Overriding a web filter profile

In this recipe, one user is temporarily allowed to override a web filter profile in order to access sites that would otherwise be blocked. Web filtering blocks the Bandwidth Consuming category for all users, except those who can override the filter.

_{Find this recipe for other FortiOS versions:}_{5.2 | 5.4}

1. Enabling web filtering and multiple profiles
Go to System > Feature Select to enable Web Filter and Multiple Security Profiles. Apply changes if necessary.
2. Creating a user group and two users
Go to User & Device > User Groups. Create a new group for users who can override web filtering (in this example, web-filter-override).
Go to User & Device > User Definition to create two users (in this example, ckent and bwayne).


Assign ckent to the web-filter-override group, but not bwayne.
3. Creating a web filter profile and an override
Go to Security Profiles > Web Filter to create a new profile (block-bandwidth-consuming). Enable FortiGuard category based filter, then right-click Bandwidth Consuming and select Block.
Go to Security Profiles > Web Filter to enable Allow users to override blocked categories. Set Groups that can override to web-filter-override, Profile can switch to default, Switch applies to User Group, and Switch Duration to Ask.
4. Adding the new web filter profile to a security policy
Go to Policy & Objects > IPv4 Policy to edit the policy that allows connections from the internal network to the Internet. Set Source all, bwayne, and web-filter-override. Under Security Profiles, enable Web Filter and select the block-bandwidth-consuming profile.
5. Results
Browse to youtube.com, a website that is part of the Bandwidth Consuming category. Authenticate using the bwayne account. The website is blocked.
Go to Monitor > Firewall User Monitor and De-authenticate bwayne.
Browse to youtube.com again, this time authenticating the ckent account. You can access the website until the override expires.