Administration Guide

Configuring a SWG policy

This example configures a secure web gateway (SWG) policy to block all SWG users from accessing all traffic to *.netflix.com.

To configure an SWG policy:
  1. Enable SWG configuration:
    1. Go to System > SWG Configuration.
    2. Toggle Enable to on. The GUI may take a few minutes to reload. Once the GUI finishes loading, you can view the Hosted PAC File field. Endpoint users use this URL to configure their devices to connect through the FortiSASE SWG server.

    3. On the right pane, click Download SWG Certificates. You must distribute this certificate to end users to install on their endpoints to avoid untrusted certificate errors.
  2. Create the SWG-DenyNetflix SWG policy:
    1. Go to Configuration > SWG Policies.
    2. Click Create.
    3. Configure the SWG-DenyNetflix SWG policy:
      1. For User, select All SWG Users.
      2. In the Destination field, click Specify.
      3. On the Host tab, click Create.
      4. Select IPv4 Host. Configure the fields as follows:

         Field    Value
         Name     Enter the desired name.
         Type     Select FQDN.
         FQDN     Enter *.netflix.com. When using wildcard FQDNs, FortiSASE caches the FQDN address's IP addresses based on matching DNS responses.

      5. Click OK.
      6. Select the newly created Netflix host.
      7. In the Service field, click +. On the Select Entries pane, select webSWG.
      8. Leave all other fields at their default values.
      9. Click OK.
  3. In Configuration > SWG Policies, ensure that you order the policies so that the SWG-DenyNetflix policy is before the Allow-All policy.
  4. Distribute the URL in the System > SWG Configuration > Hosted PAC File field and the certificate downloaded from Download SWG Certificates to end users.
  5. The end user installs the certificate on their device.
  6. The end user can configure SWG settings at the OS level or in a browser. Configuring SWG settings at the OS level applies them to all installed browsers. The following gives instructions for configuring SWG settings at the OS level on a Windows 10 device:
    1. In Windows, go to Windows Settings > System > SWG Settings.
    2. Enable Use setup script.
    3. In the Script address field, enter the Hosted PAC File URL.

    4. The next time the user starts a browser session, the browser displays an authentication prompt. The end user enters their FortiSASE user credentials in the prompt. After ten minutes of inactivity, the browser reprompts for authentication credentials.

When a session is initiated through the client browser, FortiSASE analyzes the connection and performs an SWG policy match. FortiSASE performs the match from top down and compares the session with the configured SWG policy parameters. For example, consider that an SWG user attempts to access www.netflix.com. FortiSASE attempts to match the SWG-DenyNetflix policy, which matches. FortiSASE denies the user access to www.netflix.com.
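The following is an added model of the top-down match described above, written for this page and not FortiSASE code: it evaluates an ordered list of policies against a request and shows why SWG-DenyNetflix must sit above Allow-All. The policy fields, the rule that *.netflix.com covers any subdomain but not the bare apex, and the implicit deny when nothing matches are assumptions of this model.

```python
"""Toy evaluator for ordered SWG policies (constructed example, not FortiSASE code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    users: str            # "All SWG Users" or a specific user group name
    destinations: tuple   # FQDN patterns; ("*",) means any destination
    service: str          # e.g. "webSWG"
    action: str           # "accept" or "deny"


def fqdn_matches(pattern: str, host: str) -> bool:
    """Assumed wildcard semantics: '*.netflix.com' matches any subdomain of
    netflix.com but not 'netflix.com' itself; a bare '*' matches everything.
    FortiSASE itself resolves wildcard FQDNs from observed DNS responses; this
    model matches on the requested hostname only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".netflix.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def match_policy(policies, user_group: str, host: str, service: str) -> Optional[Policy]:
    """Top-down, first-match evaluation; None means no policy matched."""
    for p in policies:
        if p.users not in ("All SWG Users", user_group):
            continue
        if p.service != service:
            continue
        if not any(fqdn_matches(d, host) for d in p.destinations):
            continue
        return p
    return None


def decide(policies, user_group: str, host: str, service: str = "webSWG") -> tuple:
    """Return (matched policy name or None, resulting action); unmatched traffic is denied."""
    p = match_policy(policies, user_group, host, service)
    return (p.name, p.action) if p else (None, "deny")


# The two policies from this page, as the model represents them.
DENY_NETFLIX = Policy("SWG-DenyNetflix", "All SWG Users", ("*.netflix.com",), "webSWG", "deny")
ALLOW_ALL = Policy("Allow-All", "All SWG Users", ("*",), "webSWG", "accept")
```

With the deny policy first, www.netflix.com is denied and other hosts fall through to Allow-All; with the order reversed, Allow-All matches first and the deny policy never fires.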
