Advanced options
There are a few Advanced options to consider for a web filtering profile:
- Enable Provide details for blocked HTTP 4xx and 5xx errors. HTTP 400- and 500-series error pages are ordinary HTML, and a site can use them to deliver content that would otherwise be blocked, so an allowed error page is a way around the web filter. With this option the FortiGate replaces those error pages with its own replacement message. Most students will not know how to use this, but there is no harm in being cautious. It only takes one.
- Enable Rate Images by URL. This option only works with Google Images. It rates the URL the image is served from and then blocks or allows the image based on that rating; it does not inspect the image contents. Most image search engines prefetch the images and pass them directly to the browser, which means the URL being rated may be the search engine's rather than the site the image originally came from.
- Enable Block HTTP redirects by rating. An HTTP redirect is one way around ratings: the user visits a site with an allowed rating, and that site redirects the browser to another site that you may want blocked. With this option the redirect is blocked when its destination's rating is one you block.
Categories and Classifications
Which FortiGuard categories and classifications to block is purely a matter of the school system's Internet information policy.
Email Filtering
Other than specific teacher-led email accounts, there is no reason for a student to be able to access, read or send personal email. The POP3, SMTP and IMAP services, including their TLS variants (POP3S, IMAPS and SMTPS, which FortiOS defines as separate predefined services), should not be opened in security policies.
IPS
The intrusion protection profiles should be used to ensure that student PCs are not vulnerable to attacks, and that students are not launching attacks themselves. IPS also does more than detect simple vulnerability scans. With a FortiGuard subscription, IPS signatures are pushed to the FortiGate unit, and new signatures are released constantly as intrusions are discovered.
FortiOS includes a number of predefined IPS sensors. Selecting the all_default sensor is a good place to start, as it includes the major signatures.
To configure IPS sensors in the web-based manager, go to Security Profiles > Intrusion Protection; in the CLI, use the commands under config ips sensor.
Application control
Application control uses IPS signatures to limit the use of instant messaging and peer-to-peer applications, which can lead to infections on a student's PC. FortiOS includes a number of predefined application categories. To configure and maintain application control profiles in the web-based manager, go to Security Profiles > Application Control; in the CLI, use the commands under config application list.
Some application categories to consider blocking include proxies, botnets, toolbars and P2P applications.
Logging
Turn on all logging: every option in this section should be enabled. This is not where you decide what you are going to log; it simply defines what the UTM profiles are able to log. What is actually logged is decided in the security policy that applies the profiles.
Logging everything lets you monitor traffic on the network, see what students use the most, and locate potential holes in your security plan. Keeping this information may also help later if a question of negligence ever arises.
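The CLI equivalent of the settings described in the sections above (the three web filter advanced options, the mail protocols kept out of the student policy, the all_default IPS sensor, an application control list, and per-policy logging), pulled together into one student policy. This is an added example and not configuration from the original page or from Fortinet: it assumes FortiOS 5.0 CLI syntax, and the interface names internal and wan1, the address object student-lan, the profile name students, and the application category IDs are placeholders chosen for the example. Check the option keywords with `set options ?` and the category IDs with `set category ?` on the unit, since later releases moved or removed some of these options.

```text
# Added example, not from the original page. Assumes FortiOS 5.0 syntax;
# "internal", "wan1", "student-lan" and "students" are placeholder names.

config webfilter profile
    edit "students"
        config ftgd-wf
            # http-err-detail = Provide details for blocked HTTP 4xx and 5xx errors
            # rate-image-urls = Rate images by URL
            # redirect-block  = Block HTTP redirects by rating
            set options http-err-detail rate-image-urls redirect-block
            # Category filters (config filters) are added here according to
            # the school's Internet information policy.
        end
    next
end

config application list
    edit "students"
        config entries
            edit 1
                # Placeholder category IDs (2 = P2P, 6 = Proxy in 5.x releases);
                # confirm with "set category ?" before applying.
                set category 2 6
                set action block
                set log enable
            next
        end
    next
end

config firewall policy
    # Student web traffic: only HTTP, HTTPS and DNS, with every profile applied
    # and all traffic logged. Mail protocols are simply absent from the service
    # list, so the implicit deny policy drops them.
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "student-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set profile-protocol-options "default"
        set webfilter-profile "students"
        set ips-sensor "all_default"
        set application-list "students"
        set logtraffic all
        set comments "students - web only"
    next
    # Explicit deny for POP3, IMAP and SMTP (plain and TLS) so that attempts
    # are logged; the implicit deny would drop them silently.
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "student-lan"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "POP3" "POP3S" "IMAP" "IMAPS" "SMTP" "SMTPS"
        set logtraffic all
        set comments "students - log blocked mail attempts"
    next
end
```

Policy order matters: the deny policy must sit above any broader accept policy for the same source, and the explicit deny is only there for the log entries, so it can be omitted if the implicit deny's behaviour is enough.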