Fortinet black logo

Administration Guide

Web profile override

Web profile override

The following profile override methods are available:

  • Administrative override
  • Allow users to override blocked categories

Administrative override

Administrators can grant temporary access to sites that are otherwise blocked by a web filter profile. You can grant temporary access to a user, user group, or source IP address. You can set the time limit by selecting a date and time. The default is 15 minutes.

When the administrative web profile override is enabled, a blocked access page or replacement message does not appear, and authentication is not required.

Scope range

You can choose one of the following scope ranges:

  • User: authentication for permission to override is based on whether or not the user is using a specific user account.
  • User group: authentication for permission to override is based on whether or not the user account supplied as a credential is a member of the specified user group.
  • Source IP: authentication for permission to override is based on the IP address of the computer that was used to authenticate. This would be used for computers that have multiple users. For example, if a user logs on to the computer, engages the override by using their credentials, and then logs off, anyone who logs on with an account on that computer would be using the alternate override web filter profile.
    Note

    When you enter an IP address in the administrative override method, only individual IP addresses are allowed.

Differences between IP and identity-based scope

Using the IP scope does not require using an identity-based policy.

When using the administrative override method and IP scope, you might not see a warning message when you change from using the original web filter profile to using the alternate profile. There is no requirement for credentials from the user so, if allowed, the page will just appear in the browser.

Configuring a web profile administrative override

This example describes how to override the webfilter profile with the webfilter_new profile.

To configure web profile administrative override using the GUI:
  1. Go to Security Profiles > Web Profile Overrides and click Create New.
  2. Configure the administrative override:
    1. For Scope Range, click Source IP.
    2. In the Source IP field, enter the IP address for the client computer (10.1.100.11 in this example).
    3. In the Original profile dropdown, select webfilter.
    4. In the New profile dropdown, select webfilter_new.

      In the Expires field, the default 15 minutes appears, which is the desired duration for this example.

  3. Click OK.
To configure web profile administrative override using the CLI:
config webfilter override
    edit 1
        set status enable
        set scope ip
        set old-profile "webfilter"
        set new-profile "webfilter_new"
        set expires 2021/07/30 10:14:00
        set initiator "admin"
        set ip 10.1.100.11
    next
end

Allow users to override blocked categories

For both override methods, the scope ranges (for specified users, user groups, or IP addresses) allow sites blocked by web filtering profiles to be overridden for a specified length of time.

But there is a difference between the override methods when the users or user group scope ranges are selected. In both cases, you would need to apply the user or user group as source in the firewall policy. With administrative override, if you do not apply the source in the firewall policy, the traffic will not match the override and will be blocked by the original profile. With the Allow users to override blocked categories setting, the traffic will also be blocked, but instead of displaying a blocking page, the following message appears:

When you choose the user group scope, once one user overrides, it will affect the other users in the group when they attempt to override. For example, user1 and user2 both belong to the local_user group. Once user1 successfully overrides, this will generate an override entry for the local_user group instead of one specific user. This means that if user2 logs in from another PC, they can override transparently.

Other features

Besides the scope, there are some other features in Allow users to override blocked categories.

Apply to user groups

Individual users can not be selected. You can select one or more of the user groups recognized by the FortiGate. They can be local to the system or from a third party authentication device, such as an AD server through FSSO.

Switch duration

Administrative override sets a specified time frame that is always used for that override. The available options are:

  • Predefined: the value entered is the set duration (length of time in days, hours, or minutes) that the override will be in effect. If the duration variable is set to 15 minutes, the length of the override will always be 15 minutes. The option will be visible in the override message page, but the setting will be grayed out.
  • Ask: the user has the option to set the override duration once it is engaged. The user can set the duration in terms of days, hours, or minutes.

Creating a web profile users override

This example describes how to allow users in the local_group to override the webfilter_new profile.

To allow users to override blocked categories using the GUI:
  1. Go to Security Profiles > Web Filter and click Create New.
  2. Enter a name for the profile.
  3. Enable Allow users to override blocked categories.
  4. Configure the web filter profile:
    1. Click the Groups that can override field, and select a group (local_group in this example).
    2. Click the Profile Name field, and select the webfilter_new profile.
    3. For the Switch applies to field, click IP.
    4. For the Switch Duration field, click Predefined. The default 15 minutes appears, which is the desired duration for this example.
    5. Configure the rest of the profile as needed.

  5. Click OK.

Using the ask feature

This option is only available in Allow users to override blocked categories is enabled. It configures the message page to have the user choose which scope they want to use. Normally on the message page, the scope options are grayed out and not editable. In the following example, the Scope is predefined with IP.

When the ask option is enabled (through the Switch applies to field in the GUI), the Scope dropdown is editable. Users can choose one of the following:

  • User
  • User group
  • IP

Note

User and User Group are only available when there is a user group in the firewall policy. You must specify a user group as a source in the firewall policy so the scope includes User and User Group; otherwise, only the IP option will be available.

Web profile override

The following profile override methods are available:

  • Administrative override
  • Allow users to override blocked categories

Administrative override

Administrators can grant temporary access to sites that are otherwise blocked by a web filter profile. You can grant temporary access to a user, user group, or source IP address. You can set the time limit by selecting a date and time. The default is 15 minutes.

When the administrative web profile override is enabled, a blocked access page or replacement message does not appear, and authentication is not required.

Scope range

You can choose one of the following scope ranges:

  • User: authentication for permission to override is based on whether or not the user is using a specific user account.
  • User group: authentication for permission to override is based on whether or not the user account supplied as a credential is a member of the specified user group.
  • Source IP: authentication for permission to override is based on the IP address of the computer that was used to authenticate. This would be used for computers that have multiple users. For example, if a user logs on to the computer, engages the override by using their credentials, and then logs off, anyone who logs on with an account on that computer would be using the alternate override web filter profile.
    Note

    When you enter an IP address in the administrative override method, only individual IP addresses are allowed.

Differences between IP and identity-based scope

Using the IP scope does not require using an identity-based policy.

When using the administrative override method and IP scope, you might not see a warning message when you change from using the original web filter profile to using the alternate profile. There is no requirement for credentials from the user so, if allowed, the page will just appear in the browser.

Configuring a web profile administrative override

This example describes how to override the webfilter profile with the webfilter_new profile.

To configure web profile administrative override using the GUI:
  1. Go to Security Profiles > Web Profile Overrides and click Create New.
  2. Configure the administrative override:
    1. For Scope Range, click Source IP.
    2. In the Source IP field, enter the IP address for the client computer (10.1.100.11 in this example).
    3. In the Original profile dropdown, select webfilter.
    4. In the New profile dropdown, select webfilter_new.

      In the Expires field, the default 15 minutes appears, which is the desired duration for this example.

  3. Click OK.
To configure web profile administrative override using the CLI:
config webfilter override
    edit 1
        set status enable
        set scope ip
        set old-profile "webfilter"
        set new-profile "webfilter_new"
        set expires 2021/07/30 10:14:00
        set initiator "admin"
        set ip 10.1.100.11
    next
end

Allow users to override blocked categories

For both override methods, the scope ranges (for specified users, user groups, or IP addresses) allow sites blocked by web filtering profiles to be overridden for a specified length of time.

But there is a difference between the override methods when the users or user group scope ranges are selected. In both cases, you would need to apply the user or user group as source in the firewall policy. With administrative override, if you do not apply the source in the firewall policy, the traffic will not match the override and will be blocked by the original profile. With the Allow users to override blocked categories setting, the traffic will also be blocked, but instead of displaying a blocking page, the following message appears:

When you choose the user group scope, once one user overrides, it will affect the other users in the group when they attempt to override. For example, user1 and user2 both belong to the local_user group. Once user1 successfully overrides, this will generate an override entry for the local_user group instead of one specific user. This means that if user2 logs in from another PC, they can override transparently.

Other features

Besides the scope, there are some other features in Allow users to override blocked categories.

Apply to user groups

Individual users can not be selected. You can select one or more of the user groups recognized by the FortiGate. They can be local to the system or from a third party authentication device, such as an AD server through FSSO.

Switch duration

Administrative override sets a specified time frame that is always used for that override. The available options are:

  • Predefined: the value entered is the set duration (length of time in days, hours, or minutes) that the override will be in effect. If the duration variable is set to 15 minutes, the length of the override will always be 15 minutes. The option will be visible in the override message page, but the setting will be grayed out.
  • Ask: the user has the option to set the override duration once it is engaged. The user can set the duration in terms of days, hours, or minutes.

Creating a web profile users override

This example describes how to allow users in the local_group to override the webfilter_new profile.

To allow users to override blocked categories using the GUI:
  1. Go to Security Profiles > Web Filter and click Create New.
  2. Enter a name for the profile.
  3. Enable Allow users to override blocked categories.
  4. Configure the web filter profile:
    1. Click the Groups that can override field, and select a group (local_group in this example).
    2. Click the Profile Name field, and select the webfilter_new profile.
    3. For the Switch applies to field, click IP.
    4. For the Switch Duration field, click Predefined. The default 15 minutes appears, which is the desired duration for this example.
    5. Configure the rest of the profile as needed.

  5. Click OK.

Using the ask feature

This option is only available in Allow users to override blocked categories is enabled. It configures the message page to have the user choose which scope they want to use. Normally on the message page, the scope options are grayed out and not editable. In the following example, the Scope is predefined with IP.

When the ask option is enabled (through the Switch applies to field in the GUI), the Scope dropdown is editable. Users can choose one of the following:

  • User
  • User group
  • IP

Note

User and User Group are only available when there is a user group in the firewall policy. You must specify a user group as a source in the firewall policy so the scope includes User and User Group; otherwise, only the IP option will be available.