
Allowing specific users to bypass FortiGate web filtering
Well, I think I already said that I'm going to try to bring you curious posts that can contribute something to the organization. Today's topic is one that comes up from time to time. We take it for granted that browsing is controlled by our FortiGate, with rules granting different levels of access... Well, today we will see how to let certain users browse, under their own responsibility, into areas we have flagged to them as dangerous.
Let me explain myself... Assume your organization has a FortiGate firewall and that you use web filtering to decide which websites can be reached. Is that too much to assume? Assuming so, your users browse safely to websites you control thanks to the UTM Web Filter, as we all know. But many people don't know that exceptions can be enabled: for example, if we have a category like 'Social Networking' (Twitter, Facebook...), we can set that category (or others) to require authentication before entering. This way the user is made aware that they are entering a website that is perhaps not for corporate use; they are asked for their credentials, and after authenticating (if they have permission) they can access the website.
If you have a FortiGate and you don't use web filtering, there is no excuse 😉, since it is one of the most basic and easiest controls to have in place in your organization. You need to know where your users and your servers are browsing, you should deny certain categories, and what can I say about SSL inspection and being able to examine the content of that browsing, stop malware, and so on...
Jokes aside: in your web filtering profile, under the FortiGuard category based filter (all browsing categories as categorized by Fortinet), access to websites is usually either allowed or blocked, or simply monitored for log collection. A very interesting option is 'Authenticate': if we select the categories we are interested in and set that action on them, then when a site in that category is accessed the user will be asked to authenticate before proceeding.
After setting the category's action to 'Authenticate', it will ask us for the users who will have access: a group of local firewall users, or the Active Directory group containing the users who may enter, as well as the session duration. For testing, set 1 minute; in production you can set a longer time. "OK".
Here we see, for example, that the 'Web-based Email' category will ask for authentication from users to whom this web filter profile applies, so if a user wants to log into Gmail, Office 365, Hotmail or whatever they are called these days, they won't be able to get in unless their account has permission. Let's see it.
We check that the Internet egress rule has the Web Filter security profile we just edited applied to it, and remember that the rule needs SSL inspection: with a certificate-only inspection profile the FortiGate can still see the category of an HTTPS site, but it cannot present the authentication page inside that connection, so deep inspection is what makes this work on HTTPS. Everything looks fine around here.
Something very important: the rule(s) to which we apply this web filtering profile must have proxy mode enabled (the authenticate action is not available in flow-based inspection). If you look at the image above (the Internet egress rule), 'Inspection Mode' is set to 'proxy-based'. Since FortiOS 6.2 the inspection mode is set per policy; if this option does not appear in the GUI, enable it with the following command, indicating the ID of the rule where you want to enable proxy mode, press F5 and the option will appear in the firewall rule:
config firewall policy
    edit XXX
        set inspection-mode proxy
    next
end
If we've done everything right, the user browses normally across almost the whole internet, but when they access a site categorized (in this case) as 'Web-based Email', that is, when logging into Hotmail, Office 365 or whatever it's called, they won't be able to reach the website directly. Of course, what we have just given them is the possibility to click "Proceed" to continue...
And there you go!!! It asks for credentials, and if the user is in the group we defined earlier, they will be able to access the website, which in this case is a webmail service called Ofis 365 🙂
And that's it, we're done! But I wanted to tell you about another closely related option you may also be interested in: in the Web Filter profile we can check 'Allow users to override blocked categories'. As its name says, this allows (if we want) certain users in a group we specify to access websites categorized as Blocked. This way it is not a hard prohibition they cannot get past; instead it warns them about what they are about to do and the place they are about to enter, and if they enter their credentials they access at their own risk.
In this example I have set the 'Web-based Email' category to Blocked, so Outlook on the web cannot be accessed again. But with the checkbox we just discussed enabled, the block page now shows an "Override" option that lets the user access the website after validating.
So the user enters their credentials and can choose the browsing profile we have made available to them, understanding that it is more lax. And as I said, if they have permission because they belong to the group we specified, they will finally be able to access the website to check their email or whatever they want.
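To put both procedures (the 'Authenticate' action on a category, and 'Allow users to override blocked categories') into CLI form, here is an added configuration example. It is not from the original post, which does everything through the GUI. It assumes FortiOS 6.2 or later, a user group named "webmail-allowed" (local or LDAP/FSSO mapped), a web filter profile named "web-auth", a more permissive override profile named "web-lax" that already exists, firewall policy ID 10 and the built-in "deep-inspection" SSL profile. Category ID 23 for 'Web-based Email' is also an assumption: check it against the FortiGuard category list shown in your own GUI before copying, and adjust attribute names if your firmware differs.

```text
config webfilter profile
    edit "web-auth"
        set comment "Added example: group, profile and category IDs are assumptions"
        config ftgd-wf
            config filters
                edit 1
                    set category 23
                    set action authenticate
                    set warn-duration 1m
                    set auth-usr-grp "webmail-allowed"
                next
            end
        end
        config override
            set ovrd-perm fortiguard-wf-override
            set ovrd-scope user-group
            set ovrd-user-group "webmail-allowed"
            set ovrd-dur 15m
            set profile "web-lax"
        end
    next
end

config firewall policy
    edit 10
        set comments "Added example: proxy mode plus deep inspection for the authenticate action"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "web-auth"
    next
end
```

The first block is the GUI walkthrough from above: category 23 gets the authenticate action, the 1 minute duration used for testing, and the group that may pass; the override section is the 'Allow users to override blocked categories' checkbox, scoped to the same group, lasting 15 minutes and switching the user to the "web-lax" profile. The second block ties it to the egress policy: proxy-based inspection (flow mode has no authenticate action), UTM enabled, deep SSL inspection so the authentication and override pages can be served on HTTPS sites, and the profile attached. Note that "web-lax" is whatever the user is allowed to switch to, so review that profile as carefully as the strict one.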
Well, what... that's it... that's it... that's all, friends! 😉 I simply encourage you to use all the technology at your disposal to have a better life: if you have a FortiGate, squeeze everything out of it; if you have an air fryer, throw it out of the window... and so on with everything 🙂 A hug, see you another day, OK? Best regards!