Administration Guide

Profile

Creating Isolator browsing profile

Creating Isolator browsing profile from GUI

Configure the Isolator profile to dictate how the end user browses the web through FortiIsolator. There are various settings for you to configure, including the bandwidth use and end user privileges.

Steps
  1. From the administration portal, go to Policies and Profiles > Profiles and click Create New.
  2. From the Profile Type drop-down menu, select Isolator Profile and click OK.
  3. Fill in the new Isolator profile information with desired settings.

    Isolator profile name

    Name of the Isolator profile. No restrictions.

    Max download size / Max upload size

    Type in the maximum file size in megabytes for uploading and downloading files.

    Limit of view only

    By selecting the Limit of view only box, you limit the user to view-only access of web pages. The user is restricted from interacting with the pages, such as right-clicking or typing in text.

    Image quality

    Increase or decrease bandwidth usage.

    Video frame rate

    Increase or decrease bandwidth usage.

    Scroll speed

    Allows end users to control the scrolling speed of the mouse wheel while navigating pages. The range is from 1 - 100; 1 is the minimum speed, while 100 is the maximum speed.

    When the speed is set at 100, one scroll on the mouse wheel will scroll through one full page on the browser window.

    Use doc-rewrite when scanning file

    Allow rewriting of documents during file scanning such that embedded links in the file are rendered inactive.

    Scan files for malware

    Scans files when uploading or downloading through FortiIsolator.

    Enable

    • FortiIsolator scans the file for malware or viruses. If malware or viruses are detected, it displays a message informing the user that "Virus is discovered in the file."
    • If the file does not contain a virus, FortiIsolator then allows the user to upload or download the file normally.

    Disable

    • Will not scan files. Files will be uploaded and downloaded normally.

    Permit for Right-Click

    Allows the client user to right-click to display a menu.

    Note

    Feature only works when you:

    • Disable "Limit of view only."

    Print: User can print the current page as a PDF file.
    Logout: Log out from the current session.

    Send file to FortiSandbox

    Note

    To enable FortiSandbox scanning, you need to also enable:

    • Scan file for malware

    FortiIsolator provides the option to send files to FortiSandbox to scan for viruses or malware. When a file is uploaded or downloaded through FortiIsolator, the file is sent to FortiSandbox.

    If FortiSandbox detects the file as containing virus or malware, it blocks the file and sends back the result to FortiIsolator. FortiIsolator then displays the result in the client browser, not allowing the user to proceed any further.

    If it is a sanitized file, FortiSandbox allows the client user to upload or download the file through FortiIsolator.

    To send a file to FortiSandbox

    1. Verify that the FortiSandbox setting is valid.
    2. Upload a file through FortiIsolator. Image will appear when file upload is finished.

    3. Verify that the file is being scanned in FortiSandbox, and view the results of the scan.

    FortiSandbox IP

    Set the IP of the connected FortiSandbox.

    FortiSandbox administrator name

    Set the FortiSandbox administrator name.

    FortiSandbox password

    Set the FortiSandbox password.

    To Block File Types from Download/Upload

    Allow / disallow file types from download or upload.

    • Uncheck: allow all file types from download or upload.
    • Check: disallow the selected file type from download or upload.

Creating Isolator browsing profile from CLI

To create a FortiIsolator profile from CLI, follow this format:

> set isolator-profile <name> <download> <upload> <viewonly> <avscan> <image-quality> <video-frame-rate> <av-disarm> <right-click>

e.g.

> set isolator-profile profile_new 100 200 Y Y normal normal Y Y

<name> : Isolator Profile Name
<download> : Max Download Size (MB)
<upload> : Max Upload Size (MB)
<viewonly> : Limit of view only
<avscan> : Scan files for malware
<image-quality> : Image Quality
<video-frame-rate> : Video Frame Rate
<av-disarm> : Use doc-rewrite when scanning file
<right-click> : Permit for Right-Click

Displaying Isolator browsing profile from CLI

> show isolator-profile

Isolator Profile:profile_new

Download Size(MB) : 100

Upload Size(MB) : 200

Viewonly Enabled : Y

Antivirus Scan Enabled : Y

Antivirus Disarm Enabled : Y

Right Click Enabled : Y

Image Quality : normal

Video Frame Rate : normal

>
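The following added example (not part of the Fortinet guide or product) parses `show isolator-profile` output in the format shown above and flags settings that weaken or contradict each other, using the dependencies this page states: doc-rewrite runs during file scanning, and right-click only works with view-only disabled. The function names and the `max_mb` size limit are assumptions made for illustration.

```python
import re

# The `show isolator-profile` output from the example above, embedded as sample input.
SAMPLE = """\
Isolator Profile:profile_new
Download Size(MB) : 100
Upload Size(MB) : 200
Viewonly Enabled : Y
Antivirus Scan Enabled : Y
Antivirus Disarm Enabled : Y
Right Click Enabled : Y
Image Quality : normal
Video Frame Rate : normal
>
"""

def parse_profiles(text):
    """Return {profile name: {field: value}} parsed from the CLI output."""
    profiles, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.match(r"Isolator Profile\s*:\s*(.+)$", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return profiles

def audit(profile, max_mb=500):
    """List findings for one profile. max_mb is a hypothetical site limit."""
    on = lambda field: profile.get(field, "").upper() == "Y"
    findings = []
    if not on("Antivirus Scan Enabled"):
        findings.append("malware scan off: uploads and downloads pass unscanned")
        if on("Antivirus Disarm Enabled"):
            findings.append("doc-rewrite set but it runs during file scanning, which is off")
    elif not on("Antivirus Disarm Enabled"):
        findings.append("doc-rewrite off: links embedded in documents stay active")
    if on("Viewonly Enabled") and on("Right Click Enabled"):
        findings.append("right-click set but it only works with view-only disabled")
    for field in ("Download Size(MB)", "Upload Size(MB)"):
        size = profile.get(field, "")
        if not size.isdigit() or int(size) > max_mb:
            findings.append(f"{field} = {size or 'missing'}: not within the {max_mb} MB limit")
    return findings

if __name__ == "__main__":
    for name, fields in parse_profiles(SAMPLE).items():
        print(name, audit(fields) or "no findings")
```

Run against the page's own `profile_new`, the audit reports that Permit for Right-Click is enabled together with Limit of view only, so the right-click setting has no effect.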

Creating Web Filter profile

FortiIsolator supports web filtering, which enables the administrator to control which web pages end users are allowed to view. You can block specific URLs or websites, which prevents the end user's browser from loading web pages from these websites.

Prerequisites

Creating Web Filter profile from GUI

Steps
  1. From the administration portal, go to Policies and Profiles > Profiles and click Create New.
  2. From the Profile Type drop-down menu, select Web Filter Profile and click OK. You will be brought to the Edit Web Filter Profile page.
  3. Enter a Web Filter Profile Name.
  4. To change web filters for specific categories or subcategories, check the boxes next to the categories or subcategories that you wish to modify. To access the subcategories list, expand the category by clicking the small triangle next to the category.
    Right click on any checked box to select the desired action:
    1. View-only: End user is restricted to view-only access and is unable to interact with the web page, including clicking links and downloading files.
    2. Block: End user is restricted from accessing the web page and will be shown a page informing them that the URL has been blocked by the administrator.
    3. Allow: End user has full access of the website. By default, all web categories are allowed.
  5. To white list or black list specific websites, click the corresponding Create New button in the White List or Black List section. Enter the URL details and click OK. The white list and black list filters accept simple URLs, regular expressions, wildcards, and exemptions as URL filter criteria.
  6. To finish creating the Web Filter Profile, click Submit.
  7. To verify that the web filter is working, try browsing to one of the blocked web pages. You should see the following text displayed in your browser:

Creating Webfilter profile from CLI

set wf-white-list <name> <url> <type>

TYPE

0: Simple

1: Regular Expression

2: Wildcard

3: Exempt

e.g.

> set wf-white-list white_list_new website.com 0

> show wf-white-list

white_list-white_list_new testsite.com 0

set wf-black-list <name> <url> <type>

e.g.

> set wf-black-list black_list_new blocksite.com 0

TYPE

0: Simple

1: Regular Expression

2: Wildcard

3: Exempt

> show wf-black-list

black_list-black_list_new blocksite.com 0

set wf-profile <name> <white-list> <black-list> <actions>

e.g.

> set wf-profile webprofile_new white_list_new black_list_new 0

> show wf-profile

Web Filter Profile:webprofile_new

whitelist : white_list_new

blacklist : black_list_new

action profile : 0

Creating ICAP profile

Internet Content Adaptation Protocol (ICAP) is an application layer protocol that is used to offload tasks from the firewall to separate, specialized servers.

FortiIsolator supports ICAP web filtering, which allows the administrator to use third-party ICAP servers to control which webpages the end users are allowed to view. You can block specific URLs or websites, which prevents the end user's browser from loading web pages from these websites.

If you enable ICAP in a policy, HTTP and HTTPS traffic that is intercepted by the policy is transferred to the ICAP server specified by the selected ICAP profile. Responses from the ICAP server are returned to the FortiIsolator, and then forwarded to their destination.

ICAP profiles can be applied to policies that use Proxy-based or IP Forwarding mode.

Creating ICAP profile from GUI

Prerequisites

  • Ensure that an ICAP server is alive and can block websites from its local server.
  • Ensure the ICAP server can ping FortiIsolator and vice versa.

Steps

  1. From the administration portal, go to Policies and Profiles > Profiles and click Create New.
  2. From the Profile Type drop-down menu, select ICAP Profile and click OK.
  3. Fill in the new ICAP profile information with desired settings.
    ICAP Profile Name: Name of the ICAP profile.
    IP Address: IP address of the ICAP server.
    Port: Port number on which the ICAP server runs the service.
    Service: Service name of the ICAP server.
    Action when server fails: Action that FortiIsolator takes if it fails to connect to the ICAP server:

  • Allow
  • Block
  • View only

Creating ICAP profile from CLI

set icap-profile <name> <ip> <port> <service> <fail-action>

<name> : ICAP Profile Name

<ip> : IP Address

<port> : Port

<service> : Service

<fail-action> : Action when server fails (Block = 1, allow = 2, viewonly = 3)

e.g.

> set icap-profile icap_new 172.30.157.208 1344 url_check 1

> show icap-profile

ICAP Profile:icap_new

IP Address : 172.30.157.208

Port : 1344

Service Name : url_check
