
Profile


Creating an Isolator browsing profile

Configure the Isolator profile to dictate how the end user browses the web through FortiIsolator. There are various settings for you to configure, including the bandwidth use and end user privileges.

To create an Isolator browsing profile from GUI:
  1. From the administration portal, go to Policies and Profiles > Profiles and click Create New.
  2. From the Profile Type drop-down menu, select Isolator Profile and click OK.
  3. Fill in the new Isolator profile information with desired settings.
    Isolator Profile Name

    Name of the Isolator profile. No restrictions.

    View-only Mode

    Specifies whether to limit the user to view-only access of web pages. The user is restricted from interacting with the pages, such as right-clicking or typing in text.

    Image Quality

    Specify a percentage within 1-100. A higher percentage means more bandwidth usage.

    Video Frame Rate

    Video frame rate (high, normal, low). A higher rate means more bandwidth usage.

    Scroll Speed

    Allows end users to control the scrolling speed of the mouse wheel while navigating pages. The range is from 1 - 100; 1 is the minimum speed, while 100 is the maximum speed.

    When the speed is set at 100, one scroll on the mouse wheel will scroll through one full page on the browser window.

    Allow Right-click Action

    Specifies whether to allow client users to right-click to display a menu.

    Note

    This option works only if View-only Mode is disabled.

    Print

    Users can print the current page as a PDF file.

    Logout

    Log out from the current session.

    Allow Copy and Paste

    Specifies whether to allow client users to copy and paste from keyboard.

    Allow Printing

    Specifies whether to allow client users to print the current page into a PDF file.

    User Agent

    Customized user agent name.

    Show Isolation Icon

    Specifies whether to show the FortiIsolator icon on the pages when users browse using FortiIsolator.

    Certificates

    Specifies which uploaded certificate(s) to enable for the profile.

    FortiIsolator automatically lists all uploaded Certificates of the following types. If no such certificate is uploaded, the list is empty.

    • Self Signed Server Certificate

    • Self Signed CA Root Certificate

    • Intermediate CA Certificate

    Note

    The certificate chain must be complete for the certificate to work, which means the root certificate and all relevant subordinate certificates (Intermediate CA Certificates) must be enabled at the same time.

    Max Download Size (MB)

    Specifies the maximum file size in megabytes for downloading files.

    Max Upload Size (MB)

    Specifies the maximum file size in megabytes for uploading files.

    Block File Type Download

    Select the file types to block from downloading. You can also add more file types by clicking the Add button.

    • exe
    • doc
    • ppt
    • pdf
    • txt
    • xls
    • png
    Block File Type Upload

    Select the file types to block from uploading. You can also add more file types by clicking the Add button.

    • exe
    • doc
    • ppt
    • pdf
    • txt
    • xls
    • png
    File Download Security

    Configure whether to scan files for viruses or malware with the following tools when uploading or downloading files through FortiIsolator.

    • If any of the enabled tools detects a virus or malware in the file, FortiIsolator displays the result in the client browser and prevents the user from uploading or downloading the file.
    • If all enabled tools determine that the file is sanitized, FortiIsolator allows the client user to upload or download the file.

    Send Files with FortiSandbox

    Specifies whether to send files to FortiSandbox. When enabled, specify the following options to connect to FortiSandbox:
    • FortiSandbox IP—IP address or domain name of the FortiSandbox to connect to.
    • FortiSandbox Administrator Name—Name of the FortiSandbox administrator.
    • FortiSandbox Password—Password of FortiSandbox.
    To verify connection with FortiSandbox, upload a file using FortiIsolator. When the following image appears, which means the upload is complete, verify that the file is being scanned in FortiSandbox and view the result of the scan.

    Scan Files with FortiIsolator

    Specifies whether to scan files with FortiIsolator. When enabled, further configure the following option:
    • File Content Disarm and Reconstruct with FortiIsolator
    File Content Disarm and Reconstruct Integration with Votiro

    Specifies whether to use Votiro for file content disarm and reconstruct. When enabled, specify the following options to connect to Votiro:
    • Votiro URL—URL of the Votiro application.
    • Votiro Token—Service token that you created in Votiro which allows FortiIsolator to communicate with Votiro.
    • Votiro Channel ID—ID of the Votiro service token.
    • Votiro Policy Name—Name of the Votiro policy to use.

    To verify connection with Votiro, enable this option and download a file using FortiIsolator. When the following image appears, which means the download is complete, verify that the file appears in the Incidents page in Votiro.

  4. Click OK.
To create a FortiIsolator profile from CLI:

> set isolator-profile <name> <download> <upload> <viewonly> <avscan> <image-quality> <video-frame-rate> <av-disarm> <right-click> <scroll-speed> <file-type> <permit-of-copy> <permit-of-print> <agent-name>

For example,

> set isolator-profile system_default 100 100 N Y 100 normal Y Y 10 exe;doc Y Y fortiisolator

Parameter : Description

<name> : Name of the Isolator profile.

<download> : Max download size in megabytes (MB).

<upload> : Max upload size in megabytes (MB).

<viewonly> : Limit the user to view-only access (Y/N).

<avscan> : Scan files for malware (Y/N).

<image-quality> : Image quality. Specify a percentage within 1-100.

<video-frame-rate> : Video frame rate (high, normal, low).

<av-disarm> : Use doc-rewrite when scanning files (Y/N).

<right-click> : Permit right-click (Y/N). This parameter is valid only when <viewonly> is N.

<scroll-speed> : Scrolling speed of the mouse wheel while navigating pages. The range is from 1 - 100, with 1 as the minimum speed and 100 the maximum.

<file-type> : File types to block from downloading and uploading.

<permit-of-copy> : Permit copy and paste from the keyboard (Y/N).

<permit-of-print> : Permit printing the current page to a PDF file (Y/N).

<agent-name> : Customized user agent name.

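
Because the command takes fourteen positional arguments, a swapped pair is easy to miss. The following check is an added example (not Fortinet code) that maps each token to its documented parameter and applies the constraints listed above; it assumes whitespace-free values, integer sizes, and the semicolon separator seen in the page's `exe;doc` example.

```python
import re

# Positional order of `set isolator-profile`, as documented on this page.
FIELDS = (
    "name", "download", "upload", "viewonly", "avscan", "image-quality",
    "video-frame-rate", "av-disarm", "right-click", "scroll-speed",
    "file-type", "permit-of-copy", "permit-of-print", "agent-name",
)
YES_NO = ("viewonly", "avscan", "av-disarm", "right-click",
          "permit-of-copy", "permit-of-print")
PERCENT = ("image-quality", "scroll-speed")   # documented range 1-100
SIZES = ("download", "upload")                # MB; integer is an assumption
FRAME_RATES = ("high", "normal", "low")


def _int_in_range(text, low, high):
    """True when text is a plain decimal integer within [low, high]."""
    return re.fullmatch(r"[0-9]+", text) is not None and low <= int(text) <= high


def parse_isolator_profile(line):
    """Return (profile, issues) for one `set isolator-profile` command line."""
    tokens = line.strip().lstrip("> ").split()
    if tokens[:2] != ["set", "isolator-profile"]:
        raise ValueError("not a 'set isolator-profile' command")
    args = tokens[2:]
    if len(args) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} arguments, got {len(args)}")

    profile = dict(zip(FIELDS, args))
    issues = []
    for key in YES_NO:
        if profile[key] not in ("Y", "N"):
            issues.append(f"<{key}> must be Y or N, got {profile[key]!r}")
    for key in PERCENT:
        if not _int_in_range(profile[key], 1, 100):
            issues.append(f"<{key}> must be 1-100, got {profile[key]!r}")
    for key in SIZES:
        if re.fullmatch(r"[0-9]+", profile[key]) is None:
            issues.append(f"<{key}> must be a size in MB, got {profile[key]!r}")
    if profile["video-frame-rate"] not in FRAME_RATES:
        issues.append("<video-frame-rate> must be high, normal or low, "
                      f"got {profile['video-frame-rate']!r}")
    # Documented dependency: <right-click> is valid only when <viewonly> is N.
    if profile["viewonly"] == "Y" and profile["right-click"] == "Y":
        issues.append("<right-click> is Y but <viewonly> is Y, so it is not valid")

    # Blocked file types are a semicolon-separated list (as in 'exe;doc').
    profile["file-type"] = [t for t in profile["file-type"].split(";") if t]
    return profile, issues


# The page's own example command.
PAGE_EXAMPLE = ("set isolator-profile system_default 100 100 N Y 100 normal "
                "Y Y 10 exe;doc Y Y fortiisolator")
# Constructed sample: <image-quality> and <video-frame-rate> are swapped and
# right-click is enabled together with view-only.
SWAPPED = ("set isolator-profile kiosk 50 10 Y Y normal 100 "
           "Y Y 10 exe Y N kiosk-agent")

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, SWAPPED):
        parsed, found = parse_isolator_profile(sample)
        print(parsed["name"], found or "ok")
```
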
To display Isolator browsing profile from CLI:

> show isolator-profile system_default

Remote Render : N

Download Size(MB) : 100

Upload Size(MB) : 100

Viewonly Enabled : N

Antivirus Scan Enabled : Y

Antivirus Disarm Enabled : Y

Right Click Enabled : Y

Image Quality : 100

Video Frame Rate : normal

Scroll Speed : 10

Blocking file type for downloading and uploading : exe;doc

Agent Name : fortiisolator

FortiSandbox Enabled : N

FortiSandbox IP : ""

FortiSandbox Admin : ""

>

Creating Web Filter profile

FortiIsolator supports web filtering, which enables the administrator to control which webpages end users are allowed to view. You can block specific URLs or websites, which prevents the end user's browser from loading web pages from these websites.

Prerequisites
To create a Web Filter profile from GUI:
  1. From the administration portal, go to Policies and Profiles > Profiles and click Create New.
  2. From the Profile Type drop-down menu, select Web Filter Profile and click OK. You will be brought to the Edit Web Filter Profile page.
  3. Enter a Web Filter Profile Name.
  4. To change web filters for specific categories or subcategories, check the boxes next to the categories or subcategories that you wish to modify. To access the subcategories list, expand the category by clicking the small triangle next to the category.

    Right-click on any checked box to select the desired action:

    1. View-only: End user is restricted to view-only access and is unable to interact with the web page, including clicking links and downloading files.
    2. Block: End user is restricted from accessing the web page and will be shown a page informing them that the URL has been blocked by the administrator.
    3. Allow: End user has full access of the website. By default, all web categories are allowed.
  5. To allow or block specific websites, click the corresponding Create New button in the Allow List or Block List section. Enter the URL details and click OK. The allow list and block list filters accept simple URLs, regular expressions, wildcards, and exemptions as URL filter criteria.
  6. To finish creating the Web Filter Profile, click Submit.
  7. To verify that the web filter is working, try browsing to one of the blocked web pages. You should see the following text displayed in your browser:
To create a Web Filter profile from CLI:

set wf-allow-list <name> <url> <type>

TYPE

0: Simple

1: Regular Expression

2: Wildcard

3: Exempt

e.g.

> set wf-allow-list allow_list_new website.com 0

> show wf-allow-list

allow_list-allow_list_new testsite.com 0

set wf-block-list <name> <url> <type>

e.g.

> set wf-block-list block_list_new blocksite.com 0

TYPE

0: Simple

1: Regular Expression

2: Wildcard

3: Exempt

> show wf-block-list

block_list-block_list_new blocksite.com 0

set wf-profile <name> <allow-list> <block-list> <actions>

e.g.

> set wf-profile webprofile_new allow_list_new block_list_new 0

> show wf-profile

Web Filter Profile:webprofile_new

allowlist : allow_list_new

blocklist : block_list_new

action profile : 0

Creating ICAP profile

Internet Content Adaptation Protocol (ICAP) is an application layer protocol that is used to offload tasks from the firewall to separate, specialized servers.

FortiIsolator supports ICAP web filtering, which allows the administrator to use third-party ICAP servers to control which webpages the end users are allowed to view. You can block specific URLs or websites, which prevents the end user's browser from loading web pages from these websites.

If you enable ICAP in a policy, HTTP and HTTPS traffic that is intercepted by the policy is transferred to the ICAP server specified by the selected ICAP profile. Responses from the ICAP server are returned to the FortiIsolator, and then forwarded to their destination.

ICAP profiles can be applied to policies that use Proxy-based or IP Forwarding mode.

Prerequisites

  • Ensure that an ICAP server is alive and can block web sites from its local server.

  • Ensure the ICAP server can ping FortiIsolator and vice versa.

To create an ICAP profile from GUI:
  1. From the administration portal, go to Policies and Profiles > Profiles and click Create New.
  2. From the Profile Type drop-down menu, select ICAP Profile and click OK.
  3. Fill in the new ICAP profile information with desired settings:

    ICAP Profile Name

    Name of the ICAP profile

    IP Address

    IP Address of the ICAP server

    Port

    Port number on which the ICAP server runs the service

    Service

    Service name of the ICAP server

    Action when server fails

    Action that FortiIsolator takes if it fails to connect to the ICAP server

    • Allow
    • Block
    • View only
To create an ICAP profile from CLI:

set icap-profile <name> <ip> <port> <service> <fail-action>

<name> : ICAP Profile Name

<ip> : IP Address

<port> : Port

<service> : Service

<fail-action> : Action when server fails (Block = 1, allow = 2, viewonly = 3)

e.g.

> set icap-profile icap_new 172.30.157.208 1344 url_check 1

> show icap-profile

ICAP Profile:icap_new

IP Address : 172.30.157.208

Port : 1344

Service Name : url_check
