Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

webfilter profile

Use this command configure web filter profiles.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config ftgd-wf

set options {http-err-detail | ...}

next

...

Removed deprecated option http-err-detail.

set extended-log {enable | disable}

set web-extended-all-action-log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

set youtube-channel-status [disable | blacklist | whitelist]

config youtube-channel-filter

edit <id>

set channel-id <url-channel-id>

set comment [comment]

next

...

Allow or block certain YouTube channels with new YouTube channel filter options. When defining channel-id, both the full URL or just the Channel ID suffix are acceptable.

Note that config youtube-channel-filter is only available when youtube-channel-status is set to either blacklist or whitelist.

config webfilter profile
    edit {name}
    # Configure Web filter profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Optional comments. size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set inspection-mode {proxy | flow-based}   Web filtering inspection mode.
                proxy       Proxy.
                flow-based  Flow based.
        set options {option}   Options.
                activexfilter      ActiveX filter.
                cookiefilter       Cookie filter.
                javafilter         Java applet filter.
                block-invalid-url  Block sessions contained an invalid domain name.
                jscript            Javascript block.
                js                 JS block.
                vbs                VB script block.
                unknown            Unknown script block.
                intrinsic          Intrinsic script block.
                wf-referer         Referring block.
                wf-cookie          Cookie block.
                per-user-bwl       Per-user black/white list filter
        set https-replacemsg {enable | disable}   Enable replacement messages for HTTPS.
        set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}   Permitted override types.
                bannedword-override         Banned word override.
                urlfilter-override          URL filter override.
                fortiguard-wf-override      FortiGuard Web Filter override.
                contenttype-check-override  Content-type header override.
        set post-action {normal | block}   Action taken for HTTP POST traffic.
                normal  Normal, POST requests are allowed.
                block   POST requests are blocked.
        config override
            set ovrd-cookie {allow | deny}   Allow/deny browser-based (cookie) overrides.
                    allow  Allow browser-based (cookie) override.
                    deny   Deny browser-based (cookie) override.
            set ovrd-scope {option}   Override scope.
                    user        Override for the user.
                    user-group  Override for the user's group.
                    ip          Override for the initiating IP.
                    browser     Create browser-based (cookie) override.
                    ask         Prompt for scope when initiating an override.
            set profile-type {list | radius}   Override profile type.
                    list    Profile chosen from list.
                    radius  Profile determined by RADIUS server.
            set ovrd-dur-mode {constant | ask}   Override duration mode.
                    constant  Constant mode.
                    ask       Prompt for duration when initiating an override.
            set ovrd-dur {string}   Override duration.
            set profile-attribute {option}   Profile attribute to retrieve from the RADIUS server.
                    User-Name              Use this attribute.
                    NAS-IP-Address         Use this attribute.
                    Framed-IP-Address      Use this attribute.
                    Framed-IP-Netmask      Use this attribute.
                    Filter-Id              Use this attribute.
                    Login-IP-Host          Use this attribute.
                    Reply-Message          Use this attribute.
                    Callback-Number        Use this attribute.
                    Callback-Id            Use this attribute.
                    Framed-Route           Use this attribute.
                    Framed-IPX-Network     Use this attribute.
                    Class                  Use this attribute.
                    Called-Station-Id      Use this attribute.
                    Calling-Station-Id     Use this attribute.
                    NAS-Identifier         Use this attribute.
                    Proxy-State            Use this attribute.
                    Login-LAT-Service      Use this attribute.
                    Login-LAT-Node         Use this attribute.
                    Login-LAT-Group        Use this attribute.
                    Framed-AppleTalk-Zone  Use this attribute.
                    Acct-Session-Id        Use this attribute.
                    Acct-Multi-Session-Id  Use this attribute.
            config ovrd-user-group
                edit {name}
                # User groups with permission to use the override.
                    set name {string}   User group name. size[64] - datasource(s): user.group.name
                next
            config profile
                edit {name}
                # Web filter profile with permission to create overrides.
                    set name {string}   Web profile. size[64] - datasource(s): webfilter.profile.name
                next
        config web
            set bword-threshold {integer}   Banned word score threshold. range[0-2147483647]
            set bword-table {integer}   Banned word table ID. range[0-4294967295] - datasource(s): webfilter.content.id
            set urlfilter-table {integer}   URL filter table ID. range[0-4294967295] - datasource(s): webfilter.urlfilter.id
            set content-header-list {integer}   Content header list. range[0-4294967295] - datasource(s): webfilter.content-header.id
            set blacklist {enable | disable}   Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
            set whitelist {option}   FortiGuard whitelist settings.
                    exempt-av                   Exempt antivirus.
                    exempt-webcontent           Exempt web content.
                    exempt-activex-java-cookie  Exempt ActiveX-JAVA-Cookie.
                    exempt-dlp                  Exempt DLP.
                    exempt-rangeblock           Exempt RangeBlock.
                    extended-log-others         Support extended log.
            set safe-search {url | header}   Safe search type.
                    url     Insert safe search string into URL.
                    header  Insert safe search header.
            set youtube-restrict {none | strict | moderate}   YouTube EDU filter level.
                    none      Full access for YouTube.
                    strict    Strict access for YouTube.
                    moderate  Moderate access for YouTube.
            set log-search {enable | disable}   Enable/disable logging all search phrases.
            config keyword-match
                edit {pattern}
                # Search keywords to log when match is found.
                    set pattern {string}   Pattern/keyword to search for. size[64]
                next
        set youtube-channel-status {disable | blacklist | whitelist}   YouTube channel filter status.
                disable    Disable YouTube channel filter.
                blacklist  Block matches.
                whitelist  Allow matches.
        config youtube-channel-filter
            edit {id}
            # YouTube channel filter.
                set id {integer}   ID. range[0-4294967295]
                set channel-id {string}   YouTube channel ID to be filtered. size[255]
                set comment {string}   Comment. size[255]
            next
        config ftgd-wf
            set options {error-allow | rate-server-ip | connect-request-bypass | ftgd-disable}   Options for FortiGuard Web Filter.
                    error-allow             Allow web pages with a rating error to pass through.
                    rate-server-ip          Rate the server IP in addition to the domain name.
                    connect-request-bypass  Bypass connection which has CONNECT request.
                    ftgd-disable            Disable FortiGuard scanning.
            set exempt-quota {string}   Do not stop quota for these categories.
            set ovrd {string}   Allow web filter profile overrides.
            config filters
                edit {id}
                # FortiGuard filters.
                    set id {integer}   ID number. range[0-255]
                    set category {integer}   Categories and groups the filter examines. range[0-255]
                    set action {block | authenticate | monitor | warning}   Action to take for matches.
                            block         Block access.
                            authenticate  Authenticate user before allowing access.
                            monitor       Allow access while logging the action.
                            warning       Allow access after warning the user.
                    set warn-duration {string}   Duration of warnings.
                    config auth-usr-grp
                        edit {name}
                        # Groups with permission to authenticate.
                            set name {string}   User group name. size[64] - datasource(s): user.group.name
                        next
                    set log {enable | disable}   Enable/disable logging.
                    set override-replacemsg {string}   Override replacement message. size[28]
                    set warning-prompt {per-domain | per-category}   Warning prompts in each category or each domain.
                            per-domain    Per-domain warnings.
                            per-category  Per-category warnings.
                    set warning-duration-type {session | timeout}   Re-display warning after closing browser or after a timeout.
                            session  After session ends.
                            timeout  After timeout occurs.
                next
            config quota
                edit {id}
                # FortiGuard traffic quota settings.
                    set id {integer}   ID number. range[0-4294967295]
                    set category {string}   FortiGuard categories to apply quota to (category action must be set to monitor).
                    set type {time | traffic}   Quota type.
                            time     Use a time-based quota.
                            traffic  Use a traffic-based quota.
                    set unit {B | KB | MB | GB}   Traffic quota unit of measurement.
                            B   Quota in bytes.
                            KB  Quota in kilobytes.
                            MB  Quota in megabytes.
                            GB  Quota in gigabytes.
                    set value {integer}   Traffic quota value. range[1-4294967295]
                    set duration {string}   Duration of quota.
                    set override-replacemsg {string}   Override replacement message. size[28]
                next
            set max-quota-timeout {integer}   Maximum FortiGuard quota used by single page view in seconds (excludes streams). range[1-86400]
            set rate-image-urls {disable | enable}   Enable/disable rating images by URL.
            set rate-javascript-urls {disable | enable}   Enable/disable rating JavaScript by URL.
            set rate-css-urls {disable | enable}   Enable/disable rating CSS by URL.
            set rate-crl-urls {disable | enable}   Enable/disable rating CRL by URL.
        set wisp {enable | disable}   Enable/disable web proxy WISP.
        config wisp-servers
            edit {name}
            # WISP servers.
                set name {string}   Server name. size[64] - datasource(s): web-proxy.wisp.name
            next
        set wisp-algorithm {primary-secondary | round-robin | auto-learning}   WISP server selection algorithm.
                primary-secondary  Select the first healthy server in order.
                round-robin        Select the next healthy server.
                auto-learning      Select the lightest loading healthy server.
        set log-all-url {enable | disable}   Enable/disable logging all URLs visited.
        set web-content-log {enable | disable}   Enable/disable logging logging blocked web content.
        set web-filter-activex-log {enable | disable}   Enable/disable logging ActiveX.
        set web-filter-command-block-log {enable | disable}   Enable/disable logging blocked commands.
        set web-filter-cookie-log {enable | disable}   Enable/disable logging cookie filtering.
        set web-filter-applet-log {enable | disable}   Enable/disable logging Java applets.
        set web-filter-jscript-log {enable | disable}   Enable/disable logging JScripts.
        set web-filter-js-log {enable | disable}   Enable/disable logging Java scripts.
        set web-filter-vbs-log {enable | disable}   Enable/disable logging VBS scripts.
        set web-filter-unknown-log {enable | disable}   Enable/disable logging unknown scripts.
        set web-filter-referer-log {enable | disable}   Enable/disable logging referrers.
        set web-filter-cookie-removal-log {enable | disable}   Enable/disable logging blocked cookies.
        set web-url-log {enable | disable}   Enable/disable logging URL filtering.
        set web-invalid-domain-log {enable | disable}   Enable/disable logging invalid domain names.
        set web-ftgd-err-log {enable | disable}   Enable/disable logging rating errors.
        set web-ftgd-quota-usage {enable | disable}   Enable/disable logging daily quota usage.
        set extended-log {enable | disable}   Enable/disable extended logging for web filtering.
        set web-extended-all-action-log {enable | disable}   Enable/disable extended any filter action logging for web filtering.
    next
end

webfilter profile

Use this command configure web filter profiles.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config ftgd-wf

set options {http-err-detail | ...}

next

...

Removed deprecated option http-err-detail.

set extended-log {enable | disable}

set web-extended-all-action-log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

set youtube-channel-status [disable | blacklist | whitelist]

config youtube-channel-filter

edit <id>

set channel-id <url-channel-id>

set comment [comment]

next

...

Allow or block certain YouTube channels with new YouTube channel filter options. When defining channel-id, both the full URL or just the Channel ID suffix are acceptable.

Note that config youtube-channel-filter is only available when youtube-channel-status is set to either blacklist or whitelist.

config webfilter profile
    edit {name}
    # Configure Web filter profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Optional comments. size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set inspection-mode {proxy | flow-based}   Web filtering inspection mode.
                proxy       Proxy.
                flow-based  Flow based.
        set options {option}   Options.
                activexfilter      ActiveX filter.
                cookiefilter       Cookie filter.
                javafilter         Java applet filter.
                block-invalid-url  Block sessions contained an invalid domain name.
                jscript            Javascript block.
                js                 JS block.
                vbs                VB script block.
                unknown            Unknown script block.
                intrinsic          Intrinsic script block.
                wf-referer         Referring block.
                wf-cookie          Cookie block.
                per-user-bwl       Per-user black/white list filter
        set https-replacemsg {enable | disable}   Enable replacement messages for HTTPS.
        set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}   Permitted override types.
                bannedword-override         Banned word override.
                urlfilter-override          URL filter override.
                fortiguard-wf-override      FortiGuard Web Filter override.
                contenttype-check-override  Content-type header override.
        set post-action {normal | block}   Action taken for HTTP POST traffic.
                normal  Normal, POST requests are allowed.
                block   POST requests are blocked.
        config override
            set ovrd-cookie {allow | deny}   Allow/deny browser-based (cookie) overrides.
                    allow  Allow browser-based (cookie) override.
                    deny   Deny browser-based (cookie) override.
            set ovrd-scope {option}   Override scope.
                    user        Override for the user.
                    user-group  Override for the user's group.
                    ip          Override for the initiating IP.
                    browser     Create browser-based (cookie) override.
                    ask         Prompt for scope when initiating an override.
            set profile-type {list | radius}   Override profile type.
                    list    Profile chosen from list.
                    radius  Profile determined by RADIUS server.
            set ovrd-dur-mode {constant | ask}   Override duration mode.
                    constant  Constant mode.
                    ask       Prompt for duration when initiating an override.
            set ovrd-dur {string}   Override duration.
            set profile-attribute {option}   Profile attribute to retrieve from the RADIUS server.
                    User-Name              Use this attribute.
                    NAS-IP-Address         Use this attribute.
                    Framed-IP-Address      Use this attribute.
                    Framed-IP-Netmask      Use this attribute.
                    Filter-Id              Use this attribute.
                    Login-IP-Host          Use this attribute.
                    Reply-Message          Use this attribute.
                    Callback-Number        Use this attribute.
                    Callback-Id            Use this attribute.
                    Framed-Route           Use this attribute.
                    Framed-IPX-Network     Use this attribute.
                    Class                  Use this attribute.
                    Called-Station-Id      Use this attribute.
                    Calling-Station-Id     Use this attribute.
                    NAS-Identifier         Use this attribute.
                    Proxy-State            Use this attribute.
                    Login-LAT-Service      Use this attribute.
                    Login-LAT-Node         Use this attribute.
                    Login-LAT-Group        Use this attribute.
                    Framed-AppleTalk-Zone  Use this attribute.
                    Acct-Session-Id        Use this attribute.
                    Acct-Multi-Session-Id  Use this attribute.
            config ovrd-user-group
                edit {name}
                # User groups with permission to use the override.
                    set name {string}   User group name. size[64] - datasource(s): user.group.name
                next
            config profile
                edit {name}
                # Web filter profile with permission to create overrides.
                    set name {string}   Web profile. size[64] - datasource(s): webfilter.profile.name
                next
        config web
            set bword-threshold {integer}   Banned word score threshold. range[0-2147483647]
            set bword-table {integer}   Banned word table ID. range[0-4294967295] - datasource(s): webfilter.content.id
            set urlfilter-table {integer}   URL filter table ID. range[0-4294967295] - datasource(s): webfilter.urlfilter.id
            set content-header-list {integer}   Content header list. range[0-4294967295] - datasource(s): webfilter.content-header.id
            set blacklist {enable | disable}   Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
            set whitelist {option}   FortiGuard whitelist settings.
                    exempt-av                   Exempt antivirus.
                    exempt-webcontent           Exempt web content.
                    exempt-activex-java-cookie  Exempt ActiveX-JAVA-Cookie.
                    exempt-dlp                  Exempt DLP.
                    exempt-rangeblock           Exempt RangeBlock.
                    extended-log-others         Support extended log.
            set safe-search {url | header}   Safe search type.
                    url     Insert safe search string into URL.
                    header  Insert safe search header.
            set youtube-restrict {none | strict | moderate}   YouTube EDU filter level.
                    none      Full access for YouTube.
                    strict    Strict access for YouTube.
                    moderate  Moderate access for YouTube.
            set log-search {enable | disable}   Enable/disable logging all search phrases.
            config keyword-match
                edit {pattern}
                # Search keywords to log when match is found.
                    set pattern {string}   Pattern/keyword to search for. size[64]
                next
        set youtube-channel-status {disable | blacklist | whitelist}   YouTube channel filter status.
                disable    Disable YouTube channel filter.
                blacklist  Block matches.
                whitelist  Allow matches.
        config youtube-channel-filter
            edit {id}
            # YouTube channel filter.
                set id {integer}   ID. range[0-4294967295]
                set channel-id {string}   YouTube channel ID to be filtered. size[255]
                set comment {string}   Comment. size[255]
            next
        config ftgd-wf
            set options {error-allow | rate-server-ip | connect-request-bypass | ftgd-disable}   Options for FortiGuard Web Filter.
                    error-allow             Allow web pages with a rating error to pass through.
                    rate-server-ip          Rate the server IP in addition to the domain name.
                    connect-request-bypass  Bypass connection which has CONNECT request.
                    ftgd-disable            Disable FortiGuard scanning.
            set exempt-quota {string}   Do not stop quota for these categories.
            set ovrd {string}   Allow web filter profile overrides.
            config filters
                edit {id}
                # FortiGuard filters.
                    set id {integer}   ID number. range[0-255]
                    set category {integer}   Categories and groups the filter examines. range[0-255]
                    set action {block | authenticate | monitor | warning}   Action to take for matches.
                            block         Block access.
                            authenticate  Authenticate user before allowing access.
                            monitor       Allow access while logging the action.
                            warning       Allow access after warning the user.
                    set warn-duration {string}   Duration of warnings.
                    config auth-usr-grp
                        edit {name}
                        # Groups with permission to authenticate.
                            set name {string}   User group name. size[64] - datasource(s): user.group.name
                        next
                    set log {enable | disable}   Enable/disable logging.
                    set override-replacemsg {string}   Override replacement message. size[28]
                    set warning-prompt {per-domain | per-category}   Warning prompts in each category or each domain.
                            per-domain    Per-domain warnings.
                            per-category  Per-category warnings.
                    set warning-duration-type {session | timeout}   Re-display warning after closing browser or after a timeout.
                            session  After session ends.
                            timeout  After timeout occurs.
                next
            config quota
                edit {id}
                # FortiGuard traffic quota settings.
                    set id {integer}   ID number. range[0-4294967295]
                    set category {string}   FortiGuard categories to apply quota to (category action must be set to monitor).
                    set type {time | traffic}   Quota type.
                            time     Use a time-based quota.
                            traffic  Use a traffic-based quota.
                    set unit {B | KB | MB | GB}   Traffic quota unit of measurement.
                            B   Quota in bytes.
                            KB  Quota in kilobytes.
                            MB  Quota in megabytes.
                            GB  Quota in gigabytes.
                    set value {integer}   Traffic quota value. range[1-4294967295]
                    set duration {string}   Duration of quota.
                    set override-replacemsg {string}   Override replacement message. size[28]
                next
            set max-quota-timeout {integer}   Maximum FortiGuard quota used by single page view in seconds (excludes streams). range[1-86400]
            set rate-image-urls {disable | enable}   Enable/disable rating images by URL.
            set rate-javascript-urls {disable | enable}   Enable/disable rating JavaScript by URL.
            set rate-css-urls {disable | enable}   Enable/disable rating CSS by URL.
            set rate-crl-urls {disable | enable}   Enable/disable rating CRL by URL.
        set wisp {enable | disable}   Enable/disable web proxy WISP.
        config wisp-servers
            edit {name}
            # WISP servers.
                set name {string}   Server name. size[64] - datasource(s): web-proxy.wisp.name
            next
        set wisp-algorithm {primary-secondary | round-robin | auto-learning}   WISP server selection algorithm.
                primary-secondary  Select the first healthy server in order.
                round-robin        Select the next healthy server.
                auto-learning      Select the lightest loading healthy server.
        set log-all-url {enable | disable}   Enable/disable logging all URLs visited.
        set web-content-log {enable | disable}   Enable/disable logging logging blocked web content.
        set web-filter-activex-log {enable | disable}   Enable/disable logging ActiveX.
        set web-filter-command-block-log {enable | disable}   Enable/disable logging blocked commands.
        set web-filter-cookie-log {enable | disable}   Enable/disable logging cookie filtering.
        set web-filter-applet-log {enable | disable}   Enable/disable logging Java applets.
        set web-filter-jscript-log {enable | disable}   Enable/disable logging JScripts.
        set web-filter-js-log {enable | disable}   Enable/disable logging Java scripts.
        set web-filter-vbs-log {enable | disable}   Enable/disable logging VBS scripts.
        set web-filter-unknown-log {enable | disable}   Enable/disable logging unknown scripts.
        set web-filter-referer-log {enable | disable}   Enable/disable logging referrers.
        set web-filter-cookie-removal-log {enable | disable}   Enable/disable logging blocked cookies.
        set web-url-log {enable | disable}   Enable/disable logging URL filtering.
        set web-invalid-domain-log {enable | disable}   Enable/disable logging invalid domain names.
        set web-ftgd-err-log {enable | disable}   Enable/disable logging rating errors.
        set web-ftgd-quota-usage {enable | disable}   Enable/disable logging daily quota usage.
        set extended-log {enable | disable}   Enable/disable extended logging for web filtering.
        set web-extended-all-action-log {enable | disable}   Enable/disable extended any filter action logging for web filtering.
    next
end