
How do I allow a specific website in FortiGate?

If you want to allow access to a specific website through a FortiGate, there are a few simple steps you need to take. In this article, we’ll walk through creating a firewall address object for the site and a firewall policy that allows traffic to it, and then placing that policy correctly in the policy table.

Why Would I Want to Allow a Specific Website?

There are a few common scenarios where you may want to allow a specific website through the FortiGate firewall:

  • Allowing access to approved external websites – Your organization may want to restrict general web browsing, but allow access to certain approved sites. A policy that permits only those destinations does this. This is the scenario the steps below cover.
  • Allowing access to web applications – If your users need access to a specific web application, a policy for its hostname can grant access. Note that large SaaS platforms (Office 365, for example) use many hostnames and IP ranges, so a single FQDN object is rarely enough; FortiGate’s Internet Service Database (ISDB) objects are designed for that case.
  • Publishing an internal company website – If you host an internal website and need external users to reach it, that is inbound traffic. It requires a Virtual IP (VIP) and an inbound policy, which is a different procedure from the outbound allow described here.

The key thing is that FortiGate evaluates policies top-down and applies an implicit deny to any traffic that matches no policy, so traffic to a website is only permitted when a policy explicitly accepts it.

Prerequisites

Before we get started with the website allow process, there are a few prerequisites:

  • You’ll need administrator access to the FortiGate.
  • You’ll need the hostname (FQDN) or IP address of the website. A firewall address object matches hosts, not URL paths; if you need to allow only part of a site, use a Web Filter URL filter instead.
  • You’ll need to decide which users, groups or subnets will be allowed to reach the site, and on which interface they arrive.

As long as you have that information ready, you’ll be good to go.

Step 1 – Create an Address for the Website

The first step is to create a firewall address object that specifies the website you want to allow. Here’s how:

  1. Go to Policy & Objects > Addresses
  2. Click Create New to add a new address
  3. For the Name, enter something descriptive like “Allowed-Website”
  4. For the Type, choose FQDN if you’re using a hostname, or Subnet (use a /32 for a single host) or IP Range if you have the website’s IP.
  5. Enter the website’s FQDN or IP address in the required field.
  6. Click OK to create the address object.

This address object represents the website you want to allow in the next steps. With an FQDN object, the FortiGate resolves the name with its own DNS settings and matches traffic against the addresses it received. If clients resolve the same name to different addresses (common with CDN-hosted sites and round-robin DNS), some connections will not match the object, so make sure clients and the FortiGate use the same resolvers.

Step 2 – Create the Firewall Policy Rule

Now that you have an address object for the website, you can create a firewall policy rule to allow it:

  1. Go to Policy & Objects > IPv4 Policy (named Firewall Policy in newer FortiOS versions)
  2. Click Create New to add a policy.
  3. For Incoming Interface, choose the interface the clients are on (typically the internal or LAN interface).
  4. For Source Address, choose the specific subnets or address objects that should be able to reach the website; avoid all unless every network behind that interface needs access.
  5. For Outgoing Interface, choose the interface that leads to the website (typically the WAN interface for an internet site).
  6. For Destination Address, select the address object you created for the website.
  7. For Service, choose HTTPS, and add HTTP as well if the site redirects from HTTP to HTTPS. Name resolution is not covered by this policy; clients still need DNS, either through a separate policy or a resolver they can already reach.
  8. For Action, select ACCEPT.
  9. Enable NAT if the website is on the internet, so that client traffic leaves with the outgoing interface’s address.
  10. Click OK to create the policy.

This policy allows traffic from the chosen sources to the specific website. Everything else stays blocked only if no other, broader policy accepts it.

Step 3 – Order the Policy Correctly

One last important step is policy order. FortiGate matches policies top-down and uses the first match, with an implicit deny at the bottom of the table. Your allow policy must sit above any broader policy that would match the same traffic first, such as a policy that blocks or inspects all web traffic from the same sources. Moving it to the very top is the simplest way to guarantee this, but placing it just above the conflicting policy keeps the table readable.

  1. Go to Policy & Objects > IPv4 Policy
  2. Find the policy you just created and drag it above any policy that would match the same traffic.

With that, traffic to the allowed website will flow as expected.
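The same three steps in the FortiOS CLI, as an added example that is not part of the original article. The interface names (lan, wan1), the LAN subnet 192.168.1.0/24, the hostname www.example.com, and the policy IDs 50 and 10 are assumptions for illustration; replace them with your own.

```text
# Added example: FortiOS CLI equivalent of Steps 1-3 (not from the original article).
# Interface names, subnet, hostname and policy IDs are assumed for illustration.

# Step 1 - address objects: the website (FQDN) and the clients allowed to reach it
config firewall address
    edit "Allowed-Website"
        set type fqdn
        set fqdn "www.example.com"
    next
    edit "Internal-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 2 - outbound policy: LAN clients -> the website only, HTTP and HTTPS,
# source NAT to the WAN interface address, all sessions logged
config firewall policy
    edit 50
        set name "Allow-Specific-Website"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "Internal-LAN"
        set dstaddr "Allowed-Website"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end

# Step 3 - order: first match wins, so move the new policy above the broader
# policy (assumed ID 10) that would otherwise match the same traffic
config firewall policy
    move 50 before 10
end

# Verify what was written
show firewall address "Allowed-Website"
show firewall policy 50
```

Using `edit 0` instead of an explicit ID lets the FortiGate assign the next free policy ID, but then you need to read that ID back before issuing the `move`. Note that this policy permits only HTTP and HTTPS to the one destination; DNS for the clients must be allowed elsewhere or served by a resolver they can already reach.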

Additional Tips

Here are some additional tips when working with website allow rules in FortiGate:

  • Add user groups to the policy’s source so that only authenticated members of those groups can use it, rather than anyone on the source subnet.
  • Consider SSL inspection to scan HTTPS traffic for threats. Certificate inspection only sees the server name (SNI) and certificate; full (deep) inspection decrypts the session and requires the FortiGate’s CA certificate to be trusted on every client, or users will see certificate warnings.
  • If you need to allow by URL rather than by host, or to allow one site while a Web Filter profile blocks a category, use a URL filter entry with the Allow action in the Web Filter profile applied to the policy; a firewall address object cannot express paths.
  • Enable logging on the policy (log all sessions, not only security events) to keep track of access.
  • Tighten the source addresses and the schedule to only the networks and hours that require access.

Troubleshooting Website Access

If you’ve configured a website allow rule but still can’t access the site, here are some things you can check:

  • Make sure the website address object contains the correct FQDN or IP address, and that the FortiGate actually resolves the FQDN. If clients resolve the site to a different address than the FortiGate does, their traffic will not match the object.
  • Confirm that the client IP address matches what’s allowed in the source address field, and that the client arrives on the incoming interface the policy names.
  • Check that you have the correct services in the policy; an HTTPS-only policy silently drops the initial HTTP request of a site that redirects to HTTPS.
  • Verify there are no other policies higher in the list that match the same traffic and deny it, and no security profile (Web Filter, DNS Filter, IPS) on the matching policy that blocks the site.
  • Check the forward traffic logs (Log & Report) for the client’s sessions; a session logged against the implicit deny policy (ID 0) means no policy matched at all.

With a bit of troubleshooting, you should be able to get that website working through your FortiGate.
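The checks above in the FortiOS CLI, as an added example that is not part of the original article. The client address 192.168.1.50, the resolved site address 203.0.113.10, the hostname www.example.com and the source interface name lan are assumptions for illustration.

```text
# Added example: FortiOS CLI troubleshooting for a client that cannot reach the
# allowed site (not from the original article). Addresses, hostname and the
# interface name are assumed for illustration.

# 1. Does the FortiGate resolve the FQDN, and to which addresses?
#    Compare with what the client resolves; a mismatch means the object never matches.
diagnose firewall fqdn list
execute ping www.example.com

# 2. Which policy would the FortiGate select for this flow?
#    Arguments: <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <src_intf>
diagnose firewall iprope lookup 192.168.1.50 40000 203.0.113.10 443 6 lan

# 3. Trace the flow through the policy engine while reproducing the problem
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.1.50
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the connection from the client, then stop the trace:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

In the trace output, a message along the lines of "Allowed by Policy-50" names the policy that matched, while "Denied by forward policy check (policy 0)" means nothing matched and the implicit deny applied; a deny attributed to a different policy ID points at a broader policy sitting above yours. Always finish with `diagnose debug reset` so the debug flow does not keep consuming CPU on a production unit.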

Conclusion

Allowing access to specific websites in FortiGate is straightforward once you understand the steps. By creating an address object for the website and then allowing it in a firewall policy rule, you can selectively allow traffic while maintaining your overall security posture. Restrict website access to only what is business critical for your organization.