Fortigate Web-content Overide

Use Case: You have web content profiles set up and a help desk that is fielding calls from unhappy users because they cannot get to “legitimate” sites (A.K.A. Porn, Social Media, Movies,etc). You want to give the help desk the ability to bypass the web-content filter temporarily.

In Fortigate, you can set up an override configuration that will allow the help desk personnel to log into the users computer remotely or at the user’s desk, log in and bypass the profile. The firewall must be in “Proxy” mode. You can check this by going to Systems, Settings and towards the bottom of the page, you will see the ‘Inspection Mode’.

Once you are in ‘Proxy’ mode, you need to configure the Web Content Profile. In the Web Filter profile, you will need to:

1. Enable ‘Allow users to override blocked categories’
2. Assign a group that can override the profile.
3. The profile that the users CAN get (you may not want to allow everything like the malicious traffic)
4. Who the switch will apply to, User, User Group, and IP or Ask.
5. Defines how long that user will be allowed to use the overriden profile.

Obviously, you need to have a policy with a Web Filter Profile associated with it. When the user reaches the redirection page, you will have an override button on the left side. By clicking on it, you will be redirected to the override page.

As you can see in the above screenshot, had I given them the option to make certain choices like what other profile or how long they can use the temp profile for, these options would not have been grayed out.

Issues you may encounter. By default, the override page seen above uses the Fortinet default certificate. You may need to change it to reflect the proper certificate you want to use (e.g. SubCA Certificate which you can see on my previous blog post).

config user setting
set auth-ca-cert %Name-of-SubCA%
end

Where %Name-of-SubCA% is the name of the certificate.

Hope this helps.