Web Filter

Web Filter

For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter options.

Configuration		Description
Web Filter		Enable web filtering. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
General
Client Web Filtering When On-Net		Enable client web filtering when onnet. Only available for Windows and macOS profiles. This setting affects the Block Access to Malicious Websites setting in Malware Protection.
Log All URLs		Log all URLs. When this setting is disabled, FortiClient EMS only logs URLs as specified by per-category or per-URL settings.
Log User Initiated Traffic		Log only user-initiated traffic.
Show Bubble Notification When HTTPS Site Is Blocked		Show a bubble notification when Web Filter blocks an HTTPS site.
Enable Web Browser Plugin for HTTPS Web Filtering		Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. The web browser plugin is installed only for the Google Chrome browser on Windows platforms.
	Sync Mode	When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.
	Check User Initiated Traffic Only	Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.
Enable Safe Search		Enable Safe Search. When Safe Search is enabled, the endpoint's Google search is set to Restricted mode, and YouTube access is set to Strict Restricted access. To set YouTube access to Moderate Restricted or Unrestricted YouTube access, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.
Site Categories		Select to enable site categories from FortiGuard. When site categories are disabled, FortiClient is protected by the exclusion list. See the FortiGuard website for descriptions of the available categories and subcategories. For all categories below, you can configure an action for the entire site category by selecting one of the following: Block Warn Allow Monitor You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. Each site category's subcategories are listed below.
Adult/Mature Content		Abortion Advocacy Organizations Alcohol Alternative Beliefs Dating Gambling Lingerie and Swimsuit Marijuana Nudity and Risque Other Adult Materials Pornography Sex Education Sports Hunting and War Games Tobacco Weapons (Sales)
Bandwidth Consuming		File Sharing and Storage Freeware and Software Downloads Internet Radio and TV Internet Telephony Peer-to-peer File Sharing Streaming Media and Download
General Interest-Business		Armed Forces Business Charitable Organizations Finance and Banking General Organizations Government and Legal Organizations Information Technology Information and Computer Security Online Meeting Remote Access Search Engines and Portals Secure Websites Web Analytics Web Hosting Web-based Applications
General Interest-Personal		Advertising Arts and Culture Auction Brokerage and Trading Child Education Content Servers Digital Postcards Domain Parking Dynamic Content Education Entertainment Folklore Games Global Religion Health and Wellness Instant Messaging Job Search Meaningless Content Medicine News and Media Newsgroups and Message Boards Personal Privacy Personal Vehicles Personal Websites and Blogs Political Organizations Real Estate Reference Restaurant and Dining Shopping Social Networking Society and Lifestyles Sports Travel Web Chat Web-based Email
Potentially Liable		Child Abuse Discrimination Drug Abuse Explicit Violence Extremist Groups Hacking Illegal or Unethical Plagiarism Proxy Avoidance
Security Risk		Dynamic DNS Malicious Websites Newly Observed Domain Newly Registered Domain Phishing Spam URLs
Unrated
Rate IP Addresses		Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category will take precedence in determining the action. This will have the side effect that sometimes the Action is determined by the classification based on the domain name and other times it is determined by the classification that is based on the IP address. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed. An example of how this would work would be if a URL's rating based on the domain name indicated that it belonged in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight the effective action is Block.
Allow websites when rating error occurs		Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are: Block: Deny access to any websites. This may prevent endpoints from accessing captive portals. Warn: Display in-browser warning to user, with an option to proceed to the website Allow: Allow full, unfiltered access to all websites Monitor: Log the site access
Exclusion List
Action		Select one of the following actions: Allow Block Monitor
URL		Enter specific URLs to allow, block, or monitor.
Type		Select one of the following types: Simple Wildcard Regular Expression Wildcard characters and Perl Compatible Regular Expressions (PCRE) can be used.

Web Filter

For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter options.

Configuration		Description
Web Filter		Enable web filtering. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
General
Client Web Filtering When On-Net		Enable client web filtering when onnet. Only available for Windows and macOS profiles. This setting affects the Block Access to Malicious Websites setting in Malware Protection.
Log All URLs		Log all URLs. When this setting is disabled, FortiClient EMS only logs URLs as specified by per-category or per-URL settings.
Log User Initiated Traffic		Log only user-initiated traffic.
Show Bubble Notification When HTTPS Site Is Blocked		Show a bubble notification when Web Filter blocks an HTTPS site.
Enable Web Browser Plugin for HTTPS Web Filtering		Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. The web browser plugin is installed only for the Google Chrome browser on Windows platforms.
	Sync Mode	When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.
	Check User Initiated Traffic Only	Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.
Enable Safe Search		Enable Safe Search. When Safe Search is enabled, the endpoint's Google search is set to Restricted mode, and YouTube access is set to Strict Restricted access. To set YouTube access to Moderate Restricted or Unrestricted YouTube access, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.
Site Categories		Select to enable site categories from FortiGuard. When site categories are disabled, FortiClient is protected by the exclusion list. See the FortiGuard website for descriptions of the available categories and subcategories. For all categories below, you can configure an action for the entire site category by selecting one of the following: Block Warn Allow Monitor You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. Each site category's subcategories are listed below.
Adult/Mature Content		Abortion Advocacy Organizations Alcohol Alternative Beliefs Dating Gambling Lingerie and Swimsuit Marijuana Nudity and Risque Other Adult Materials Pornography Sex Education Sports Hunting and War Games Tobacco Weapons (Sales)
Bandwidth Consuming		File Sharing and Storage Freeware and Software Downloads Internet Radio and TV Internet Telephony Peer-to-peer File Sharing Streaming Media and Download
General Interest-Business		Armed Forces Business Charitable Organizations Finance and Banking General Organizations Government and Legal Organizations Information Technology Information and Computer Security Online Meeting Remote Access Search Engines and Portals Secure Websites Web Analytics Web Hosting Web-based Applications
General Interest-Personal		Advertising Arts and Culture Auction Brokerage and Trading Child Education Content Servers Digital Postcards Domain Parking Dynamic Content Education Entertainment Folklore Games Global Religion Health and Wellness Instant Messaging Job Search Meaningless Content Medicine News and Media Newsgroups and Message Boards Personal Privacy Personal Vehicles Personal Websites and Blogs Political Organizations Real Estate Reference Restaurant and Dining Shopping Social Networking Society and Lifestyles Sports Travel Web Chat Web-based Email
Potentially Liable		Child Abuse Discrimination Drug Abuse Explicit Violence Extremist Groups Hacking Illegal or Unethical Plagiarism Proxy Avoidance
Security Risk		Dynamic DNS Malicious Websites Newly Observed Domain Newly Registered Domain Phishing Spam URLs
Unrated
Rate IP Addresses		Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category will take precedence in determining the action. This will have the side effect that sometimes the Action is determined by the classification based on the domain name and other times it is determined by the classification that is based on the IP address. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed. An example of how this would work would be if a URL's rating based on the domain name indicated that it belonged in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight the effective action is Block.
Allow websites when rating error occurs		Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are: Block: Deny access to any websites. This may prevent endpoints from accessing captive portals. Warn: Display in-browser warning to user, with an option to proceed to the website Allow: Allow full, unfiltered access to all websites Monitor: Log the site access
Exclusion List
Action		Select one of the following actions: Allow Block Monitor
URL		Enter specific URLs to allow, block, or monitor.
Type		Select one of the following types: Simple Wildcard Regular Expression Wildcard characters and Perl Compatible Regular Expressions (PCRE) can be used.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

EMS Administration Guide

Web Filter

Web Filter

Web Filter