Web Filter
Web Filter XML configurations are contained in the <webfilter></webfilter> tags.
There are two main sections:
- General options
- Profiles
Configuration elements that affect the whole of the web filtering service.
Defines one or more rules that are applied to network traffic.
<forticlient_configuration>
<webfilter>
<enable_filter>1</enable_filter>
<enabled>1</enabled>
<current_profile>0</current_profile>
<partial_match_host>0</partial_match_host>
<disable_when_managed>0</disable_when_managed>
<max_violations>250</max_violations>
<max_violations_age>7</max_violations_age>
<block_malicious_websites>1</block_malicious_websites>
<bypass_private_ip>1</bypass_private_ip>
<browser_read_time_threshold>180</browser_read_time_threshold>
<https_block_method>0</https_block_method>
<profiles>
<profile>
<id>999</id>
<use_exclusion_list>1</use_exclusion_list>
</profile>
<profile>
<id>0</id>
<cate_ver>6</cate_ver>
<description>deny</description>
<name>deny</name>
<temp_whitelist_timeout>300</temp_whitelist_timeout>
<log_all_urls>1</log_all_urls>
<log_user_initiated_traffic>1</log_user_initiated_traffic>
<categories>
<fortiguard>
<enabled>1</enabled>
<url>fgd1.fortigate.com</url>
<rate_ip_addresses>1</rate_ip_addresses>
<action_when_unavailable>deny</action_when_unavailable>
</fortiguard>
<category>
<id>1</id>
<action>deny</action>
</category>
<category>
<id>2</id>
<action>deny</action>
</category>
<category>
<id>3</id>
<action>deny</action>
</category>
<category>
<id>4</id>
<action>deny</action>
</category>
<category>
<id>5</id>
<action>deny</action>
</category>
</categories>
<urls>
<url>
<address>
<![CDATA[www.777.com]]>
</address>
<type>simple</type>
<action>deny</action>
</url>
<url>
<address>
<![CDATA[www.fortinet.com]]>
</address>
<type>simple</type>
<action>allow</action>
</url>
</urls>
<safe_search>
<enabled>0</enabled>
<search_engines>
<enabled>0</enabled>
</search_engines>
<youtube_education_filter>
<enabled>0</enabled>
<filter_id>
<![CDATA[]]>
</filter_id>
</youtube_education_filter>
</safe_search>
</profile>
</profiles>
</webfilter>
</forticlient_configuration>
The following table provides the XML tags for Web Filter, as well as the descriptions and default values where applicable.
|
XML Tag |
Description |
Default Value |
|---|---|---|
|
<enable_filter> |
Enable or disable Web Filtering. Boolean value: |
1 |
|
<enabled> |
Enable or disable FortiGuard querying service. Boolean value: |
1 |
|
<current_profile> |
Currently selected profile ID (optional). The default is 0 when FortiClient is standalone. If using the advanced configuration on the FortiGate (for Endpoint Control), set this to 1000. The value should always match the <profile><id> selected. |
|
|
<partial_match_host> |
A hostname that is a substring of the specified path is treated as a full match. Boolean value: |
0 |
|
<disable_when_managed> |
If set to 1 (true), Web Filtering is disabled when FortiClient is connected to a FortiGate using Endpoint Control. Boolean: |
|
|
<max_violations> |
Maximum number of violations stored at any one. A number from 250 to 5000. |
5000 |
|
<max_violation_age> |
Maximum age in days of a violation record before it is culled. A number from 1 to 90. |
90 |
|
<block_malicious_websites> |
Configure whether to block web sites with security risk categories (group 5). When this setting is Boolean: |
|
|
<bypass_private_ip> |
Enable or disable bypassing private IP addresses. This feature is enabled by default. Boolean: |
1 |
|
<browser_read_time_threshold> |
Configure the threshold in seconds for web browser to be considered idle. When a web browser is idle more than the threshold, the web browser is considered idle, and time is not calculated. |
90 |
|
<https_block_method> |
Control how FortiClient behaves when Web Filtering blocks an HTTPS site:
|
0 |
|
|
||
|
<url> |
IP address or FQDN of the FortiGuard server. |
fgd1.fortigate.com |
|
<enabled> |
Enable or disable use of FortiGuard servers. Boolean value: |
1 |
|
<rate_ip_addresses> |
Rate IP addresses. Boolean value: |
1 |
|
<action_when_unavailable> |
Configure the action to take with all websites when FortiGuard is temporarily unavailable. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:
|
deny |
|
|
||
|
<enabled> |
Enable or disable SafeSearch. Boolean value: |
|
|
|
||
|
<enabled> |
Enable or disable SafeSearch for the predefined search engines. Boolean value: |
|
The <profiles> XML element may have one or more profiles, defined in the <profile> tag. Each <profile>, in turn, has one or more <category>, <url> and <safe_search> tags, along with other elements.
The following table provides profile XML tags, the description, and the default value (where applicable).
|
XML Tag |
Description |
Default Value |
|---|---|---|
|
|
||
|
<id> |
Unique ID. A number to define the profile. |
|
|
<cate_ver> |
FortiGuard category version used in this profile. A number. |
6 |
|
<description> |
Summary describing this profile. |
|
|
<name> |
A descriptive name for the profile. |
|
|
<temp_whitelist_timeout> |
The duration, in seconds, of a bypass that is applied to a page that generated a warning, but for which the user selected continue. |
300 |
|
<log_all_urls> |
Configure whether to log all URLs. When this setting is Boolean value: |
|
|
<log_user_initiated_traffic> |
Configure what traffic to record. When this setting is Boolean value: |
|
|
|
||
|
<id> |
Unique ID. A number. The valid set of category IDs is predefined, and is listed in exported configuration files. |
|
|
<action> |
Action to perform on matching network traffic. Select one of the following:
|
|
|
|
||
|
<address> |
The web address in which <![CDATA[www.777.com]]> |
|
|
<action> |
Action to perform on matching network traffic. Select either: |
|
The <safe_search> element has two main components:
- Search engines
<search_engines> - YouTube education filter
<youtube_education_filter>
Users may define safe search parameters for each of the popular search engines: Bing and Yandex. Subsequent use of the engines for web searches have SafeSearch enabled.
Educational institutions with valid YouTube education ID can provide this in the <youtube_education_filter> element to restrict YouTube contents appropriately.
The following table provides profile XML tags and the description. See the <safe_search> listing in the previous pages for examples of each tag.
|
XML Tag |
Description |
Default Value |
|---|---|---|
|
|
||
|
<name> |
Name of the SafeSearch profile. |
|
|
<host> |
The FQDN of the search engine. FortiClient monitors attempts to visit this address. |
|
|
<url> |
The URL substring to match or monitor, along with the FQDN. |
|
|
<query> |
The query string appended to the URL. |
|
|
<safe_search_string> |
The correct safe search string appended to the URL for the specified engine. |
|
|
<cookie_name> |
The name of the cookie to send the search engine. |
|
|
<cookie_value> |
The cookie value to send the search engine. |
|
|
|
||
|
<enabled> |
Enable YouTube education filter. Boolean value: |
|
|
<filter_id> |
The institutions education identifier. |
|
Other than the <name> and <enabled> elements, the values for each of the elements in the previous table should be wrapped in <![CDATA[]]> XML tags. Here is an example for a <host> element taken from the <safe_search> listing.
<host><![CDATA[yandex\..*]]></host>
See Manage your YouTube settings for more information on YouTube for schools and the education filter.
The following is a list of all Web Filter categories including the category <id> and category name:
0 ==> Unrated
1 ==> Drug Abuse
2 ==> Alternative Beliefs
3 ==> Hacking
4 ==> Illegal or Unethical
5 ==> Discrimination
6 ==> Explicit Violence
7 ==> Abortion
8 ==> Other Adult Materials
9 ==> Advocacy Organizations
11 ==> Gambling
12 ==> Extremist Groups
13 ==> Nudity and Risque
14 ==> Pornography
15 ==> Dating
16 ==> Weapons (Sales)
17 ==> Advertising
18 ==> Brokerage and Trading
19 ==> Freeware and Software Downloads
20 ==> Games
23 ==> Web-based Email
24 ==> File Sharing and Storage
25 ==> Streaming Media and Download
26 ==> Malicious Websites
28 ==> Entertainment
29 ==> Arts and Culture
30 ==> Education
31 ==> Finance and Banking
33 ==> Health and Wellness
34 ==> Job Search
35 ==> Medicine
36 ==> News and Media
37 ==> Social Networking
38 ==> Political Organizations
39 ==> Reference
40 ==> Global Religion
41 ==> Search Engines and Portals
42 ==> Shopping
43 ==> General Organizations
44 ==> Society and Lifestyles
46 ==> Sports
47 ==> Travel
48 ==> Personal Vehicles
49 ==> Business
50 ==> Information and Computer Security
51 ==> Government and Legal Organizations
52 ==> Information Technology
53 ==> Armed Forces
54 ==> Dynamic Content
55 ==> Meaningless Content
56 ==> Web Hosting
57 ==> Marijuana
58 ==> Folklore
59 ==> Proxy Avoidance
61 ==> Phishing
62 ==> Plagiarism
63 ==> Sex Education
64 ==> Alcohol
65 ==> Tobacco
66 ==> Lingerie and Swimsuit
67 ==> Sports Hunting and War Games
68 ==> Web Chat
69 ==> Instant Messaging
70 ==> Newsgroups and Message Boards
71 ==> Digital Postcards
72 ==> Peer-to-peer File Sharing
75 ==> Internet Radio and TV
76 ==> Internet Telephony
77 ==> Child Education
78 ==> Real Estate
79 ==> Restaurant and Dining
80 ==> Personal Websites and Blogs
81 ==> Secure Websites
82 ==> Content Servers
83 ==> Child Abuse
84 ==> Web-based Applications
85 ==> Domain Parking
86 ==> Spam URLs
88 ==> Dynamic DNS
89 ==> Auction
90 ==> Newly Observed Domain
91 ==> Newly Registered Domain
92 ==> Charitable Organizations
93 ==> Remote Access
94 ==> Web Analytics
95 ==> Online Meeting