Profile
Creating Isolator browsing profile
Creating Isolator browsing profile from GUI
Configure the Isolator profile to dictate how the end user browses the web through FortiIsolator. There are various settings for you to configure, including the bandwidth use and end user privileges.
Steps
- From the administration portal, go to Policies and Profiles > Profiles and click Create New.
- From the Profile Type drop-down menu, select Isolator Profile and click OK.
- Fill in the new Isolator profile information with desired settings.
Isolator profile name
Name of the Isolator profile. No restrictions.
Max download size / Max upload size
Type in the maximum file size in megabytes for uploading and downloading files.
Limit of view only
By selecting the Limit of view only box, you limit the user to view-only access of web pages. The user is restricted from interacting with the pages, such as right-clicking or typing in text.
Image quality
Increase or decrease bandwidth usage.
Video frame rate
Increase or decrease bandwidth usage.
Use doc-rewrite when scanning file
Allow rewriting of documents during file scanning such that embedded links in the file are rendered inactive.
Scan files for malware
Scans files when uploading or downloading through FortiIsolator.
Enable
- FortiIsolator will scan the file for malware or viruses. If malware or viruses are detected, it will prompt a message to inform the user that "Virus is discovered in the file."
- If the file does not contain a virus, FortiIsolator then allows the user to upload or download the file normally.
Disable
- Will not scan files. Files will be uploaded and downloaded normally.
Permit for Right-Click
Allows the client user to right click on mouse to display a menu.
Feature only works when you:
- Disable "Limit of view only."
Print User can print the current page as a PDF file. Logout Log out from the current session. 
Send file to FortiSandbox
To enable FortiSandbox scanning, you need to also enable:
- Scan file for malware
FortiIsolator provides the option to send files to FortiSandbox to scan for virus or malware. When uploading or downloading a file through FortiIsolator, the file will send to FortiSandbox.
If FortiSandbox detects the file as containing virus or malware, it blocks the file and sends back the result to FortiIsolator. FortiIsolator then displays the result in the client browser, not allowing the user to proceed any further.
If it is a sanitized file, FortiSandbox allows the client user to upload or download the file through FortiIsolator.
To send a file to FortiSandbox
- Verify that the FortiSandbox setting is valid.
-
Upload a file through FortiIsolator. Image will appear when file upload is finished.
- Verify that the file is being scanned in FortiSandbox, and view the results of the scan.
FortiSandbox IP
Set the IP of the connected FortiSandbox.
FortiSandbox administrator name
Set the FortiSandbox administrator name.
FortiSandbox password
Set the FortiSandbox password.
Creating Isolator browsing profile from CLI
To create a FortiIsolator profile from CLI, follow this format:
> set isolator-profile <name> <download> <upload> <viewonly> <avscan> <image-quality> <video-frame-rate> <av-disarm> <right-click>
e.g.
> set isolator-profile profile_new 100 200 Y Y normal normal Y Y
| <name> | Isolator Profile Name |
| <download> | Max Download Size (MB) |
| <upload> | Max Upload Size (MB) |
| <viewonly> | Limit of view only |
| <avscan> | Scan files for malware |
| <image-quality> | Image Quality |
| <video-frame-rate> | Video Frame Rate |
| <av-disarm> | Use doc-rewrite when scanning file |
| <right-click> | Permit for Right-Click |
Displaying Isolator browsing profile from CLI
> show isolator-profile
Isolator Profile:profile_new
Download Size(MB) : 100
Upload Size(MB) : 200
Viewonly Enabled : Y
Antivirus Scan Enabled : Y
Antivirus Disarm Enabled : Y
Right Click Enabled : Y
Image Quality : normal
Video Frame Rate : normal
>
Creating Web Filter profile
FortiIsolator supports web filtering, which enables the administrator to control which webpages that end users are allowed to view. You can block specific URLs or websites, which prevents the end user's browser from loading web pages from these websites.
Prerequisites
- Ensure that FortiIsolator has a valid license installed.
- Register the device to a production server: https://support.fortinet.com/product/RegistrationEntry.aspx.
- Ensure that the IP address in the FortiIsolator license is the same as the FortiIsolator management IP address.
Creating Web Filter profile from GUI
Steps
- From the administration portal, go to Policies and Profiles > Profiles and click Create New.
- From the Profile Type drop-down menu, select Web Filter Profile and click OK. You will be brought to the Edit Web Filter Profile page.
- Enter a Web Filter Profile Name.
- To change web filters for specific categories or subcategories, check the boxes next to the categories or subcategories that you wish to modify. To access the subcategories list, expand the category by clicking the small triangle next to the category.
Right click on any checked box to select the desired action:- View-only: End user is restricted to view-only access and is unable to interact with the web page, including clicking links and downloading files.
- Block: End user is restricted from accessing the web page and will be shown a page informing them that the URL has been blocked by the administrator.
- Allow: End user has full access of the website. By default, all web categories are allowed.
- To white list or black list specific websites, click the corresponding Create New button in the White List or Black List section. Enter the URL details and click OK. The white list and black list filters accept simple URLs, regular expressions, wildcards, and exemptions as URL filter criteria.
- To finish creating the Web Filter Profile, click Submit.
- To verify that the web filter is working, try browsing to one of the blocked web pages. You should see the following text displayed in your browser:
Creating Webfilter profile from CLI
set wf-white-list <name> <url> <type>
TYPE
0: Simple
1: Regular Expression
2: Wildcard
3: Exempt
e.g.
> set wf-white-list white_list_new website.com 0
> show wf-white-list
white_list-white_list_new testsite.com 0
set wf-black-list <name> <url> <type>
e.g.
> set wf-black-list black_list_new blocksite.com 0
TYPE
0: Simple
1: Regular Expression
2: Wildcard
3: Exempt
> show wf-black-list
black_list-black_list_new blocksite.com 0
set wf-profile <name> <white-list> <black-list> <actions>
e.g.
> set wf-profile webprofile_new white_list_new black_list_new 0
> show wf-profile
Web Filter Profile:webprofile_new
whitelist : white_list_new
blacklist : black_list_new
action profile : 0
Creating ICAP profile
Internet Content Adaptation Protocol (ICAP) is an application layer protocol that is used to offload tasks from the firewall to separate, specialized servers.
FortiIsolator supports ICAP web filtering, which allows the administrator to use third-party ICAP servers to control which webpages the end users are allowed to view. You can block specific URLs or websites, which prevents the end user's browser from loading web pages from these websites.
If you enable ICAP in a policy, HTTP and HTTPS traffic that is intercepted by the policy is transferred to the ICAP server specified by the selected ICAP profile. Responses from the ICAP server are returned to the FortiIsolator, and then forwarded to their destination.
ICAP profiles can be applied to policies that use Proxy-based or IP Forwarding mode.
Creating ICAP profile from GUI
Prerequisites
- Ensure that an ICAP server is alive and can block web sites from its local server.
- Ensure the ICAP server can ping to FortiIsolator and vice versa.
Steps
- From the administration portal, go to Policies and Profiles > Profiles and click Create New.
- From the Profile Type drop-down menu, select ICAP Profile and click OK.
- Fill in the new ICAP profile information with desired settings.
| ICAP Profile Name | Name of the ICAP profile |
| IP Address | IP Address of the ICAP server |
| Port | Port number that the ICAP server running the service on |
| Service | Service name of the ICAP server |
| Action when server fails |
Actions on FortiIsolator if fails to connect to ICAP
|
Creating ICAP profile from CLI
set icap-profile <name> <ip> <port> <service> <fail-action>
<name> : ICAP Profile Name
<ip> : IP Address
<port> : Port
<service> : Service
<fail-action> : Action when server fails (Block = 1, allow = 2, viewonly = 3)
e.g.
> set icap-profile icap_new 172.30.157.208 1344 url_check 1
> show icap-profile
ICAP Profile:icap_new
IP Address : 172.30.157.208
Port : 1344
Service Name : url_check
