FortiGate
scheehan_FTNT
Article Id 189644

Description

This article gives an example of how to allow users temporary access to a social media site during a particular time slot. At the end of the scheduled time, active sessions should be cleared.

The following example allows users to access http://www.facebook.com during weekday lunch time (13:00 - 14:00).


Solution

Configuration example

1) Create a web filter profile that allows the website.

config webfilter profile
    edit "allow_facebook"
        set options activexfilter cookiefilter javafilter block-invalid-url
        config override
            set ovrd-user-group ""
        end
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 140
                next
                edit 2
                    set category 141
                next
            end
        end
    next
end

config webfilter urlfilter
    edit 1
        set name "allow_facebook"
        config entries
            edit 1
                set url "www.facebook.com"
            next
        end
    next
end

2) Create the schedule time window.

config firewall schedule recurring
    edit "lunchtime"
        set start 12:55
        set end 13:55
        set day monday tuesday wednesday thursday friday
    next
end

3) Assign the web filter profile and the schedule to a firewall policy, and position that policy at the top of the policy list.

4) Enable the schedule-timeout option on the policy so that sessions still active under the schedule are forcibly terminated when the schedule stop time is reached, instead of being left to age out on their own.

config firewall policy
    edit 2
        set srcintf "port9"
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "lunchtime"
        set schedule-timeout enable
        set service "ALL"
        set utm-status enable
        set av-profile "av-scan-flow"
        set webfilter-profile "allow_facebook"
        set ips-sensor "protect_client"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    edit 1
        set srcintf "port9"
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "protect_client"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

Verification

The session list shows that traffic to the site is matched by the scheduled policy (policy_id=2 in the output below):

# diag sys session list

session info: proto=6 proto_state=11 duration=0 expire=311 timeout=3600 flags=00000000 sockflag=00000000 sockport=80 av_idx=1 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=redir local may_dirty ndr hlife
statistic(bytes/packets/allow_err): org=754/4/1 reply=627/3/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=36->3/3->36 gwy=192.18.17.254/10.18.0.150
hook=post dir=org act=snat 10.18.0.150:39801->198.41.207.97:80(192.18.16.182:39801)
hook=pre dir=reply act=dnat 198.41.207.97:80->192.18.16.182:39801(10.18.0.150:39801)
hook=post dir=reply act=noop 198.41.207.97:80->10.18.0.150:39801(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00032bea tos=ff/ff ips_view=2 app_list=2001 app=0
dd_type=0 dd_mode=0
npu_state=0x000400
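As an added example that is not part of this article or Fortinet's own tooling, the following Python script encodes the recurring schedule from step 2 and parses a `diag sys session list` dump, flagging sessions that were matched by the scheduled policy (policy 2) but are still present after the schedule window has closed. With schedule-timeout enabled, that list should be empty once the stop time has passed; a non-empty result means the sessions are being allowed to age out on their own, or that the scheduled policy is not the one matching the traffic. The sample dump reuses the session shown above plus a second, constructed session matched by policy 1; the field names parsed are those visible in the output, and the assumption that the end time is exclusive is a simplification for the check.

```python
"""Check FortiGate session output against a recurring schedule.

Added example, not Fortinet code. Assumes the "lunchtime" schedule and
policy id 2 from the article; the session dump is a constructed sample
modelled on `diag sys session list` output.
"""
import re
from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

# Recurring schedule as configured in step 2 of the article.
LUNCHTIME = {
    "days": {"monday", "tuesday", "wednesday", "thursday", "friday"},
    "start": time(12, 55),
    "end": time(13, 55),
}
SCHEDULED_POLICY_ID = 2  # the policy that references the "lunchtime" schedule

# Constructed sample dump: the first session is the one shown in the article
# (policy_id=2); the second is invented and matched by the always-on policy 1.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=11 duration=0 expire=311 timeout=3600 flags=00000000 sockflag=00000000 sockport=80 av_idx=1 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=redir local may_dirty ndr hlife
statistic(bytes/packets/allow_err): org=754/4/1 reply=627/3/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=36->3/3->36 gwy=192.18.17.254/10.18.0.150
hook=post dir=org act=snat 10.18.0.150:39801->198.41.207.97:80(192.18.16.182:39801)
hook=pre dir=reply act=dnat 198.41.207.97:80->192.18.16.182:39801(10.18.0.150:39801)
hook=post dir=reply act=noop 198.41.207.97:80->10.18.0.150:39801(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00032bea tos=ff/ff ips_view=2 app_list=2001 app=0
dd_type=0 dd_mode=0
npu_state=0x000400
session info: proto=6 proto_state=01 duration=42 expire=3558 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=1200/10/1 reply=3400/9/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=36->3/3->36 gwy=192.18.17.254/10.18.0.151
hook=post dir=org act=snat 10.18.0.151:50022->203.0.113.10:443(192.18.16.182:50022)
hook=pre dir=reply act=dnat 203.0.113.10:443->192.18.16.182:50022(10.18.0.151:50022)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00032bf0 tos=ff/ff ips_view=0 app_list=0 app=0
"""

# key=value pairs as they appear on the session lines (values contain no spaces)
KV_RE = re.compile(r"(\w+)=(\S+)")
# original-direction 5-tuple from the "hook=post dir=org" line
ORG_TUPLE_RE = re.compile(r"hook=post dir=org act=\w+ ([\d.]+):(\d+)->([\d.]+):(\d+)")


def schedule_active(schedule, when):
    """True if the recurring schedule covers the given datetime.

    End time is treated as exclusive (an assumption for this check).
    """
    if DAYS[when.weekday()] not in schedule["days"]:
        return False
    return schedule["start"] <= when.time() < schedule["end"]


def parse_sessions(dump):
    """Split a session dump into one dict per session with the fields we need."""
    sessions = []
    for block in re.split(r"(?m)^session info:", dump)[1:]:
        fields = dict(KV_RE.findall(block))
        m = ORG_TUPLE_RE.search(block)
        sessions.append({
            "proto": int(fields["proto"]),
            "duration": int(fields["duration"]),
            "expire": int(fields["expire"]),
            "timeout": int(fields["timeout"]),
            "policy_id": int(fields["policy_id"]),
            "src": (m.group(1), int(m.group(2))) if m else None,
            "dst": (m.group(3), int(m.group(4))) if m else None,
        })
    return sessions


def stale_scheduled_sessions(sessions, schedule, policy_id, now):
    """Sessions matched by the scheduled policy while the schedule is inactive.

    With schedule-timeout enabled these are cleared at the stop time, so any
    session returned here means the option is not in effect for that policy.
    """
    if schedule_active(schedule, now):
        return []
    return [s for s in sessions if s["policy_id"] == policy_id]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_DUMP)
    check_time = datetime(2024, 1, 8, 14, 0)  # a Monday, after the window
    for s in stale_scheduled_sessions(sessions, LUNCHTIME, SCHEDULED_POLICY_ID, check_time):
        print(f"still open outside schedule: {s['src']} -> {s['dst']} policy {s['policy_id']}")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the captured output and `check_time` with the current time on the FortiGate; during the window the function returns nothing regardless, so the meaningful run is shortly after the schedule stop time.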
