While web filtering provides a company with the ability to limit where users visit on the Internet, what if some users – managers, guests or whole departments – need access to these categories or subsets of those categories? What if you still want your users or employees to have some level of freedom? After all, a happy worker is a productive worker. What you need is the flexibility to accommodate a multitude of configurations and situations. One size does not necessarily fit all.
Happily, FortiOS comes in many sizes. There are options available to meet the needs of various users at various times of the day.
Beyond the selections of the FortiGuard web services, overrides and custom configurations are the firewall policies that instruct the FortiGate how to determine which users can see what sites and when.
Within firewall policies, you can use an identity-based approach, where local users and groups or more established LDAP, RADIUS or TACACS+ databases can be referenced. By setting up users and unique groups, you can create web filtering policies to accommodate unique situations rather than painting web access with a very large corporate brush. With unique user and group options, firewall policies can be set up to request authentication. Before a user can access the specific web policy, they must enter a username and password. Once authenticated, the correct web profile can be applied.
As another possibility, web access policies can be time-controlled. Where specific policies restrict web access through most of the day, other policies can lift these restrictions over the lunch hour or after work to let employees view social networking and entertainment sites (remember those happy workers?), then shut the access off automatically so everyone can get back to work (happy and productive!). Alternatively, set a time quota for the day for different web categories. Rather than dictating a specific time of the day, allow a total time allotment for the day: a gaming maximum of one hour, social networking two hours a day. When the user’s time is up, they can be shut off until the next day.
And when the time is up, the FortiGate includes messages you can customize to gently let users know. These messages are stored on the FortiGate in simple HTML.
All of these options make for happy network admins, managers and employees. Further, all surfing actions can be logged and analyzed, so users’ surfing habits can be monitored and filtering fine-tuned. If the FortiGate unit has an integrated storage module (internal hard disk or AMC module), or you use a FortiAnalyzer unit, you can log the web sites visited and generate reports to see what the web site flow is, and even who the top users are, then adjust your web filtering policies accordingly to strike a balance in network traffic management.
Read Part I: Cloud-Based FortiGuard Web Filtering Services

[...] Part II: Web Filtering: Controlling The Flow Author bio: Michael Xie, founder, CTO and vice president of engineering for Fortinet, has been in [...]
Michael,
Can you provide us with the details on how to set up time quotas? Thanks!
I’ve included a link to a screenshot of the GUI. The quotas are all on the right side of the page. The quota radios (round check boxes) are only enabled if a category is set to allow, and the time is only enabled if the category is set to enable quota.
I hope this helps.
http://blog.fortinet.com/wp-content/uploads/2010/02/FtgdQuotaGui.png
Very good question, and you’re close. Each user will have one category count down at a time. They would be able to spend an hour on gaming, two hours on Facebook, etc. They could mix it up too, five minutes on gaming, later 10 minutes on Facebook, and the quota monitor will keep track of that. The granularity of the quotas is down to seconds.
It is possible to configure so that they can have one hour total for a grouping of categories. The groupings are pre-defined:
Potentially Liable, Controversial, Potentially Non-Productive, Potentially Bandwidth Consuming, Potentially Security Violating, General Interest, Business Oriented, Others
Most of the categories that you might want to quota would be in either General Interest, Potentially Non-Productive, or Potentially Bandwidth Consuming.
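The quota accounting described in the reply above, modelled as an added Python example; it is not Fortinet code and not part of the original comment. The `QuotaMonitor` class, the category names, their group mapping, and the rule that a category's own quota takes precedence over its group's are assumptions made for illustration.

```python
from datetime import date

# Constructed mapping for illustration; real FortiGuard category membership may differ.
GROUP_OF = {
    "Games": "Potentially Non-Productive",
    "Social Networking": "General Interest",
    "News": "General Interest",
}

class QuotaMonitor:
    """Per-user daily time quotas in seconds, keyed by category or by category group."""

    def __init__(self, quotas):
        self.quotas = dict(quotas)  # quota key (category or group name) -> seconds per day
        self.used = {}              # (user, day, quota key) -> seconds consumed

    def _key(self, category):
        # Assumption: a category's own quota wins; otherwise it shares its group's quota.
        if category in self.quotas:
            return category
        group = GROUP_OF.get(category)
        return group if group in self.quotas else None

    def remaining(self, user, category, day):
        key = self._key(category)
        if key is None:
            return None             # no quota applies, so the category is not time-limited
        return self.quotas[key] - self.used.get((user, day, key), 0)

    def browse(self, user, category, day, seconds):
        """Charge a browsing interval and return the seconds actually allowed."""
        left = self.remaining(user, category, day)
        if left is None:
            return seconds
        granted = max(0, min(seconds, left))
        slot = (user, day, self._key(category))
        self.used[slot] = self.used.get(slot, 0) + granted
        return granted              # granted < seconds means the quota ran out mid-interval

def demo():
    day1, day2 = date(2010, 2, 1), date(2010, 2, 2)  # constructed dates
    mon = QuotaMonitor({"Games": 3600, "General Interest": 7200})
    return [
        mon.browse("alice", "Games", day1, 300),              # five minutes of gaming
        mon.browse("alice", "Social Networking", day1, 600),  # charged to the group quota
        mon.browse("alice", "News", day1, 7000),              # same group, 6600 s left
        mon.browse("alice", "Games", day1, 4000),             # 3300 s left of the hour
        mon.browse("alice", "Games", day2, 4000),             # next day, quota reset
    ]

if __name__ == "__main__":
    print(demo())
```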
Michael, I really liked upcoming time-based quotas. But how are they summed up? What will happen if I specify 1 hour for gaming, 2 for social networks, 3 for news etc. Does it mean that user can start day with one hour of gaming, then continue with 2 hours on Facebook, then go to a news site… Is there a way to say that I have 10 categories and user can spend one hour a day for all of them?