super simple; we only have 1 Firewall policy. If you look at the Column called Security Profile, we are not running any inspection. And we have no other Security Profiles assigned to it.
Open your Firewall Policy, go down to the Security Profiles Section. Select the Web Filter Policy and choose the Web Filter you created.
Note that when this Web Filter is selected, there will be a warning next to SSL Inspection. It basically says that this profile should not be selected with any other UTM Security Profiles/Features, as our config may not apply.
So I will select the less disruptive option, which is the certificate-inspection. This one is a read-only SSL Handshake profile.
Once we have all that configured, we are ready to test and troubleshoot!
So the policy is applied and “working,” however, when I go to the main Instagram page, it still allows me to see it – But I have not tried login yet. Let’s see if we get blocked, then.
Trying Login into Twitter – I get the following error – which is telling me that Fortinet is in the way and blocking me based on my actions.
Let’s see if something different in the Web Filter Report looks like it worked.
Although it worked, the page presented to me seems a bit creepy, and an end-user may feel the same; let’s see if there is a better way to block this access more politely.
Troubleshooting Response Page
After looking at a few things, I noticed that I had 2 things I needed to correct. The one Firewall Policy I had, was configured initially as Flow-Based, so I got a warning.
I modified my Policy to Proxy-Based, now the alert was gone! But I was still getting the same message. It was getting blocked, but there was no way to see a real good error that indicated that my company policy was blocking me. Looking closely, it’s a certificate Error. FortiGate is inspecting and changing the certificates of the Blocked pages + wanted to show me a blocked page that is only available as HTTPS
Adding the Fortinet CA Certificate to Windows 10
I need to add the CA Certificate of this FortiGate to the computer to see the Block messages. So I decided to download it. Here is where you go to download it
I needed to make sure it was in my trusted certificate store; here are some steps to do this.
Right-click the file and select Install
I decided to install it under the Local Machine Store – This is so other users that log into the computer can also see it.
Once you do that, you may want to select the Store you want to place it in; I did that as follows. Make sure it is under the Trusted Root CAs.
We are ready to test again!
NOTE: Before we go anywhere, the process is painful if you are dealing with multiple computers and applying these policies. Keep in mind that if you are dealing with Windows computers that are part of a Windows Domain, there are options. GPO is one of them, and it’s super simple to do. I decided to include a quick walkthrough from Microsoft itself –> Distribute Certificate to Client Computers by Using Group Policy.
This time we are successful!!
CHanging the message to something you choose it si easy – Fortinet added pre-configured Web Pages that you could find here:
If you know HTML, you can change this page and adjust the messages. I made a quick adjustment to the message – let’s see if it works.
What is next?
This quick Series of configuring a FortiGate was super fun to do! I will continue playing with the features and will add more posts.
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
Started working professionally in 2003, Andres is specialized in Unified Communications and Collaboration technologies | Enterprise Networks and Network Security. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations, including Cisco technologies, such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.