This recipe demonstrates how to set up a web filter security profile with a quota that dynamically limits the amount of time users on an internal network can access websites categorized as “General Interest.”
You can also apply quotas to specific users on your network by creating granular policies that assign different quotas to different user groups, either by matching specific firewall addresses or by requiring authentication.
See User and device authentication for information about creating user accounts.
1. Enabling web filtering
Go to System > Feature Select and confirm that Web Filter is ON. If necessary, click Apply to make your changes.

2. Creating a web filter profile that uses quotas
Go to Security Profiles > Web Filter. Edit the default profile and enable FortiGuard category based filter.
Right-click on the category General Interest – Personal and select Monitor. Do the same for the category General Interest – Business.
These categories include a variety of sites that are commonly blocked in the workplace, such as games, instant messaging, and social media. For a complete description of each web filtering category, visit the FortiGuard Web Filtering page.
Under Category Usage Quota, select Create New.
Select both General Interest – Personal and General Interest – Business. For testing purposes, set the Quota to 5 Minutes.
The web filter now displays all the General Interest sub-categories and the applied quota.

3. Adding web filtering to a security policy
Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet. Under Security Profiles, turn on Web Filter and use the default profile.
Note: If you are applying quotas to specific users or devices, edit Source Address to apply the policy only to them.

4. Results
Browse to www.ebay.com, a website in the General Interest – Personal category.
Access to the website is allowed for 5 minutes, after which time a “web page blocked” message appears. The message appears each time users affected by the security policy try to access General Interest sites until the quota is reset (every 24 hours at midnight).
Go to FortiView > Threats and select the 5 minutes view. You can see the blocked traffic.
For further reading, check out Blocking Social Media using FortiGuard Categories, Blocking Facebook with Web Filtering, and FortiGuard Web Filtering Service in the FortiOS 5.4 Handbook.
The post Web filtering using quotas appeared first on Fortinet Cookbook.