You can use the following profile override methods:
- Administrative override
- Allow users to override blocked categories
Administrators can grant temporary access to sites that are otherwise blocked by a web filter profile. You can grant temporary access to a user, user group, or source IP address. You can set the time limit by selecting a date and time. The default is 15 minutes.
When the administrative web profile override is enabled, a blocked access page or replacement message does not appear, and authentication is not required.
You can choose one of the following scope ranges:
- User: authentication for permission to override is based on whether or not the user is using a specific user account.
- User group: authentication for permission to override is based on whether or not the user account supplied as a credential is a member of the specified user group.
- Source IP: authentication for permission to override is based on the IP address of the computer that was used to authenticate. This would be used for computers that have multiple users. For example, if a user logs on to the computer, engages the override by using their credentials, and then logs off, anyone who logs on with an account on that computer would be using the alternate override web filter profile.
When you enter an IP address in the administrative override method, only individual IP addresses are allowed.
Using the IP scope does not require using an identity-based policy.
When using the administrative override method and IP scope, you might not see a warning message when you change from using the original web filter profile to using the alternate profile. There is no requirement for credentials from the user so, if allowed, the page will just appear in the browser.
This example describes how to override the webfilter profile with the webfilter_new profile.
- Go to Security Profiles > Web Profile Overrides and click Create New.
- Configure the administrative override:
- For Scope Range, click Source IP.
- In the Source IP field, enter the IP address for the client computer (
10.1.100.11in this example).
- In the Original profile dropdown, select webfilter.
- In the New profile dropdown, select webfilter_new.
In the Expires field, the default 15 minutes appears, which is the desired duration for this example.
- Click OK.
config webfilter override
set status enable
set scope ip
set old-profile "webfilter"
set new-profile "webfilter_new"
set expires 2020/08/12 12:00:00
set initiator "admin"
set ip 10.1.100.11
For both override methods, the scope ranges (for specified users, user groups, or IP addresses) allow sites blocked by web filtering profiles to be overridden for a specified length of time.
But there is a difference between the override methods when the users or user group scope ranges are selected. In both cases, you would need to apply the user or user group as source in the firewall policy. With administrative override, if you do not apply the source in the firewall policy, the traffic will not match the override and will be blocked by the original profile. With Allow users to override blocked categories, the traffic will also be blocked, but instead of displaying a blocking page, the following message appears:
When you choose the user group scope, once one user overrides, it will affect the other users in the group when they attempt to override. For example, user1 and user2 both belong to the local_user group. Once user1 successfully overrides, this will generate an override entry for the local_user group instead of one specific user. This means that if user2 logs in from another PC, they can override transparently.
Besides the scope, there are some other features in Allow users to override blocked categories.
Individual users can not be selected. You can select one or more of the user groups recognized by the FortiGate. They can be local to the system or from a third party authentication device, such as an AD server through FSSO.
Administrative override sets a specified time frame that is always used for that override. The available options in Allow users to override blocked categories are:
- Predefined: the value entered is the set duration (length of time in days, hours, or minutes) that the override will be in effect. If the duration variable is set to 15 minutes, the length of the override will always be 15 minutes. The option will be visible in the override message page, but the setting will be grayed out.
- Ask: the user has the option to set the override duration once it is engaged. The user can set the duration in terms of days, hours, or minutes.
This example describes how to allow users in the local_group to override the webfilter_new profile.
- Go to Security Profiles > Web Filter and click Create New.
- Enter a name for the profile.
- Enable Allow users to override blocked categories.
- Configure the web filter profile:
- Click the Groups that can override field, and select a group (local_group in this example).
- Click the Profile Name field, and select the webfilter_new profile.
- For the Switch applies to field, click IP.
- For the Switch Duration field, click Predefined. The default 15 minutes appears, which is the desired duration for this example.
- Configure the rest of the profile as needed.
- Click OK.
This option is only available in the Allow users to override blocked categories method. It configures the message page to have the user choose which scope they want to use. Normally on the message page, the scope options are grayed out and not editable. In the following example, the Scope is predefined with IP.
When the ask option is enabled (through the Switch applies to field in the GUI), the Scope dropdown is editable. Users can choose one of the following:
- User group
User and User Group are only available when there is a user group in the firewall policy. You must specify a user group as a source in the firewall policy so the scope includes User and User Group; otherwise, only the IP option will be available.