Fortinet white logo
Fortinet white logo

EMS Administration Guide

Web Filter

Web Filter

For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use Web Filter options.

Configuration

Description

Web Filter

Enable web filtering.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Scheduling

Enable to have Web Filter settings only take effect during the configured schedule. This feature functions based on the system time in EMS. Time changes on the endpoint do not affect this feature.

Days of Week

From the dropdown list, select the days of the week for the schedule.

All Day

If desired, enable All Day to schedule Web Filter settings to take effect all day long on the selected days of the week.

Start At

Select the desired time for the Web Filter settings to start on the selected days of the week. This option is unavailable if you select All Day.

End At

Select the desired time for the Web Filter settings to end on the selected days of the week. This option is unavailable if you select All Day.

Fallback Action

Select the desired action for Web Filter to take for web traffic outside of the scheduled times.

  • When you configure Fallback Action as Allow, FortiClient allows all web access on the endpoint, including categories that Web Filter is set to block during the schedule timeframe.

  • When you configure Fallback Action as Block, FortiClient blocks all web access on the endpoint, excluding URLs that you have configured to be allowed in the blocklist.

General

Enable WebFiltering on FortiClient

Select Always On to enable client web filtering when on-fabric.

Select Only When Endpoint is Off-Fabric to enable Web Filter on endpoints only when the endpoint is considered off-Fabric. See On-fabric Detection Rules.

Log All URLs

Log all URLs. When this setting is disabled, FortiClient only logs URLs as specified by per-category or per-URL settings. FortiClient only logs these logs locally or sends them to FortiAnalyzer if configured.

Log User Initiated Traffic

Log only user-initiated traffic.

Action On HTTPS Site Blocking

  • Display In-Browser Message
  • Fail Connection & Show Bubble Notification
  • Fail Connection

Enable Web Browser Plugin for HTTPS Web Filtering

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. EMS only installs the web browser plugin for the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on Windows platforms.

Sync Mode

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

Check User Initiated Traffic Only

Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.

Enable Safe Search

For Windows endpoints and Chromebooks, when enabling Safe Search, you can configure the Restriction Level to Strict or Moderate. This setting affects the content that endpoint users can access via YouTube and search engine, including Google and Bing. For Chromebooks, to set YouTube access to Unrestricted, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.

For macOS endpoints, enabling Safe Search sets the endpoint's Google search to Restricted mode and YouTube access to Strict Restricted access.

Enabling Safe Search adds records, including Yandex.ru, to the client device's hosts file in order to redirect search engine requests.

You can enable Safe Search on the Video Filter and Web Filter profiles. When Safe Search is enabled on both profiles, the more restrictive settings are applied to YouTube.

Enable HTTPS Deep Inspection

Toggle to enable or disable HTTPS deep inspection on FortiClient (macOS) and (Linux) endpoints. When HTTPS deep inspection is enabled, FortiClient can proxy HTTPS requests and rate whole HTTPS URL requests. Otherwise, FCT can only rate domain URLs for HTTPS requests.

Site Categories

Enable site categories from FortiGuard. When you disable site categories, the exclusion list protects FortiClient.

See the FortiGuard website for descriptions of the available categories and subcategories.

For all categories, you can configure an action for the entire site category by selecting one of the following:

  • Block
  • Warn
  • Allow
  • Monitor

You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The following lists each site category's subcategories.

Adult/Mature Content

  • Abortion
  • Advocacy Organizations
  • Alcohol
  • Alternative Beliefs
  • Dating
  • Gambling
  • Lingerie and Swimsuit
  • Marijuana
  • Nudity and Risque
  • Other Adult Materials
  • Pornography
  • Sex Education
  • Sports Hunting and War Games
  • Tobacco
  • Weapons (Sales)

Bandwidth Consuming

  • File Sharing and Storage
  • Freeware and Software Downloads
  • Internet Radio and TV
  • Internet Telephony
  • Peer-to-peer File Sharing
  • Streaming Media and Download

General Interest-Business

  • Armed Forces
  • Business
  • Charitable Organizations
  • Finance and Banking
  • General Organizations
  • Government and Legal Organizations
  • Information Technology
  • Information and Computer Security
  • Online Meeting
  • Remote Access
  • Search Engines and Portals
  • Secure Websites
  • Web Analytics
  • Web Hosting
  • Web-based Applications

General Interest-Personal

  • Advertising
  • Arts and Culture
  • Auction
  • Brokerage and Trading
  • Child Education
  • Content Servers
  • Digital Postcards
  • Domain Parking
  • Dynamic Content
  • Education
  • Entertainment
  • Folklore
  • Games
  • Global Religion
  • Health and Wellness
  • Instant Messaging
  • Job Search
  • Meaningless Content
  • Medicine
  • News and Media
  • Newsgroups and Message Boards
  • Personal Privacy
  • Personal Vehicles
  • Personal Websites and Blogs
  • Political Organizations
  • Real Estate
  • Reference
  • Restaurant and Dining
  • Shopping
  • Social Networking
  • Society and Lifestyles
  • Sports
  • Travel
  • Web Chat
  • Web-based Email

Potentially Liable

  • Child Sexual Abuse
  • Crypto Mining
  • Discrimination
  • Drug Abuse
  • Explicit Violence
  • Extremist Groups
  • Hacking
  • Illegal or Unethical
  • Plagiarism
  • Potentially Unwanted Program
  • Proxy Avoidance
  • Terrorism

Security Risk

  • Dynamic DNS
  • Malicious Websites
  • Newly Observed Domain
  • Newly Registered Domain
  • Phishing
  • Spam URLs
Unrated

Sites that FortiGuard categorizes as unrated.

If FortiClient receives an unrated IP address for specific cloud applications that FortiGuard categorizes as unrated, it may use the Internet Service Database (ISDB) as a backup. You can expand the Unrated category for cloud applications, and click Add to configure an action for selected cloud applications using ISDB. In the Add Cloud Application dialog, select the desired cloud application, configure the desired action, then click Add.

Rate IP Addresses

Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category takes precedence in determining the action. This has the side effect that sometimes the action is determined by the classification based on the domain name and other times it is determined by the classification that is based on the IP address.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed.

An example of how this works is if a URL's rating based on the domain name indicates that it belongs in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight, the effective action is Block.

Use HTTPS Rating Server

By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP protocol. You can instead enable Web Filter to send the requests via TCP protocol.

Allow websites when rating error occurs

Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:

  • Block: Deny access to any websites. This may prevent endpoints from accessing captive portals.
  • Warn: Display in-browser warning to user, with an option to proceed to the website
  • Allow: Allow full, unfiltered access to all websites
  • Monitor: Log the site access

FortiGuard Server Location

Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.

FortiClient connects to FortiGuard to query for URL ratings.

The URLs connected to for each server location are as follows:

  • FortiGuard:

    • Global: fgd1.fortigate.com

    • U.S.: usfgd1.fortigate.com

  • FortiGuard Anycast:

    • Global: fctguard.fortinet.net

    • U.S.: fctusguard.fortinet.net

    • Europe: fcteuguard.fortinet.net

Server

Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

Keyword Scanning on Search Engine

Use rating categories from FortiGuard to allow, block, or monitor searches for certain terms. This feature is only available for Chromebooks.

Banned Word Search

Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:

  • Violence/Terrorism
  • Extremist
  • Pornography
  • Cyber Bullying
  • Self Harm

Custom Banned Words

Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On.

You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.

The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.

Exclusion List

Adding more than 1000 exclusions is not recommended and can cause EMS instability.

Action

Select one of the following actions:

  • Allow
  • Block
  • Monitor

URL

Enter specific URLs to allow, block, or monitor. You can provide the full URL or only the domain name.

Referrer/Host

Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name.

If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action.

If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action.

This option is only available for Chromebooks.

Type

Select one of the following types:

  • Simple
  • Wildcard
  • Regular Expression

You can use wildcard characters and Perl Compatible Regular Expressions.

This field only applies to the value in the URL field and does not apply to the value in the Referrer/Host field.

Move this rule up/Move this rule down

Move the exclusion rule up or down in the list. If multiple exclusion rules are applicable, EMS applies the first applicable exclusion rule.

Web Filter

Web Filter

For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use Web Filter options.

Configuration

Description

Web Filter

Enable web filtering.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Scheduling

Enable to have Web Filter settings only take effect during the configured schedule. This feature functions based on the system time in EMS. Time changes on the endpoint do not affect this feature.

Days of Week

From the dropdown list, select the days of the week for the schedule.

All Day

If desired, enable All Day to schedule Web Filter settings to take effect all day long on the selected days of the week.

Start At

Select the desired time for the Web Filter settings to start on the selected days of the week. This option is unavailable if you select All Day.

End At

Select the desired time for the Web Filter settings to end on the selected days of the week. This option is unavailable if you select All Day.

Fallback Action

Select the desired action for Web Filter to take for web traffic outside of the scheduled times.

  • When you configure Fallback Action as Allow, FortiClient allows all web access on the endpoint, including categories that Web Filter is set to block during the schedule timeframe.

  • When you configure Fallback Action as Block, FortiClient blocks all web access on the endpoint, excluding URLs that you have configured to be allowed in the blocklist.

General

Enable WebFiltering on FortiClient

Select Always On to enable client web filtering when on-fabric.

Select Only When Endpoint is Off-Fabric to enable Web Filter on endpoints only when the endpoint is considered off-Fabric. See On-fabric Detection Rules.

Log All URLs

Log all URLs. When this setting is disabled, FortiClient only logs URLs as specified by per-category or per-URL settings. FortiClient only logs these logs locally or sends them to FortiAnalyzer if configured.

Log User Initiated Traffic

Log only user-initiated traffic.

Action On HTTPS Site Blocking

  • Display In-Browser Message
  • Fail Connection & Show Bubble Notification
  • Fail Connection

Enable Web Browser Plugin for HTTPS Web Filtering

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. EMS only installs the web browser plugin for the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on Windows platforms.

Sync Mode

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

Check User Initiated Traffic Only

Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.

Enable Safe Search

For Windows endpoints and Chromebooks, when enabling Safe Search, you can configure the Restriction Level to Strict or Moderate. This setting affects the content that endpoint users can access via YouTube and search engine, including Google and Bing. For Chromebooks, to set YouTube access to Unrestricted, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.

For macOS endpoints, enabling Safe Search sets the endpoint's Google search to Restricted mode and YouTube access to Strict Restricted access.

Enabling Safe Search adds records, including Yandex.ru, to the client device's hosts file in order to redirect search engine requests.

You can enable Safe Search on the Video Filter and Web Filter profiles. When Safe Search is enabled on both profiles, the more restrictive settings are applied to YouTube.

Enable HTTPS Deep Inspection

Toggle to enable or disable HTTPS deep inspection on FortiClient (macOS) and (Linux) endpoints. When HTTPS deep inspection is enabled, FortiClient can proxy HTTPS requests and rate whole HTTPS URL requests. Otherwise, FCT can only rate domain URLs for HTTPS requests.

Site Categories

Enable site categories from FortiGuard. When you disable site categories, the exclusion list protects FortiClient.

See the FortiGuard website for descriptions of the available categories and subcategories.

For all categories, you can configure an action for the entire site category by selecting one of the following:

  • Block
  • Warn
  • Allow
  • Monitor

You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The following lists each site category's subcategories.

Adult/Mature Content

  • Abortion
  • Advocacy Organizations
  • Alcohol
  • Alternative Beliefs
  • Dating
  • Gambling
  • Lingerie and Swimsuit
  • Marijuana
  • Nudity and Risque
  • Other Adult Materials
  • Pornography
  • Sex Education
  • Sports Hunting and War Games
  • Tobacco
  • Weapons (Sales)

Bandwidth Consuming

  • File Sharing and Storage
  • Freeware and Software Downloads
  • Internet Radio and TV
  • Internet Telephony
  • Peer-to-peer File Sharing
  • Streaming Media and Download

General Interest-Business

  • Armed Forces
  • Business
  • Charitable Organizations
  • Finance and Banking
  • General Organizations
  • Government and Legal Organizations
  • Information Technology
  • Information and Computer Security
  • Online Meeting
  • Remote Access
  • Search Engines and Portals
  • Secure Websites
  • Web Analytics
  • Web Hosting
  • Web-based Applications

General Interest-Personal

  • Advertising
  • Arts and Culture
  • Auction
  • Brokerage and Trading
  • Child Education
  • Content Servers
  • Digital Postcards
  • Domain Parking
  • Dynamic Content
  • Education
  • Entertainment
  • Folklore
  • Games
  • Global Religion
  • Health and Wellness
  • Instant Messaging
  • Job Search
  • Meaningless Content
  • Medicine
  • News and Media
  • Newsgroups and Message Boards
  • Personal Privacy
  • Personal Vehicles
  • Personal Websites and Blogs
  • Political Organizations
  • Real Estate
  • Reference
  • Restaurant and Dining
  • Shopping
  • Social Networking
  • Society and Lifestyles
  • Sports
  • Travel
  • Web Chat
  • Web-based Email

Potentially Liable

  • Child Sexual Abuse
  • Crypto Mining
  • Discrimination
  • Drug Abuse
  • Explicit Violence
  • Extremist Groups
  • Hacking
  • Illegal or Unethical
  • Plagiarism
  • Potentially Unwanted Program
  • Proxy Avoidance
  • Terrorism

Security Risk

  • Dynamic DNS
  • Malicious Websites
  • Newly Observed Domain
  • Newly Registered Domain
  • Phishing
  • Spam URLs
Unrated

Sites that FortiGuard categorizes as unrated.

If FortiClient receives an unrated IP address for specific cloud applications that FortiGuard categorizes as unrated, it may use the Internet Service Database (ISDB) as a backup. You can expand the Unrated category for cloud applications, and click Add to configure an action for selected cloud applications using ISDB. In the Add Cloud Application dialog, select the desired cloud application, configure the desired action, then click Add.

Rate IP Addresses

Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category takes precedence in determining the action. This has the side effect that sometimes the action is determined by the classification based on the domain name and other times it is determined by the classification that is based on the IP address.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed.

An example of how this works is if a URL's rating based on the domain name indicates that it belongs in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight, the effective action is Block.

Use HTTPS Rating Server

By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP protocol. You can instead enable Web Filter to send the requests via TCP protocol.

Allow websites when rating error occurs

Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:

  • Block: Deny access to any websites. This may prevent endpoints from accessing captive portals.
  • Warn: Display in-browser warning to user, with an option to proceed to the website
  • Allow: Allow full, unfiltered access to all websites
  • Monitor: Log the site access

FortiGuard Server Location

Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.

FortiClient connects to FortiGuard to query for URL ratings.

The URLs connected to for each server location are as follows:

  • FortiGuard:

    • Global: fgd1.fortigate.com

    • U.S.: usfgd1.fortigate.com

  • FortiGuard Anycast:

    • Global: fctguard.fortinet.net

    • U.S.: fctusguard.fortinet.net

    • Europe: fcteuguard.fortinet.net

Server

Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

Keyword Scanning on Search Engine

Use rating categories from FortiGuard to allow, block, or monitor searches for certain terms. This feature is only available for Chromebooks.

Banned Word Search

Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:

  • Violence/Terrorism
  • Extremist
  • Pornography
  • Cyber Bullying
  • Self Harm

Custom Banned Words

Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On.

You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.

The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.

Exclusion List

Adding more than 1000 exclusions is not recommended and can cause EMS instability.

Action

Select one of the following actions:

  • Allow
  • Block
  • Monitor

URL

Enter specific URLs to allow, block, or monitor. You can provide the full URL or only the domain name.

Referrer/Host

Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name.

If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action.

If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action.

This option is only available for Chromebooks.

Type

Select one of the following types:

  • Simple
  • Wildcard
  • Regular Expression

You can use wildcard characters and Perl Compatible Regular Expressions.

This field only applies to the value in the URL field and does not apply to the value in the Referrer/Host field.

Move this rule up/Move this rule down

Move the exclusion rule up or down in the list. If multiple exclusion rules are applicable, EMS applies the first applicable exclusion rule.