Using cookies to authenticate users in a Web Filter override
Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.
CLI syntax:
config webfilter cookie-ovrd
    set redir-host <name or IP>
    set redir-port <port>
end
config webfilter profile
    edit <name>
        config override
            set ovrd-cookie [allow | deny]
            set ovrd-scope [user | user-group | ip | ask]
            set profile-type [list | radius]
            set ovrd-dur-mode [constant | ask]
            set ovrd-dur <duration>
            set ovrd-user-group <name>
            set profile <name>
        end
    end
end
External dynamic block lists
This feature lets the FortiGate dynamically import an external block list: a text file, hosted on an HTTP server, that contains a list of either addresses or domains. You can use this block list to deny access to a source or destination IP address in Web Filter and DNS Filter profiles, SSL inspection exemptions, and as a Source/Destination in proxy policies. The block list is stored as an external resource and is re-imported to the FortiGate at a configured interval (the refresh rate), so the list stays up to date.
In each profile, the administrator can configure multiple external block lists.
The external dynamic URL block lists can be configured under System > External Resources.
The External Resources edit page provides the following fields:
- Type
  - FortiGuard Category – The resource Name will appear as a “Remote Category” in Web Filter profiles and SSL inspection exemptions.
  - Firewall IP Address – The resource Name will appear as an “External Domain Block List” in DNS Filter profiles and as a “Source/Destination” in proxy policies.
  - Domain Name – The resource Name will appear as an “External Domain Block List” in DNS Filter profiles.
- URI of external resource – The link to an external resource file. The file should be a plain text file with one domain per line; simple wildcards are supported.
- Refresh Rate – The time interval to refresh the external resource (1 – 43200 minutes).
- The size of the file can be 10 MB, or 128,000 lines of text, whichever is most restrictive.
The domain resource is a text file that contains one domain name per line and supports simple wildcards. For example:
mail.*.or.th
*-special.de.vu
http://www.*de.vu
610-pawn.com
aaliyah-hq-gallery.de.vu
abcgolocal.com
The address resource is a text file which contains an IP/IP range for each line (note that only IPv4 is supported in DNS profiles, so IPv6 addresses will be ignored). For example:
1.1.1.1
10.0.0.70
2.1.1.1
100.0.0.1-100.0.0.100
10.0.0.99-10.0.0.201
1.2.2.2/24
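A pre-publication check for an address list in the format described above, as an added example that is not part of the original page or Fortinet's tooling. The function names, the treatment of reversed or mixed-family ranges as errors, and the reading of "10 MB" as binary megabytes are assumptions.

```python
import ipaddress

MAX_BYTES = 10 * 1024 * 1024  # "10 MB" from the page; binary megabytes assumed
MAX_LINES = 128_000           # line limit from the page

def classify(entry):
    """Return 'ok', 'ipv6' or 'invalid' for one address-list line."""
    try:
        if "-" in entry:  # range: <start>-<end>
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            # Assumption: mixed-family or reversed ranges are treated as errors.
            if lo.version != hi.version or lo > hi:
                return "invalid"
            version = lo.version
        elif "/" in entry:  # strict=False accepts host bits set, as in 1.2.2.2/24
            version = ipaddress.ip_network(entry, strict=False).version
        else:
            version = ipaddress.ip_address(entry).version
    except ValueError:
        return "invalid"
    # IPv6 is syntactically valid but ignored in DNS profiles, so report it separately.
    return "ok" if version == 4 else "ipv6"

def lint_addresses(text):
    """Lint an address block list body before publishing it to the HTTP server."""
    rows = text.splitlines()
    report = {"ok": 0, "ipv6": [], "invalid": [],
              "too_big": len(text.encode("utf-8")) > MAX_BYTES or len(rows) > MAX_LINES}
    for lineno, raw in enumerate(rows, 1):
        entry = raw.strip()
        if not entry:
            continue
        kind = classify(entry)
        if kind == "ok":
            report["ok"] += 1
        else:
            report[kind].append((lineno, entry))
    return report

# First six lines are the page's example; the last three are constructed.
SAMPLE = """\
1.1.1.1
10.0.0.70
2.1.1.1
100.0.0.1-100.0.0.100
10.0.0.99-10.0.0.201
1.2.2.2/24
2001:db8::1
10.0.0.300
10.0.0.9-10.0.0.1
"""

if __name__ == "__main__":
    print(lint_addresses(SAMPLE))
```

Running the check in the job that publishes the list catches malformed lines and IPv6 entries that a DNS profile would silently ignore, before the next refresh pulls the file.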
Syntax
config system external-resource
    edit <name>
        set type {category | address | domain}
        set category <value>
        set comments [comments]
        set resource <resource-url>
        set refresh-rate <minutes>
        set last-update <datetime>
    next
end
You can also configure one or more external domain block lists under config dnsfilter profile. See “DNS filter” on page 120 for more information.
config system global
set gui-webfilter-advanced enable doesn't exist on a FG-501E running 6.0.3?
Any easy way to export web filtering from one Gate and import it to another?
Back up the config and nitpick through it. Be sure the FortiGates are running the same version of code though!