Web filter
The <webfilter></webfilter> tags contain web filter XML configurations. There are two main sections:
| Section | Description |
|---|---|
| General options | Configuration elements that affect the whole of the web filter service. |
| Scheduling information | Defines a schedule for when Web Filter settings are in effect. |
| Profiles | Defines one or more rules that FortiClient applies to network traffic. |
You cannot configure Web Filter to block the Chrome web store URL, as it is a critical resource to download the FortiClient Web Filter extension. FortiClient can access the Chrome web store URL regardless of the Web Filter configuration. |
```xml
<forticlient_configuration>
  <webfilter>
    <enable_filter>1</enable_filter>
    <enabled>1</enabled>
    <current_profile>0</current_profile>
    <partial_match_host>0</partial_match_host>
    <disable_when_managed>0</disable_when_managed>
    <keep_extension_when_managed>1</keep_extension_when_managed>
    <max_violations>250</max_violations>
    <max_violations_age>7</max_violations_age>
    <block_malicious_websites>1</block_malicious_websites>
    <bypass_private_ip>1</bypass_private_ip>
    <browser_read_time_threshold>180</browser_read_time_threshold>
    <https_block_method>0</https_block_method>
    <use_transparent_proxy>1</use_transparent_proxy>
    <request_timeout>3</request_timeout>
    <wildcard_match_root_domain>0</wildcard_match_root_domain>
    <enable_https_deep_inspection>1</enable_https_deep_inspection>
    <interception_mode>1</interception_mode>
    <fgd_down_retry_interval_s>1</fgd_down_retry_interval_s>
    <modify_hosts>1</modify_hosts>
    <scheduling_info>
      <enabled>1</enabled>
      <fallback_action>deny</fallback_action>
      <schedule_item>
        <days_of_week>2,4</days_of_week>
        <start_time>06:00</start_time>
        <end_time>18:00</end_time>
      </schedule_item>
    </scheduling_info>
    <profiles>
      <profile>
        <id>999</id>
        <use_exclusion_list>1</use_exclusion_list>
      </profile>
      <profile>
        <id>0</id>
        <cate_ver>6</cate_ver>
        <description>deny</description>
        <name>deny</name>
        <log_all_urls>1</log_all_urls>
        <log_user_initiated_traffic>1</log_user_initiated_traffic>
        <categories>
          <fortiguard>
            <enabled>1</enabled>
            <url>fgd1.fortigate.com</url>
            <rate_ip_addresses>1</rate_ip_addresses>
            <action_when_unavailable>deny</action_when_unavailable>
            <use_https_rating_server>0</use_https_rating_server>
          </fortiguard>
          <category>
            <id>0</id>
            <action>deny</action>
            <isdb_objects>
              <object>
                <owner>30</owner>
                <app>103</app>
                <action>allow</action>
              </object>
            </isdb_objects>
          </category>
          <category>
            <id>1</id>
            <action>deny</action>
          </category>
          <category>
            <id>2</id>
            <action>deny</action>
          </category>
          <category>
            <id>3</id>
            <action>deny</action>
          </category>
          <category>
            <id>4</id>
            <action>deny</action>
          </category>
          <category>
            <id>5</id>
            <action>deny</action>
          </category>
        </categories>
        <urls>
          <url>
            <address><![CDATA[www.777.com]]></address>
            <type>simple</type>
            <action>deny</action>
            <referrer>google.com</referrer>
          </url>
          <url>
            <address><![CDATA[www.fortinet.com]]></address>
            <type>simple</type>
            <action>allow</action>
          </url>
        </urls>
        <webbrowser_plugin>
          <enabled>0</enabled>
          <sync_mode>0</sync_mode>
          <addressbar_only>0</addressbar_only>
          <ignore_data_url>1</ignore_data_url>
          <force_enable_in_private_mode>1</force_enable_in_private_mode>
        </webbrowser_plugin>
        <safe_search>
          <enabled>0</enabled>
          <search_engines>
            <enabled>0</enabled>
          </search_engines>
          <youtube_education_filter>
            <enabled>0</enabled>
            <filter_id><![CDATA[]]></filter_id>
          </youtube_education_filter>
        </safe_search>
      </profile>
    </profiles>
  </webfilter>
</forticlient_configuration>
```
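Before pushing a hand-edited web filter block to endpoints, it is worth checking it against the documented value ranges, since an out-of-range `<request_timeout>` or a stray ISDB override under a rated category is easy to miss in a long file. The following Python script is an added example, not FortiClient code and not from this page: it loads a `<webfilter>` block with the standard library and reports boolean tags that are not 0 or 1, numeric tags outside the ranges given in the table below (tag names follow the sample configuration above, so the age limit is checked under `<max_violations_age>`), and `<isdb_objects>` blocks placed under any category other than the unrated category 0. The embedded sample is a constructed, trimmed copy of the configuration above with deliberate mistakes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the sample configuration with three
# deliberately wrong values and one misplaced <isdb_objects> block.
SAMPLE_XML = """<forticlient_configuration>
  <webfilter>
    <enable_filter>1</enable_filter>
    <enabled>1</enabled>
    <max_violations>100</max_violations>
    <max_violations_age>7</max_violations_age>
    <request_timeout>45</request_timeout>
    <fgd_down_retry_interval_s>1</fgd_down_retry_interval_s>
    <partial_match_host>2</partial_match_host>
    <profiles>
      <profile>
        <id>0</id>
        <categories>
          <category>
            <id>0</id>
            <action>deny</action>
            <isdb_objects><object><owner>30</owner><app>103</app><action>allow</action></object></isdb_objects>
          </category>
          <category>
            <id>26</id>
            <action>deny</action>
            <isdb_objects><object><owner>30</owner><app>103</app><action>allow</action></object></isdb_objects>
          </category>
        </categories>
      </profile>
    </profiles>
  </webfilter>
</forticlient_configuration>"""

# Inclusive numeric ranges from the reference table; None means no upper bound.
RANGES = {
    "max_violations": (250, 5000),
    "max_violations_age": (1, 90),  # tag name as used in the sample config
    "request_timeout": (1, 30),
    "fgd_down_retry_interval_s": (1, None),
}

# Top-level tags the table documents as boolean.
BOOLEAN_TAGS = {
    "enable_filter", "enabled", "partial_match_host", "disable_when_managed",
    "keep_extension_when_managed", "block_malicious_websites", "bypass_private_ip",
    "wildcard_match_root_domain", "enable_https_deep_inspection", "interception_mode",
}


def check_webfilter(xml_text):
    """Return a list of findings (strings); an empty list means the config passed."""
    root = ET.fromstring(xml_text)
    wf = root if root.tag == "webfilter" else root.find("webfilter")
    if wf is None:
        return ["no <webfilter> element found"]
    findings = []
    for child in wf:
        text = (child.text or "").strip()
        if child.tag in BOOLEAN_TAGS and text not in ("0", "1"):
            findings.append(f"<{child.tag}> must be 0 or 1, got {text!r}")
        if child.tag in RANGES:
            low, high = RANGES[child.tag]
            if not text.lstrip("-").isdigit():
                findings.append(f"<{child.tag}> is not an integer: {text!r}")
                continue
            value = int(text)
            if value < low or (high is not None and value > high):
                bound = f"{low} to {high}" if high is not None else f"at least {low}"
                findings.append(f"<{child.tag}> = {value}, expected {bound}")
    # ISDB overrides only apply to the unrated category (id 0).
    for profile in wf.iterfind("profiles/profile"):
        pid = (profile.findtext("id") or "?").strip()
        for cat in profile.iterfind("categories/category"):
            cid = (cat.findtext("id") or "").strip()
            if cid != "0" and cat.find("isdb_objects") is not None:
                findings.append(
                    f"profile {pid}: <isdb_objects> under category {cid}; "
                    "only the unrated category (id 0) supports ISDB objects")
    return findings


if __name__ == "__main__":
    for line in check_webfilter(SAMPLE_XML) or ["config OK"]:
        print(line)
```

Run against a full exported configuration by replacing `SAMPLE_XML` with the file contents; the checks only cover the ranges stated on this page, so extend `RANGES` and `BOOLEAN_TAGS` as your own reference tables require.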
The following table provides the XML tags for web filter, as well as the descriptions and default values where applicable.
| XML tag | Description | Default value |
|---|---|---|
| <enable_filter> | Enable web filter. Boolean value (0 or 1). | 1 |
| <enabled> | Enable the FortiGuard distribution network querying service. Boolean value (0 or 1). | 1 |
| <current_profile> | (Optional) Selected profile ID. If using the advanced configuration on the FortiGate for endpoint control, set this to | |
| <partial_match_host> | FortiClient treats a hostname that is a substring of the specified path as a full match. Boolean value (0 or 1). | 0 |
| <disable_when_managed> | If enabled, FortiClient disables web filter when connected to a FortiGate using Endpoint Control. Boolean value (0 or 1). | |
| <keep_extension_when_managed> | If disabled, the FortiClient Web Filter extension is uninstalled when the endpoint goes from on-net to off-net. For Firefox, the Web Filter extension is not automatically uninstalled because of Firefox's default behavior; instead, you can remove the extension manually. This is a Firefox limitation. Boolean value (0 or 1). | 1 |
| <max_violations> | Maximum number of violations stored at any one time. Enter a number from 250 to 5000. | 5000 |
| <max_violation_age> | Maximum age in days of a violation record before FortiClient culls it. Enter a number from 1 to 90. | 90 |
| <block_malicious_websites> | Configure whether to block websites in the security risk categories (group 5). Boolean value (0 or 1). | 0 |
| <bypass_private_ip> | Enable bypassing private IP addresses. Boolean value (0 or 1). | 1 |
| <browser_read_time_threshold> | Threshold in seconds after which a web browser is considered idle. When a web browser has been idle for longer than the threshold, FortiClient treats it as idle and does not count the time. | 90 |
| <https_block_method> | Control how FortiClient behaves when Web Filter blocks an HTTPS site: | 0 |
| <use_transparent_proxy> | Enable the com.fortinet.forticlient.macos.proxy system extension, which works as a proxy server for TCP connections. macOS manages the extension's connection status and other statistics. This resolves the issue of Web Filter failing to work while SSL VPN and IPsec VPN are connected. FortiClient (macOS) automatically installs the extension on an M1 Pro or newer macOS device; you only need to enable this option on a macOS device with an Intel or M1 chip. See Special notices. This element does not affect Windows endpoints. | |
| <request_timeout> | Timeout in seconds after which a Web Filter site rating request to FortiGuard times out. Enter a value from 1 to 30 seconds. | 7 |
| <wildcard_match_root_domain> | FortiClient applies wildcard matching to the sites in the exclusion list, even if they are not configured with wildcard characters. For example, if you configured office365.com in the exclusion list and enable Boolean value: | 0 |
| <enable_https_deep_inspection> | Enable HTTPS deep inspection on FortiClient (macOS) and (Linux) endpoints. When HTTPS deep inspection is enabled, FortiClient can proxy HTTPS requests and rate whole HTTPS URLs. Otherwise, FortiClient can only rate the domain of HTTPS requests. Boolean value (0 or 1). | 1 |
| <interception_mode> | Only modify this element if you are experiencing recurrent blue screen of death (BSOD) issues. When enabled, the system is in interception mode: all HTTP and HTTPS packets are intercepted and sent to the Web Filter daemon for processing, then forwarded to the driver for injection, synchronously. If Web Filter blocks access to a webpage, the browser displays a block page. When disabled, the system operates in non-interception mode: all HTTP and HTTPS packets are duplicated and sent to the Web Filter daemon for processing while the original packets continue through the network stack. The daemon processes the duplicate packets and instructs the driver to terminate connections if it detects any suspicious packets. If Web Filter blocks access to a webpage, the browser does not display a block page. Boolean value (0 or 1). | 1 |
| <fgd_down_retry_interval_s> | Number of seconds for which FortiClient blocks all sites once it determines that the FortiGuard rating server is down. The minimum interval is one second. | |
| <modify_hosts> | If the Web Filter extension is enabled and Boolean value: | |

The following elements are children of <scheduling_info>:

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable to have Web Filter settings take effect only during the configured schedule. | 0 |
| <fallback_action> | Configure the action for Web Filter to take for web traffic outside of the scheduled times: | deny |

The following elements are children of <schedule_item> within <scheduling_info>:

| XML tag | Description | Default value |
|---|---|---|
| <days_of_week> | Configure the days of the week for the schedule. Enter multiple days by separating the numbers with a comma. For example, to enable the schedule on Monday and Wednesday, enter | 1 |
| <start_time> | The time, in 24-hour clock format, at which the Web Filter settings start on the selected days of the week. | 06:00 |
| <end_time> | The time, in 24-hour clock format, at which the Web Filter settings end on the selected days of the week. | 18:00 |

The following element is a child of <safe_search>:

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable safe search. When you enable safe search, the endpoint's Google search is set to restricted mode, and YouTube access is set to strict restricted access. To set YouTube access to moderate restricted or unrestricted access, disable safe search and configure Google search and YouTube access with the Google Admin Console instead of with EMS. You can enable Safe Search on both the Video Filter and Web Filter profiles; when it is enabled on both, the more restrictive settings are applied to YouTube. Boolean value (0 or 1). | |

The following element is a child of <search_engines> within <safe_search>:

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable safe search for the predefined search engines. Boolean value (0 or 1). | |
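The scheduling elements interact in a way that is easy to get wrong: with `<enabled>` set to 1, the profile's rules apply only inside a `<schedule_item>` window, and everything outside the windows receives `<fallback_action>`. The following Python code is an added example, not FortiClient code and not from this page; it parses a `<scheduling_info>` block (the constructed input is the block from the sample configuration above) and answers "do the Web Filter settings apply at this moment, and if not, what action is taken?". It assumes the day numbering 1 = Sunday through 7 = Saturday, which is consistent with the table pairing "Monday and Wednesday" with the sample value 2,4 but should be verified against a configuration exported from your own deployment, and it assumes each window lies within one day.

```python
from datetime import datetime, time
import xml.etree.ElementTree as ET

# Assumed day numbering: 1 = Sunday ... 7 = Saturday. The table's example pairs
# "Monday and Wednesday" with the sample value 2,4, which fits this numbering,
# but verify it against a configuration exported from your own deployment.
TAG_DAY = {6: 1, 0: 2, 1: 3, 2: 4, 3: 5, 4: 6, 5: 7}  # datetime.weekday() -> tag value

# Constructed input: the <scheduling_info> block from the sample configuration.
SCHEDULE_XML = """<scheduling_info>
  <enabled>1</enabled>
  <fallback_action>deny</fallback_action>
  <schedule_item>
    <days_of_week>2,4</days_of_week>
    <start_time>06:00</start_time>
    <end_time>18:00</end_time>
  </schedule_item>
</scheduling_info>"""


def parse_schedule(xml_text):
    """Parse <scheduling_info> into (enabled, fallback_action, windows).

    Each window is (set_of_day_numbers, start, end). Windows are assumed to lie
    within a single day, so start must be earlier than end."""
    root = ET.fromstring(xml_text)
    enabled = (root.findtext("enabled") or "0").strip() == "1"
    fallback = (root.findtext("fallback_action") or "deny").strip()
    windows = []
    for item in root.iterfind("schedule_item"):
        raw = (item.findtext("days_of_week") or "").split(",")
        days = {int(d) for d in raw if d.strip()}
        if not days or not days <= set(range(1, 8)):
            raise ValueError(f"<days_of_week> must list numbers 1-7, got {sorted(days)}")
        start = time.fromisoformat(item.findtext("start_time").strip())
        end = time.fromisoformat(item.findtext("end_time").strip())
        if start >= end:
            raise ValueError("<start_time> must be earlier than <end_time>")
        windows.append((days, start, end))
    return enabled, fallback, windows


def settings_in_effect(schedule, when):
    """True when the Web Filter profile settings apply at `when` (a datetime or
    ISO 8601 string).

    With scheduling disabled they always apply; with it enabled they apply only
    inside a configured window (start inclusive, end exclusive)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    enabled, _, windows = schedule
    if not enabled:
        return True
    day, clock = TAG_DAY[when.weekday()], when.time()
    return any(day in days and start <= clock < end for days, start, end in windows)


def effective_action(schedule, when, profile_action):
    """Action applied at `when`: the profile's own action inside the schedule,
    <fallback_action> outside it."""
    return profile_action if settings_in_effect(schedule, when) else schedule[1]


if __name__ == "__main__":
    sched = parse_schedule(SCHEDULE_XML)
    for stamp in ("2024-01-01T09:00", "2024-01-01T19:00", "2024-01-02T09:00"):
        print(stamp, effective_action(sched, stamp, "allow"))
```

Note that a `deny` fallback makes the endpoint fail closed outside the schedule, which is usually what you want for a managed device; if users need unfiltered access outside working hours, the fallback must be set explicitly rather than left at its default.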
The <profiles> XML element may have one or more profiles, defined in the <profile> tag. Each <profile>, in turn, has one or more <category>, <url> and <safe_search> tags, along with other elements.
The following table provides profile XML tags, the description, and the default value (where applicable).
Elements directly under <profile>:

| XML tag | Description | Default value |
|---|---|---|
| <id> | Unique ID. A number that identifies the profile. | |
| <cate_ver> | FortiGuard category version used in this profile. A number. | 6 |
| <description> | Summary describing this profile. | |
| <name> | A descriptive name for the profile. | |
| <log_all_urls> | Configure whether to log all URLs. When this setting is Boolean value: | |
| <log_user_initiated_traffic> | Configure what traffic to record. When this setting is Boolean value: | |

Elements under <categories><fortiguard>:

| XML tag | Description | Default value |
|---|---|---|
| <url> | FortiGuard server IP address or FQDN. | fgd1.fortigate.com |
| <enabled> | Enable using FortiGuard servers. Boolean value (0 or 1). | 1 |
| <rate_ip_addresses> | Rate IP addresses. Boolean value (0 or 1). | 1 |
| <action_when_unavailable> | Action to take for all websites while FortiGuard is temporarily unavailable. FortiClient takes the configured action until it reestablishes contact with FortiGuard. Available options are: | deny |
| <use_https_rating_server> | By default, Web Filter sends URL rating requests to the FortiGuard Anycast rating server over TCP. Enable this option to send the requests to the FortiGuard legacy server over UDP instead. Boolean value (0 or 1). | 0 |

Elements under each <category>:

| XML tag | Description | Default value |
|---|---|---|
| <id> | Unique ID. A number. The valid set of category IDs is predefined and is listed in exported configuration files (see the category list at the end of this page). | |
| <action> | Action to perform on matching network traffic. Enter one of the following: | |

Elements under <isdb_objects><object>. These elements only apply to the unrated category, which has an <id> of 0. They let you configure actions for specific cloud applications that FortiGuard categorizes as unrated, using the Internet Services Database (ISDB).

| XML tag | Description | Default value |
|---|---|---|
| <owner> | Owner ID of the cloud application in ISDB. | |
| <app> | Application ID of the cloud application in ISDB. | |
| <action> | Action to perform on matching network traffic. Enter one of the following: | |

Elements under each <urls><url>:

| XML tag | Description | Default value |
|---|---|---|
| <address> | The web address the rule applies to, wrapped in <![CDATA[]]>, for example <![CDATA[www.777.com]]> | |
| <action> | Action to perform on matching network traffic. Enter one of the following: | |
| <referrer> | Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name. If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action. If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action. This option is only available for FortiClient Windows, macOS, Linux, and Chromebooks. | |

Elements under <webbrowser_plugin>:

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. When this option is enabled, the user must open the browser to approve installing the new plugin. Currently this feature is only supported when using the Chrome browser on a Windows machine. | 1 |
| <sync_mode> | When this option is enabled, the web browser waits for a response to an HTTPS request before sending another HTTPS request. | 0 |
| <addressbar_only> | Enable the plugin to check only domains, even if the full URL is provided. This allows for faster processing. When this option is disabled, the plugin checks full URLs. | 0 |
| <ignore_data_url> | If this tag does not exist, FortiClient treats it as false by default. When this option is enabled, the plugin bypasses Base64 data URLs. The format for data URLs is data:application/text(or other MIME type);base64,XXXXXXX... The plugin does not bypass the following data formats since they have valid URLs within the data protocol: Instead, the plugin uses the https://xxxx inside to rate the download. | |
| <force_enable_in_private_mode> | Configure whether to force the FortiClient Web Filter extension to run in incognito or private mode. Boolean value (0 or 1). | 1 |
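The URL rule semantics described above (address matching, the `<partial_match_host>` relaxation, and a `<referrer>` that makes a rule apply only to visits arriving via that referrer) are the parts of a profile most often misread during a policy review. The following Python code is an added example, not FortiClient code and not from this page, that evaluates a list of rules mirroring the sample `<urls>` block against a visited URL and its referrer. It only handles the `simple` type shown in the sample, and it makes two labelled assumptions: the first matching rule wins, and a domain-only `<referrer>` also matches its subdomains.

```python
from urllib.parse import urlsplit

# Constructed rule list mirroring the sample <urls> block: a deny that applies
# only when the visit arrives via google.com, and an unconditional allow.
RULES = [
    {"address": "www.777.com", "type": "simple", "action": "deny", "referrer": "google.com"},
    {"address": "www.fortinet.com", "type": "simple", "action": "allow", "referrer": None},
]


def _split(url):
    """Split a URL or bare host into (hostname, path) in lower case."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/").lower()


def address_matches(rule_address, url, partial_match_host=False):
    """Simple-type match: the visited host (plus any path prefix) equals the rule address.

    With <partial_match_host> enabled, a visited hostname that is a substring of
    the configured address also counts as a full match."""
    host, path = _split(url)
    target = rule_address.lower().rstrip("/")
    visited = host + path
    if visited == target or visited.startswith(target + "/"):
        return True
    return partial_match_host and bool(host) and host in target


def referrer_matches(rule_referrer, actual_referrer):
    """<referrer> may be a full URL (compared exactly, scheme ignored) or a domain.

    Assumption in this example: a domain also matches its subdomains."""
    if not actual_referrer:
        return False  # direct visit: a referrer-conditioned rule never applies
    if "://" in rule_referrer or "/" in rule_referrer:
        def strip(u):
            return u.split("://", 1)[-1].rstrip("/").lower()
        return strip(actual_referrer) == strip(rule_referrer)
    host, _ = _split(actual_referrer)
    domain = rule_referrer.lower()
    return host == domain or host.endswith("." + domain)


def evaluate(url, referrer=None, rules=RULES, partial_match_host=False):
    """Return the action of the first matching URL rule, or None when no rule applies.

    Assumption: first match wins; unmatched traffic falls through to category rating."""
    for rule in rules:
        if rule["type"] != "simple":
            continue  # only the simple type appears in the sample configuration
        if not address_matches(rule["address"], url, partial_match_host):
            continue
        if rule.get("referrer") and not referrer_matches(rule["referrer"], referrer):
            continue  # direct visit or a different referrer: rule does not apply
        return rule["action"]
    return None


if __name__ == "__main__":
    print(evaluate("https://www.777.com/slots", referrer="https://www.google.com/search?q=777"))
    print(evaluate("https://www.777.com/slots"))
    print(evaluate("https://fortinet.com/x", partial_match_host=True))
```

The second call illustrates the point the `<referrer>` description makes: the same site visited directly matches no rule, so its fate is decided by category rating rather than by the deny rule.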
The <safe_search> element has two main components:
- Search engines (<search_engines>)
- YouTube education filter (<youtube_education_filter>)

Users may define safe search parameters for each of the popular search engines: Bing and Yandex. Subsequent use of the engines for web searches has Safe Search enabled.

Educational institutions with a valid YouTube education ID can provide it in the <youtube_education_filter> element to restrict YouTube content appropriately.

The following table provides the profile XML tags and their descriptions. See the <safe_search> listing in the previous pages for examples of each tag.
Elements under <search_engines>, one set per search engine:

| XML tag | Description | Default value |
|---|---|---|
| <name> | Name of the Safe Search profile. | |
| <host> | The search engine's FQDN. FortiClient monitors attempts to visit this address. | |
| <url> | The URL substring to match or monitor, along with the FQDN. | |
| <query> | The query string appended to the URL. | |
| <safe_search_string> | The correct safe search string appended to the URL for the specified engine. | |
| <cookie_name> | The name of the cookie to send to the search engine. | |
| <cookie_value> | The cookie value to send to the search engine. | |

Elements under <youtube_education_filter>:

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable YouTube education filter. Boolean value (0 or 1). | |
| <filter_id> | The institution's education identifier. | |
Other than the <name> and <enabled> elements, the values for each of the elements in the previous table should be wrapped in <![CDATA[]]> XML tags. Here is an example for a <host> element taken from the <safe_search> listing.
```xml
<host><![CDATA[yandex\..*]]></host>
```
See Manage your YouTube settings for more information on YouTube for schools and the education filter.
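To see how the search engine elements fit together, it helps to run one engine definition against a few requests: `<host>` is a regular expression on the hostname, `<url>` a substring of the path, `<query>` the parameter that marks a real search, and `<safe_search_string>` and the cookie pair are what gets forced onto the request. The following Python code is an added illustration, not FortiClient's implementation and not from this page. The `<host>` value is the page's own `yandex\..*` example; the url, query, safe search string and cookie fields are hypothetical placeholders rather than the engine's real parameters.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed engine definition. The host regex is the page's own example;
# the remaining fields are hypothetical placeholders, not real engine parameters.
ENGINES = [
    {
        "name": "yandex",
        "host": r"yandex\..*",
        "url": "/search",                    # hypothetical
        "query": "text",                     # hypothetical
        "safe_search_string": "family=yes",  # hypothetical
        "cookie_name": "safe_search",        # hypothetical
        "cookie_value": "strict",            # hypothetical
    },
]


def find_engine(url, engines=ENGINES):
    """Return the engine whose <host> regex matches the hostname and whose <url>
    substring appears in the path, or None for any other site."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for engine in engines:
        if re.fullmatch(engine["host"], host) and engine["url"] in parts.path:
            return engine
    return None


def enforce_safe_search(url, cookies, engines=ENGINES):
    """Return (url, cookies) with the engine's safe search parameter and cookie applied.

    Requests that are not searches on a configured engine come back unchanged. A
    user-supplied value for the safe search parameter is overwritten, so a weaker
    setting in the original query string cannot survive."""
    engine = find_engine(url, engines)
    if engine is None:
        return url, dict(cookies)
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if engine["query"] not in params:
        return url, dict(cookies)  # on the engine's site but not a search query
    key, _, value = engine["safe_search_string"].partition("=")
    params[key] = value
    new_url = urlunsplit(parts._replace(query=urlencode(params)))
    new_cookies = dict(cookies)
    new_cookies[engine["cookie_name"]] = engine["cookie_value"]
    return new_url, new_cookies


if __name__ == "__main__":
    print(enforce_safe_search("https://yandex.com/search/?text=cats&family=no", {"sid": "1"}))
    print(enforce_safe_search("https://yandex.com/maps", {}))
```

Because `<host>` is anchored as a full-match regular expression here, `yandex\..*` matches `yandex.com` and `yandex.ru` but not a lookalike such as `notyandex.com`; a pattern written without the escaped dot would be looser than intended, which is worth checking whenever a host pattern is edited.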
The following is a list of all Web Filter categories including the category <id> and category name:
0 ==> Unrated
1 ==> Drug Abuse
2 ==> Alternative Beliefs
3 ==> Hacking
4 ==> Illegal or Unethical
5 ==> Discrimination
6 ==> Explicit Violence
7 ==> Abortion
8 ==> Other Adult Materials
9 ==> Advocacy Organizations
11 ==> Gambling
12 ==> Extremist Groups
13 ==> Nudity and Risque
14 ==> Pornography
15 ==> Dating
16 ==> Weapons (Sales)
17 ==> Advertising
18 ==> Brokerage and Trading
19 ==> Freeware and Software Downloads
20 ==> Games
23 ==> Web-based Email
24 ==> File Sharing and Storage
25 ==> Streaming Media and Download
26 ==> Malicious Websites
28 ==> Entertainment
29 ==> Arts and Culture
30 ==> Education
31 ==> Finance and Banking
33 ==> Health and Wellness
34 ==> Job Search
35 ==> Medicine
36 ==> News and Media
37 ==> Social Networking
38 ==> Political Organizations
39 ==> Reference
40 ==> Global Religion
41 ==> Search Engines and Portals
42 ==> Shopping
43 ==> General Organizations
44 ==> Society and Lifestyles
46 ==> Sports
47 ==> Travel
48 ==> Personal Vehicles
49 ==> Business
50 ==> Information and Computer Security
51 ==> Government and Legal Organizations
52 ==> Information Technology
53 ==> Armed Forces
54 ==> Dynamic Content
55 ==> Meaningless Content
56 ==> Web Hosting
57 ==> Marijuana
58 ==> Folklore
59 ==> Proxy Avoidance
61 ==> Phishing
62 ==> Plagiarism
63 ==> Sex Education
64 ==> Alcohol
65 ==> Tobacco
66 ==> Lingerie and Swimsuit
67 ==> Sports Hunting and War Games
68 ==> Web Chat
69 ==> Instant Messaging
70 ==> Newsgroups and Message Boards
71 ==> Digital Postcards
72 ==> Peer-to-peer File Sharing
75 ==> Internet Radio and TV
76 ==> Internet Telephony
77 ==> Child Education
78 ==> Real Estate
79 ==> Restaurant and Dining
80 ==> Personal Websites and Blogs
81 ==> Secure Websites
82 ==> Content Servers
83 ==> Child Abuse
84 ==> Web-based Applications
85 ==> Domain Parking
86 ==> Spam URLs
88 ==> Dynamic DNS
89 ==> Auction
90 ==> Newly Observed Domain
91 ==> Newly Registered Domain
92 ==> Charitable Organizations
93 ==> Remote Access
94 ==> Web Analytics
95 ==> Online Meeting