Web filter

Web filter XML configurations are contained in the <webfilter></webfilter> tags. There are two main sections:

Section

Description

General options

Configuration elements that affect the whole of the web filter service.

Scheduling information

Defines a schedule for when Web Filter settings are in effect.

Profiles

Defines one or more rules that FortiClient applies to network traffic.

<forticlient_configuration>
  <webfilter>
    <enable_filter>1</enable_filter>
    <enabled>1</enabled>
    <current_profile>0</current_profile>
    <partial_match_host>0</partial_match_host>
    <disable_when_managed>0</disable_when_managed>
    <keep_extension_when_managed>1</keep_extension_when_managed>
    <max_violations>250</max_violations>
    <max_violations_age>7</max_violations_age>
    <block_malicious_websites>1</block_malicious_websites>
    <bypass_private_ip>1</bypass_private_ip>
    <browser_read_time_threshold>180</browser_read_time_threshold>
    <https_block_method>0</https_block_method>
    <use_transparent_proxy>1</use_transparent_proxy>
    <request_timeout>3</request_timeout>
    <wildcard_match_root_domain>0</wildcard_match_root_domain>
    <enable_https_deep_inspection>1</enable_https_deep_inspection>
    <out_of_band_injection>1</out_of_band_injection>
    <scheduling_info>
      <enabled>1</enabled>
      <fallback_action>deny</fallback_action>
      <schedule_item>
        <days_of_week>2,4</days_of_week>
        <start_time>06:00</start_time>
        <end_time>18:00</end_time>
      </schedule_item>
    </scheduling_info>
    <profiles>
      <profile>
        <id>999</id>
        <use_exclusion_list>1</use_exclusion_list>
      </profile>
      <profile>
        <id>0</id>
        <cate_ver>6</cate_ver>
        <description>deny</description>
        <name>deny</name>
        <log_all_urls>1</log_all_urls>
        <log_user_initiated_traffic>1</log_user_initiated_traffic>
        <categories>
          <fortiguard>
            <enabled>1</enabled>
            <url>fgd1.fortigate.com</url>
            <rate_ip_addresses>1</rate_ip_addresses>
            <action_when_unavailable>deny</action_when_unavailable>
            <use_https_rating_server>0</use_https_rating_server>
          </fortiguard>
          <category>
            <id>0</id>
            <action>deny</action>
            <isdb_objects>
              <object>
                <owner>30</owner>
                <app>103</app>
                <action>allow</action>
              </object>
            </isdb_objects>
          </category>
          <category>
            <id>1</id>
            <action>deny</action>
          </category>
          <category>
            <id>2</id>
            <action>deny</action>
          </category>
          <category>
            <id>3</id>
            <action>deny</action>
          </category>
          <category>
            <id>4</id>
            <action>deny</action>
          </category>
          <category>
            <id>5</id>
            <action>deny</action>
          </category>
        </categories>
        <urls>
          <url>
            <address>
              <![CDATA[www.777.com]]>
            </address>
            <type>simple</type>
            <action>deny</action>
          </url>
          <url>
            <address>
              <![CDATA[www.fortinet.com]]>
            </address>
            <type>simple</type>
            <action>allow</action>
          </url>
        </urls>
        <webbrowser_plugin>
          <enabled>0</enabled>
          <sync_mode>0</sync_mode>
          <addressbar_only>0</addressbar_only>
        </webbrowser_plugin>
        <safe_search>
          <enabled>0</enabled>
          <search_engines>
            <enabled>0</enabled>
          </search_engines>
          <youtube_education_filter>
            <enabled>0</enabled>
            <filter_id>
              <![CDATA[]]>
            </filter_id>
          </youtube_education_filter>
        </safe_search>
      </profile>
    </profiles>
  </webfilter>
</forticlient_configuration>

The following table provides the XML tags for web filter, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enable_filter>

Enable web filter.

Boolean value: [0 | 1]

1

<enabled>

Enable FDN querying service.

Boolean value: [0 | 1]

1

<current_profile>

(Optional) Currently selected profile ID. If using the advanced configuration on the FortiGate (for Endpoint Control), set this to 1000. The value should always match the <profile><id> selected.

<partial_match_host>

A hostname that is a substring of the specified path is treated as a full match.

Boolean value: [0 | 1]

0

<disable_when_managed>

If enabled, FortiClient disables web filter when connected to a FortiGate using Endpoint Control.

Boolean: [0 | 1]

<keep_extension_when_managed>

If disabled, the FortiClient Web Filter extension is uninstalled when the endpoint goes from being on- to off-net.

Boolean value: [0 | 1]

1

<max_violations>

Maximum number of violations stored at any one time.

A number from 250 to 5000.

5000

<max_violation_age>

Maximum age in days of a violation record before it is culled.

A number from 1 to 90.

90

<block_malicious_websites>

Configure whether to block web sites with security risk categories (group 5). When this setting is 0, do not block web sites with security risk categories. When this setting is 1, block web sites with security risk categories.

Boolean: [0 | 1]

<bypass_private_ip>

Enable bypassing private IP addresses. This feature is enabled by default.

Boolean: [0 | 1]

1

<browser_read_time_threshold>

Configure the threshold in seconds after which a web browser is considered idle. When a web browser is idle for longer than the threshold, FortiClient considers the web browser idle and does not calculate the time.

90

<https_block_method>

Control how FortiClient behaves when Web Filter blocks an HTTPS site:

  • If set to 0, FortiClient displays an in-browser message that the site is not reachable or that it is unable to reach the site, that your connection is not private, or that the site is not secure.
  • If set to 1, FortiClient shows a bubble notification to the user. The connection fails/times out.
  • If set to 2, the connection fails/times out with no notification to the user.

0

<use_transparent_proxy>

Enable the com.fortinet.forticlient.macos.proxy system extension, which works as a proxy server to proxy a TCP connection. macOS manages the extension's connection status and other statistics. This resolves the issue that Web Filter fails to work when SSL and IPsec VPN are connected.

FortiClient (macOS) automatically installs the extension on an M1 Pro or newer macOS device. You only need to enable this option on a macOS device with an Intel or M1 chip. See Special notices.

This element does not affect Windows endpoints.

<request_timeout>

Configure the timeout value in seconds after which a Web Filter site rating request to FortiGuard times out. You can configure a value from 1 to 30 seconds.

7

<wildcard_match_root_domain>

FortiClient applies wildcard matching to the sites in the exclusion list, even if they are not configured with wildcard characters.

For example, if you configured office365.com in the exclusion list and enable <wildcard_match_root_domain>, FortiClient excludes (.*\.)?office365\.com. Enabling <wildcard_match_root_domain> causes the exclusion list to include subdomains such as outlook.office365.com.

Boolean value: [0 | 1]

<enable_https_deep_inspection>

Enable HTTPS deep inspection on FortiClient (macOS) and (Linux) endpoints. When HTTPS deep inspection is enabled, FortiClient can proxy HTTPS requests and rate whole HTTPS URL requests. Otherwise, FortiClient can only rate domain URLs for HTTPS requests.

Boolean value: [0 | 1]

1

<out_of_band_injection>

If enabled, FortiClient injects packets using the out-of-band method.

If disabled, FortiClient injects packets using the original sending thread.

Configuring this option may help to solve any blue screen of death issues related to the Fortiwf2 driver.

Boolean value: [0 | 1]

1

<scheduling_info> elements

<enabled>

Enable to have Web Filter settings only take effect during the configured schedule.

0

<fallback_action>

Configure the desired action for Web Filter to take for web traffic outside of the scheduled times:

  • allow: allow full, unfiltered access to all websites
  • deny: deny access to any website

deny

<scheduling_info><schedule_item> elements

<days_of_week>

Configure the days of the week for the schedule:

  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday

Enter multiple days by separating the numbers with a comma. For example, to enable the schedule on Monday and Wednesday, enter <days_of_week>2,4</days_of_week>.

1

<start_time>

Configure the desired time in 24-hour clock format for the Web Filter settings to start on the selected days of the week.

06:00

<end_time>

Configure the desired time in 24-hour clock format for the Web Filter settings to end on the selected days of the week.

18:00

<profiles><profile><safe_search> element

<enabled>

Enable safe search.

When you enable safe search, the endpoint's Google search is set to restricted mode, and YouTube access is set to strict restricted access. To set YouTube access to moderate restricted or unrestricted YouTube access, you can disable safe search and configure Google search and YouTube access with the Google Admin Console instead of with EMS.

You can enable Safe Search on the Video Filter and Web Filter profiles. When Safe Search is enabled on both profiles, the more restrictive settings are applied to YouTube.

Boolean value: [0 | 1]

<profiles><profile><safe_search><search_engines><engine> element

<enabled>

Enable safe search for the predefined search engines.

Boolean value: [0 | 1]

The <profiles> XML element may have one or more profiles, defined in the <profile> tag. Each <profile>, in turn, has one or more <category>, <url> and <safe_search> tags, along with other elements.

The following table provides profile XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<profile> elements

<id>

Unique ID. A number to define the profile.

<cate_ver>

FortiGuard category version used in this profile. A number.

6

<description>

Summary describing this profile.

<name>

A descriptive name for the profile.

<log_all_urls>

Configure whether to log all URLs. When this setting is 0, FortiClient only logs URLs as specified by per-category or per-URL settings. When this setting is 1, FortiClient logs all URLs.

Boolean value: [0 | 1]

<log_user_initiated_traffic>

Configure what traffic to record. When this setting is 0, FortiClient records all traffic. When this setting is 1, FortiClient records only traffic that the user initiates.

Boolean value: [0 | 1]

<profile><categories><fortiguard> elements

<url>

FortiGuard server IP address or FQDN.

fgd1.fortigate.com

<enabled>

Enable using FortiGuard servers.

Boolean value: [0 | 1]

1

<rate_ip_addresses>

Rate IP addresses.

Boolean value: [0 | 1]

1

<action_when_unavailable>

Configure the action to take with all websites when FortiGuard is temporarily unavailable. FortiClient takes the configured action until it reestablishes contact with FortiGuard. Available options are:

  • allow: Allow full, unfiltered access to all websites
  • deny: Deny access to any website
  • warn: Display an in-browser warning to user with an option to proceed to the website
  • monitor: Monitor site access

deny

<use_https_rating_server>

By default, Web Filter sends URL rating requests to the FortiGuard Anycast rating server via TCP protocol. You can instead enable Web Filter to send the requests to the FortiGuard legacy server via UDP protocol.

Boolean value: [0 | 1]

0

<profile><categories><category> elements

<id>

Unique ID. A number. The valid set of category IDs is predefined, and is listed in exported configuration files.

<action>

Action to perform on matching network traffic. Enter one of the following:

  • allow
  • deny
  • warn
  • monitor

<profile><categories><category><isdb_objects><object> elements

These elements only apply to the unrated category, which has an id of 0. This feature allows you to configure actions for specific cloud applications that FortiGuard categorizes as unrated using the Internet Services Database (ISDB).

<owner>

Owner ID of the cloud application in ISDB.

<app>

Application ID of the cloud application in ISDB.

<action>

Action to perform on matching network traffic. Enter one of the following:

  • allow
  • deny
  • warn
  • monitor

<profile><urls><url> elements

<address>

The web address on which <action> (allow or deny) is performed. This should be wrapped in a CDATA tag. For example:

<![CDATA[www.777.com]]>

<action>

Action to perform on matching network traffic. Enter one of the following: [allow | deny]

<profile><webbrowser_plugin> elements

<enabled>

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites.

After this option is enabled, the user must open the browser to approve installing the new plugin. Currently this feature is only supported when using the Chrome browser on a Windows machine.

0

<sync_mode>

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

0

<addressbar_only>

Enable the plugin to only check domains, even if the full URL is provided. This allows for faster processing. When this option is disabled, the plugin checks full URLs.

0

The <safe_search> element has two main components:

  • Search engines <search_engines>: Users may define safe search parameters for each of the popular search engines: Bing and Yandex. Subsequent use of the engines for web searches has Safe Search enabled.
  • YouTube education filter <youtube_education_filter>: Educational institutions with a valid YouTube education ID can provide this in the <youtube_education_filter> element to restrict YouTube content appropriately.

The following table provides profile XML tags and the description. See the <safe_search> listing in the previous pages for examples of each tag.

XML tag

Description

Default value

<profiles><profile><safe_search><search_engines><engine> elements

<name>

Name of the Safe Search profile.

<host>

The search engine's FQDN. FortiClient monitors attempts to visit this address.

<url>

The URL substring to match or monitor, along with the FQDN.

<query>

The query string appended to the URL.

<safe_search_string>

The correct safe search string appended to the URL for the specified engine.

<cookie_name>

The name of the cookie to send to the search engine.

<cookie_value>

The cookie value to send to the search engine.

<profiles><profile><safe_search><youtube_education_filter> elements

<enabled>

Enable YouTube education filter.

Boolean value: [0 | 1]

<filter_id>

The institution's education identifier.

Other than the <name> and <enabled> elements, the values for each of the elements in the previous table should be wrapped in <![CDATA[]]> XML tags. Here is an example for a <host> element taken from the <safe_search> listing.

<host><![CDATA[yandex\..*]]></host>

See Manage your YouTube settings for more information on YouTube for schools and the education filter.

The following is a list of all Web Filter categories including the category <id> and category name:

0 ==> Unrated

1 ==> Drug Abuse

2 ==> Alternative Beliefs

3 ==> Hacking

4 ==> Illegal or Unethical

5 ==> Discrimination

6 ==> Explicit Violence

7 ==> Abortion

8 ==> Other Adult Materials

9 ==> Advocacy Organizations

11 ==> Gambling

12 ==> Extremist Groups

13 ==> Nudity and Risque

14 ==> Pornography

15 ==> Dating

16 ==> Weapons (Sales)

17 ==> Advertising

18 ==> Brokerage and Trading

19 ==> Freeware and Software Downloads

20 ==> Games

23 ==> Web-based Email

24 ==> File Sharing and Storage

25 ==> Streaming Media and Download

26 ==> Malicious Websites

28 ==> Entertainment

29 ==> Arts and Culture

30 ==> Education

31 ==> Finance and Banking

33 ==> Health and Wellness

34 ==> Job Search

35 ==> Medicine

36 ==> News and Media

37 ==> Social Networking

38 ==> Political Organizations

39 ==> Reference

40 ==> Global Religion

41 ==> Search Engines and Portals

42 ==> Shopping

43 ==> General Organizations

44 ==> Society and Lifestyles

46 ==> Sports

47 ==> Travel

48 ==> Personal Vehicles

49 ==> Business

50 ==> Information and Computer Security

51 ==> Government and Legal Organizations

52 ==> Information Technology

53 ==> Armed Forces

54 ==> Dynamic Content

55 ==> Meaningless Content

56 ==> Web Hosting

57 ==> Marijuana

58 ==> Folklore

59 ==> Proxy Avoidance

61 ==> Phishing

62 ==> Plagiarism

63 ==> Sex Education

64 ==> Alcohol

65 ==> Tobacco

66 ==> Lingerie and Swimsuit

67 ==> Sports Hunting and War Games

68 ==> Web Chat

69 ==> Instant Messaging

70 ==> Newsgroups and Message Boards

71 ==> Digital Postcards

72 ==> Peer-to-peer File Sharing

75 ==> Internet Radio and TV

76 ==> Internet Telephony

77 ==> Child Education

78 ==> Real Estate

79 ==> Restaurant and Dining

80 ==> Personal Websites and Blogs

81 ==> Secure Websites

82 ==> Content Servers

83 ==> Child Abuse

84 ==> Web-based Applications

85 ==> Domain Parking

86 ==> Spam URLs

88 ==> Dynamic DNS

89 ==> Auction

90 ==> Newly Observed Domain

91 ==> Newly Registered Domain

92 ==> Charitable Organizations

93 ==> Remote Access

94 ==> Web Analytics

95 ==> Online Meeting
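
A pre-deployment check for a <webfilter> section, as an added example (not Fortinet code). It flags settings that leave traffic unfiltered and values outside the ranges and action lists documented above. The function names, the finding texts and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

CATEGORY_ACTIONS = {"allow", "deny", "warn", "monitor"}
URL_ACTIONS = {"allow", "deny"}
# Ranges from the tag table. The sample listing spells the age tag
# <max_violations_age> and the table <max_violation_age>; check both.
RANGES = {"max_violations": (250, 5000), "max_violation_age": (1, 90),
          "max_violations_age": (1, 90), "request_timeout": (1, 30)}
TIME_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d")  # 24-hour HH:MM


def _text(node, path):
    """Stripped text of a child element, or None if it is absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else None


def audit_webfilter(xml_string):
    """Return findings for the <webfilter> section of a FortiClient config."""
    root = ET.fromstring(xml_string)
    wf = root if root.tag == "webfilter" else root.find(".//webfilter")
    if wf is None:
        return ["no <webfilter> element found"]
    out = []
    # Settings that switch filtering off or weaken it.
    if _text(wf, "enable_filter") == "0":
        out.append("enable_filter=0: web filter is off")
    if _text(wf, "block_malicious_websites") == "0":
        out.append("block_malicious_websites=0: security risk categories are not blocked")
    if _text(wf, "disable_when_managed") == "1":
        out.append("disable_when_managed=1: web filter is off while connected to a FortiGate")
    for tag, (low, high) in RANGES.items():
        value = _text(wf, tag)
        if value is not None and not (value.isdecimal() and low <= int(value) <= high):
            out.append(f"{tag}={value}: outside documented range {low}-{high}")
    # Schedule: what happens outside the window, and are the fields well formed?
    sched = wf.find("scheduling_info")
    if sched is not None and _text(sched, "enabled") == "1":
        if _text(sched, "fallback_action") == "allow":
            out.append("fallback_action=allow: unfiltered access outside the schedule")
        for item in sched.findall("schedule_item"):
            days = _text(item, "days_of_week") or ""
            if not all(d.strip() in set("1234567") for d in days.split(",")):
                out.append(f"days_of_week={days}: values must be 1 (Sunday) to 7 (Saturday)")
            for tag in ("start_time", "end_time"):
                value = _text(item, tag) or ""
                if not TIME_RE.fullmatch(value):
                    out.append(f"{tag}={value}: not a 24-hour HH:MM time")
    # Profiles: the selected ID must exist, and actions must be documented values.
    profiles = wf.findall("profiles/profile")
    current = _text(wf, "current_profile")
    if current is not None and current not in {_text(p, "id") for p in profiles}:
        out.append(f"current_profile={current}: no <profile> with that <id>")
    for prof in profiles:
        pid = _text(prof, "id")
        if _text(prof, "categories/fortiguard/action_when_unavailable") == "allow":
            out.append(f"profile {pid}: action_when_unavailable=allow: "
                       "unfiltered access while FortiGuard is unreachable")
        for cat in prof.findall("categories/category"):
            cid, action = _text(cat, "id"), _text(cat, "action")
            if action not in CATEGORY_ACTIONS:
                out.append(f"profile {pid}: category {cid} action {action!r} is not valid")
            if cat.find("isdb_objects") is not None and cid != "0":
                out.append(f"profile {pid}: isdb_objects only apply to category 0, not {cid}")
        for url in prof.findall("urls/url"):
            action = _text(url, "action")
            if action not in URL_ACTIONS:
                out.append(f"profile {pid}: URL {_text(url, 'address')} action {action!r} is not allow or deny")
    return out


# Constructed sample with deliberate problems (not a configuration from the page).
SAMPLE = """<forticlient_configuration><webfilter>
  <enable_filter>1</enable_filter>
  <current_profile>1</current_profile>
  <max_violations>100</max_violations>
  <request_timeout>3</request_timeout>
  <scheduling_info>
    <enabled>1</enabled>
    <fallback_action>allow</fallback_action>
    <schedule_item><days_of_week>2,8</days_of_week>
      <start_time>06:00</start_time><end_time>25:00</end_time></schedule_item>
  </scheduling_info>
  <profiles><profile>
    <id>0</id>
    <categories>
      <fortiguard><action_when_unavailable>allow</action_when_unavailable></fortiguard>
      <category><id>26</id><action>block</action></category>
      <category><id>3</id><action>deny</action><isdb_objects/></category>
    </categories>
    <urls><url><address><![CDATA[www.777.com]]></address><action>warn</action></url></urls>
  </profile></profiles>
</webfilter></forticlient_configuration>"""

if __name__ == "__main__":
    for finding in audit_webfilter(SAMPLE):
        print(finding)
```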
