05-03-2021 06:49 PM
Due to the pandemic, our District’s high schools are moving to a paperless ticketing system for High School games. A 410C access point was mounted on the outside of the ticketing booth - I am trying to create a network that allows parents to connect to the internet but only allow access to ONE specific site (the ticketing site - gofan.co).
I am having some trouble accomplishing this through the IP Firewall Policies and wanted to reach out here to see if anyone had some ideas.
We currently have FortiNAC deployed which typically allows guest registration on a normal basis, but to avoid any registration issues during games when IT may not be available, I created a separate SSID for the ticketing booth with a simple PSK that parents will be able to connect to easily while in line. I have the user profile dropping clients on the same VLAN our normal guests connect to but wouldn’t be opposed to creating a new VLAN for the ticketing site if that would make the desired result easier to achieve. Thanks for your time in advance and for any ideas you may share.
Matt
05-03-2021 08:15 PM
Thank you for letting me know. I ran this past some XIQ technicians and they confirmed that is all we should have to do, but we would need to narrow down the IP scope the site is using to do this effectively.
They recommended using a content filter for this instead, partially due to needing the IP scope, and partially because the APs will slow down significantly if they have to do any heavy filtering, and blocking all traffic minus one site is potentially heavy filtering. I’m sorry I don’t have better news for you here, but you are setting it up correctly.
05-03-2021 07:24 PM
Yeah - I am getting different results here:
I can try to reference the IP address above in the firewall policy but I think the IP address will change... I am not sure how many IPs the site actually has... I don’t know a way to capture them all with one object other than being able to reference the hostname / URL itself.
05-03-2021 07:19 PM
I just pinged gofan.co from my AP230, but you might be able to get a better idea of the IP scope for that site from a packet capture?
05-03-2021 07:17 PM
Hi Sam,
Thanks for the quick reply - I had created an IP Firewall Policy very similar to the one you shared; see the attached photo. The only difference is that I created a HOSTNAME object pointing to “gofan.co” and referenced that object in my FW Policy... That didn’t work for me (obviously lol). When I tried to resolve the IP address of gofan.co, I only saw 54.206.XXX.XXX addresses and figured that was an AWS link and it would have the possibility of changing so I didn’t think to reference that IP. Where did you get the 13.226.93.113 address from? Thanks in advance!
05-03-2021 07:06 PM
Hi Matt, I’d recommend creating a user profile IP firewall policy along these lines:
This is a variation of the guest internet access only default IP firewall object. The rules are applied to any traffic from the top down, so this firewall will allow DHCP traffic, allow DNS traffic, deny any internal network address request, allow access to gofan.co (13.226.93.113), and deny all other requests for traffic destinations.
You don’t have to create a new VLAN for this traffic if you don’t want to; the rules will still apply to any traffic coming through that SSID and others on the same VLAN will not be affected. Is that what you were looking for?
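The rule ordering Sam describes (DHCP, DNS, deny internal, allow the ticketing site, deny everything else) and the objection raised later in the thread (a single resolved address for a CDN-hosted site is fragile) can both be seen in a small first-match model. The following is an added example written for this thread; it is not code from ExtremeCloud IQ, the AP firmware, or either poster, and it does not reproduce the AP's real policy engine. The destination addresses, ports and the `54.206.0.0/16` range are constructed for illustration; only `13.226.93.113` and the `54.206.x.x` prefix are quoted from the thread.

```python
"""First-match model of the user-profile IP firewall policy discussed above.

Added example, not the AP's real engine. Rules are evaluated top down and the
first match wins, which is why the DNS allow sits above the internal deny
(the DNS server handed out by DHCP is usually an internal address) and why
the catch-all deny must be last.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges, standing in for "deny any internal network address request".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    dst: str    # destination IP address (constructed sample values below)
    proto: str  # "udp" or "tcp"
    dport: int  # destination port


def is_dhcp(p: Packet) -> bool:
    return p.proto == "udp" and p.dport in (67, 68)


def is_dns(p: Packet) -> bool:
    return p.dport == 53 and p.proto in ("udp", "tcp")


def is_internal(p: Packet) -> bool:
    addr = ipaddress.ip_address(p.dst)
    return any(addr in net for net in RFC1918)


def to_allowed_site(allowed_prefixes):
    """Build a matcher for the 'allow the ticketing site' rule from IP prefixes."""
    nets = [ipaddress.ip_network(a) for a in allowed_prefixes]

    def match(p: Packet) -> bool:
        addr = ipaddress.ip_address(p.dst)
        return any(addr in n for n in nets)

    return match


def build_policy(allowed_prefixes):
    # Same order as the reply: DHCP, DNS, deny internal, allow site, deny all.
    return [
        ("allow-dhcp", is_dhcp, "permit"),
        ("allow-dns", is_dns, "permit"),
        ("deny-internal", is_internal, "deny"),
        ("allow-ticketing-site", to_allowed_site(allowed_prefixes), "permit"),
        ("deny-all", lambda p: True, "deny"),
    ]


def evaluate(policy, packet: Packet):
    """Return (rule_name, action) for the first rule that matches, top down."""
    for name, match, action in policy:
        if match(packet):
            return name, action
    raise AssertionError("policy must end with a catch-all rule")


def demo():
    # Policy pinned to the single address quoted in the thread.
    narrow = build_policy(["13.226.93.113/32"])
    results = {
        "dhcp": evaluate(narrow, Packet("255.255.255.255", "udp", 67)),
        "dns_to_internal_server": evaluate(narrow, Packet("10.1.1.1", "udp", 53)),
        "internal_web": evaluate(narrow, Packet("10.1.5.20", "tcp", 443)),
        "ticketing_pinned_ip": evaluate(narrow, Packet("13.226.93.113", "tcp", 443)),
        "unrelated_site": evaluate(narrow, Packet("93.184.216.34", "tcp", 443)),
        # The site answering from another CDN address (constructed 54.206.x.x
        # value, the prefix Matt reported) is dropped by the catch-all.
        "ticketing_other_ip": evaluate(narrow, Packet("54.206.1.1", "tcp", 443)),
    }
    # Widening the object to the observed ranges fixes that case, at the cost of
    # also permitting anything else hosted inside those ranges.
    wide = build_policy(["13.226.93.113/32", "54.206.0.0/16"])
    results["ticketing_other_ip_wide"] = evaluate(wide, Packet("54.206.1.1", "tcp", 443))
    return results


if __name__ == "__main__":
    for case, (rule, action) in demo().items():
        print(f"{case:26} -> {action:6} ({rule})")
```

The two `ticketing_other_ip` cases are the practical caveat from the later replies: a hostname that resolves to a shifting set of CDN addresses cannot be pinned to one `/32` without breaking whenever DNS returns a different address, and widening to whole cloud-provider prefixes permits far more than the one site. That is why the XIQ technicians pointed at a content filter (which matches on the requested name rather than on a resolved address) instead of a destination-IP rule.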