
CLI Reference

7.2.1

config webfilter profile


Configure Web filter profiles.

Syntax

config webfilter profile
    edit <name>
        set comment {var-string}
        set extended-log [enable|disable]
        config ftgd-wf
            Description: FortiGuard Web Filter settings.
            set exempt-quota {user}
            config filters
                Description: FortiGuard filters.
                edit <id>
                    set action [block|authenticate|...]
                    set auth-usr-grp <name1>, <name2>, ...
                    set category {integer}
                    set log [enable|disable]
                    set override-replacemsg {string}
                    set warn-duration {user}
                    set warning-duration-type [session|timeout]
                    set warning-prompt [per-domain|per-category]
                next
            end
            set max-quota-timeout {integer}
            set options {option1}, {option2}, ...
            set ovrd {user}
            config quota
                Description: FortiGuard traffic quota settings.
                edit <id>
                    set category {user}
                    set duration {user}
                    set override-replacemsg {string}
                    set type [time|traffic]
                    set unit [B|KB|...]
                    set value {integer}
                next
            end
            set rate-crl-urls [disable|enable]
            set rate-css-urls [disable|enable]
            set rate-javascript-urls [disable|enable]
        end
        set https-replacemsg [enable|disable]
        set log-all-url [enable|disable]
        set options {option1}, {option2}, ...
        config override
            Description: Web Filter override settings.
            set ovrd-cookie [allow|deny]
            set ovrd-dur {user}
            set ovrd-dur-mode [constant|ask]
            set ovrd-scope [user|user-group|...]
            set ovrd-user-group <name1>, <name2>, ...
            set profile <name1>, <name2>, ...
            set profile-attribute [User-Name|NAS-IP-Address|...]
            set profile-type [list|radius]
        end
        set post-action [normal|block]
        set replacemsg-group {string}
        config web
            Description: Web content filtering settings.
            set bword-table {integer}
            set bword-threshold {integer}
            set content-header-list {integer}
            set urlfilter-table {integer}
        end
        set web-content-log [enable|disable]
        set web-filter-command-block-log [enable|disable]
        set web-filter-cookie-log [enable|disable]
        set web-ftgd-err-log [enable|disable]
        set web-ftgd-quota-usage [enable|disable]
        set web-invalid-domain-log [enable|disable]
        set web-url-log [enable|disable]
    next
end

Parameters

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| comment | Optional comments. | var-string | Maximum length: 255 | |
| extended-log | Enable/disable extended logging for web filtering. Values: enable (Enable setting); disable (Disable setting). | option | - | disable |
| https-replacemsg | Enable replacement messages for HTTPS. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| log-all-url | Enable/disable logging all URLs visited. Values: enable (Enable setting); disable (Disable setting). | option | - | disable |
| name | Profile name. | string | Maximum length: 35 | |
| options | Options. Values: activexfilter (ActiveX filter); cookiefilter (Cookie filter); javafilter (Java applet filter); block-invalid-url (Block sessions that contain an invalid domain name); jscript (JavaScript block); js (JS block); vbs (VB script block); unknown (Unknown script block); intrinsic (Intrinsic script block); wf-referer (Referring block); wf-cookie (Cookie block). | option | - | |
| post-action | Action taken for HTTP POST traffic. Values: normal (Normal, POST requests are allowed); block (POST requests are blocked). | option | - | normal |
| replacemsg-group | Replacement message group. | string | Maximum length: 35 | |
| web-content-log | Enable/disable logging blocked web content. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| web-filter-command-block-log | Enable/disable logging blocked commands. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| web-filter-cookie-log | Enable/disable logging cookie filtering. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| web-ftgd-err-log | Enable/disable logging rating errors. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| web-ftgd-quota-usage | Enable/disable logging daily quota usage. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| web-invalid-domain-log | Enable/disable logging invalid domain names. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| web-url-log | Enable/disable logging URL filtering. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |

config ftgd-wf

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| exempt-quota | Do not stop quota for these categories. | user | Not Specified | 17 |
| max-quota-timeout | Maximum FortiGuard quota used by single page view in seconds (excludes streams). | integer | Minimum value: 1 Maximum value: 86400 | 300 |
| options | Options for FortiGuard Web Filter. Values: error-allow (Allow web pages with a rating error to pass through); rate-server-ip (Rate the server IP in addition to the domain name); connect-request-bypass (Bypass connection which has CONNECT request); ftgd-disable (Disable FortiGuard scanning). | option | - | |
| ovrd | Allow web filter profile overrides. | user | Not Specified | |
| rate-crl-urls | Enable/disable rating CRL by URL. Values: disable (Disable rating CRL by URL); enable (Enable rating CRL by URL). | option | - | enable |
| rate-css-urls | Enable/disable rating CSS by URL. Values: disable (Disable rating CSS by URL); enable (Enable rating CSS by URL). | option | - | enable |
| rate-javascript-urls | Enable/disable rating JavaScript by URL. Values: disable (Disable rating JavaScript by URL); enable (Enable rating JavaScript by URL). | option | - | enable |

config filters

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| action | Action to take for matches. Values: block (Block access); authenticate (Authenticate user before allowing access); monitor (Allow access while logging the action); warning (Allow access after warning the user). | option | - | monitor |
| auth-usr-grp <name> | Groups with permission to authenticate. User group name. | string | Maximum length: 79 | |
| category | Categories and groups the filter examines. | integer | Minimum value: 0 Maximum value: 255 | 0 |
| id | ID number. | integer | Minimum value: 0 Maximum value: 255 | 0 |
| log | Enable/disable logging. Values: enable (Enable setting); disable (Disable setting). | option | - | enable |
| override-replacemsg | Override replacement message. | string | Maximum length: 28 | |
| warn-duration | Duration of warnings. | user | Not Specified | 5m |
| warning-duration-type | Re-display warning after closing browser or after a timeout. Values: session (After session ends); timeout (After timeout occurs). | option | - | timeout |
| warning-prompt | Warning prompts in each category or each domain. Values: per-domain (Per-domain warnings); per-category (Per-category warnings). | option | - | per-category |

config quota

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| category | FortiGuard categories to apply quota to (category action must be set to monitor). | user | Not Specified | |
| duration | Duration of quota. | user | Not Specified | 5m |
| id | ID number. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| override-replacemsg | Override replacement message. | string | Maximum length: 28 | |
| type | Quota type. Values: time (Use a time-based quota); traffic (Use a traffic-based quota). | option | - | time |
| unit | Traffic quota unit of measurement. Values: B (Quota in bytes); KB (Quota in kilobytes); MB (Quota in megabytes); GB (Quota in gigabytes). | option | - | MB |
| value | Traffic quota value. | integer | Minimum value: 1 Maximum value: 4294967295 | 1024 |

config override

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| ovrd-cookie | Allow/deny browser-based (cookie) overrides. Values: allow (Allow browser-based (cookie) override); deny (Deny browser-based (cookie) override). | option | - | deny |
| ovrd-dur | Override duration. | user | Not Specified | 15m |
| ovrd-dur-mode | Override duration mode. Values: constant (Constant mode); ask (Prompt for duration when initiating an override). | option | - | constant |
| ovrd-scope | Override scope. Values: user (Override for the user); user-group (Override for the user's group); ip (Override for the initiating IP); browser (Create browser-based (cookie) override); ask (Prompt for scope when initiating an override). | option | - | user |
| ovrd-user-group <name> | User groups with permission to use the override. User group name. | string | Maximum length: 79 | |
| profile <name> | Web filter profile with permission to create overrides. Web profile. | string | Maximum length: 79 | |
| profile-attribute | Profile attribute to retrieve from the RADIUS server. Values (each described as "Use this attribute."): User-Name; NAS-IP-Address; Framed-IP-Address; Framed-IP-Netmask; Filter-Id; Login-IP-Host; Reply-Message; Callback-Number; Callback-Id; Framed-Route; Framed-IPX-Network; Class; Called-Station-Id; Calling-Station-Id; NAS-Identifier; Proxy-State; Login-LAT-Service; Login-LAT-Node; Login-LAT-Group; Framed-AppleTalk-Zone; Acct-Session-Id; Acct-Multi-Session-Id. | option | - | Login-LAT-Service |
| profile-type | Override profile type. Values: list (Profile chosen from list); radius (Profile determined by RADIUS server). | option | - | list |

config web

| Parameter | Description | Type | Size | Default |
| --- | --- | --- | --- | --- |
| bword-table | Banned word table ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| bword-threshold | Banned word score threshold. | integer | Minimum value: 0 Maximum value: 2147483647 | 10 |
| content-header-list | Content header list. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| urlfilter-table | URL filter table ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
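
An added example, not part of Fortinet's reference: a Python check that walks a configuration in the syntax above and reports web filter profile settings that weaken filtering or logging. The sample configuration, its profile names and category ID, and the RISKY policy table are assumptions of this example; only setting names and values documented on this page are used.

```python
import shlex

# Constructed sample in the layout of FortiOS "show" output; names and IDs are made up.
SAMPLE = """
config webfilter profile
    edit "guest-wifi"
        config ftgd-wf
            set options error-allow connect-request-bypass
            config filters
                edit 1
                    set category 26
                    set action monitor
                    set log disable
                next
            end
        end
        config override
            set ovrd-cookie allow
        end
        set web-url-log disable
    next
    edit "staff"
        config ftgd-wf
            set options rate-server-ip
        end
    next
end
"""

# (enclosing config block, setting, value) -> reason. This policy is the example's assumption.
RISKY = {
    ("ftgd-wf", "options", "error-allow"): "pages with a rating error pass through",
    ("ftgd-wf", "options", "connect-request-bypass"): "CONNECT requests bypass the filter",
    ("ftgd-wf", "options", "ftgd-disable"): "FortiGuard scanning is disabled",
    ("override", "ovrd-cookie", "allow"): "browser-based (cookie) overrides allowed",
    ("filters", "log", "disable"): "category filter matches are not logged",
    ("webfilter profile", "web-url-log", "disable"): "URL filtering is not logged",
}

def audit(config_text):
    """Return (profile, block/setting, value, reason) findings in file order."""
    stack, findings = [], []  # frames: ("config", block name) or ("edit", entry name)
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote, e.g. inside a multi-line string value
            tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and len(stack) >= 2 and stack[0] == ("config", "webfilter profile"):
            block = [name for kind, name in stack if kind == "config"][-1]
            for value in tok[2:]:
                reason = RISKY.get((block, tok[1], value.rstrip(",")))
                if reason:
                    findings.append((stack[1][1], f"{block}/{tok[1]}", value.rstrip(","), reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-12s %-32s %-24s %s" % finding)
```

The check only sees settings that are written out in the text it is given; for a setting that does not appear, compare against the Default column in the tables above.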
