FortiOS 6 – Web Filtering

Websense web filtering through WISP

WISP is a Websense protocol that allows for URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.

This feature lets customers with large, existing deployments of Websense security products replace their legacy firewalls with FortiGate units without being forced to change their web filtering infrastructure at the same time.

When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.

Configuring the WISP server

To use Websense’s web filtering service, first define and enable a WISP server in each VDOM.

config web-proxy wisp
    edit {name}
    # Configure Wireless Internet service provider (WISP) servers.
        set name {string}   Server name. size[35]
        set comment {string}   Comment. size[255]
        set outgoing-ip {ipv4 address any}   WISP outgoing IP address.
        set server-ip {ipv4 address any}   WISP server IP address.
        set server-port {integer}   WISP server port (1 – 65535, default = 15868). range[1-65535]
        set max-connections {integer}   Maximum number of web proxy WISP connections (4 – 4096, default = 64). range[4-4096]
        set timeout {integer}   Period of time before WISP requests time out (1 – 15 sec, default = 5). range[1-15]
    next
end

Example configuration

config web-proxy wisp
    edit 0
        set outgoing-ip 0.0.0.0
        set server-ip 0.0.0.0
        set server-port 15868
        set max-connections 64
        set timeout 5
    next
end

After configuring the WISP server, enable WISP in the web filter profile.

config webfilter profile
    edit "wisp_only"
        set wisp enable
        set wisp-servers 0
    next
end

Now you can apply the web filter profile to a firewall policy.

If you configure more than one WISP server, you can also configure the load-balancing algorithm.

config webfilter profile
    edit "wisp_only"
        set wisp-algorithm {primary-secondary | round-robin | auto-learning}
    next
end

The options for the wisp-algorithm are:

- primary-secondary: select the first healthy server in order
- round-robin: select the next healthy server
- auto-learning: select the healthy server with the lightest load
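An added example (not from the original post or from Fortinet): a Python check over a configuration backup that validates each WISP server against the ranges in the CLI reference above and confirms that every profile with WISP enabled only names servers that are defined. The sample backup, the server names ws1 and ws3, and the function names are constructed for illustration.

```python
import re

RANGES = {"server-port": (1, 65535, 15868), "max-connections": (4, 4096, 64),
          "timeout": (1, 15, 5)}  # (min, max, default), from the CLI reference

def parse_section(config, header):
    """Return {edit name: {option: [values]}} for one top-level config block."""
    entries, current, depth = {}, None, 0  # depth 0 = outside the block
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = int(line == "config " + header)
        elif line.startswith("config "):
            depth += 1  # nested table: its edit/set lines are ignored
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('" '), {})
        elif depth == 1 and current is not None and line.startswith("set "):
            key, *values = re.findall(r'"[^"]*"|\S+', line[4:])
            current[key] = [v.strip('"') for v in values]
    return entries

def audit_wisp(config):
    """Return findings for WISP servers and the profiles that reference them."""
    findings, servers = [], parse_section(config, "web-proxy wisp")
    for name, opts in servers.items():
        for key, (low, high, default) in RANGES.items():
            value = int(opts.get(key, [default])[0])
            if not low <= value <= high:
                findings.append(f"wisp {name}: {key} {value} outside {low}-{high}")
    for name, opts in parse_section(config, "webfilter profile").items():
        if opts.get("wisp") == ["enable"]:
            for ref in opts.get("wisp-servers", []):
                if ref not in servers:
                    findings.append(f"profile {name}: unknown WISP server {ref}")
    return findings

SAMPLE = """config web-proxy wisp
    edit "ws1"
        set timeout 30
    next
end
config webfilter profile
    edit "wisp_only"
        set wisp enable
        set wisp-servers "ws1" "ws3"
    next
end"""  # constructed sample backup, not from the page
if __name__ == "__main__":
    print("\n".join(audit_wisp(SAMPLE)))
```

Run it against a backup taken before and after a firewall migration to catch profiles that still point at a WISP server entry that was not carried over.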

 

3 thoughts on “FortiOS 6 – Web Filtering

    1. Mike Post author

      Back up the config and nitpick through it. Be sure the FortiGates are running the same version of code though!
