Advanced configurations
Allow websites when a rating error occurs
Enable this setting to allow access to web pages that return a rating error from the FortiGuard Web Filter service.
If your FortiGate unit temporarily cannot contact the FortiGuard service, this setting determines the type of access the FortiGate unit allows until contact is re-established. If enabled, users have full unfiltered access to all web sites. If disabled, users are not allowed access to any web sites.
ActiveX filter
Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly with this filter enabled.
Block Invalid URLs
Select to block web sites when their SSL certificate CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
- If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
- If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
Note: Enabling the Web Filter profile to block a particular category and enabling the Application Control profile will not result in blocking the URL. This occurs because proxy and flow-based profiles cannot operate together. To ensure replacement messages show up for blocked URLs, switch the Web Filter to flow-based inspection.
Cookie filter
Enable to filter cookies from web traffic. Web sites using cookies may not function properly with this enabled.
Provide Details for Blocked HTTP 4xx and 5xx Errors
Enable to have the FortiGate unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.
HTTP POST action
Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.
The available actions are:
Allow
Allow the HTTP POST command.
Block
Block the HTTP POST command. This will limit users from sending information and files to web sites.
When the post request is blocked, the FortiGate unit sends the http-post-block replacement message to the web browser attempting to use the command.
Java applet filter
Enable to filter java applets from web traffic. Web sites using java applets may not function properly with this filter enabled.
Rate Images by URL
Enable to have the FortiGate retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.
Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.
Rate URLs by Domain and IP Address
Enable to have the FortiGate unit request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.
If the rating determined by the domain name and the rating determined by the IP address differ, the Action that is enforced is determined by a weighting assigned to the different categories. The higher weighted category takes precedence in determining the action. A side effect is that sometimes the Action is determined by the classification based on the domain name and other times by the classification based on the IP address.
Note: FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed.
For example, suppose a URL's rating based on the domain name places it in the category Lingerie and Swimsuit, which is allowed, but the category assigned to the IP address is Pornography, which has an action of Block. Because the Pornography category has a higher weight, the effective action is Block.
Web resume download block
Enable to prevent the resumption of a file download where it was previously interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off.
This prevents the unintentional download of viruses hidden in fragmented files.
Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager.
Restrict Google account usage to specific domains
This feature allows blocking access to some Google accounts and services while allowing access to accounts that belong to the domains specified in the exception list.
Block non-English character URLs
The FortiGate will not successfully block non-English character URLs if they are added to the URL filter in their raw form. In order to block access to URLs with non-English characters, the characters must be converted to their percent-encoded (URL-encoded) form, which is the form the FortiGate GUI displays.
Browse to the non-English character URL (for example, http://www.fortinet.com/pages/ที่นี่-ไม่มีเศษรัฐประหารให้ใครแดก/338419686287505?ref=stream).
On the FortiGate, use the URL shown in the FortiGate GUI and add it to the list of blocked URLs in your URL filter (for example, http://www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream).
Once added, further browsing to the URL will result in a blocked page.
CLI Syntax
config webfilter urlfilter
    edit 1
        set name "block_international_character_urls"
        config entries
            edit 1
                set url "www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream"
                set action block
            next
        end
    next
end
config webfilter profile
    edit "block_international_character_urls"
        config web
            set urlfilter-table 1
        end
    next
end
config firewall policy
    edit 3
        set uuid cf80d386-7bcf-51e5-6e87-db207e3f0fa8
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webfilter-profile "block_international_character_urls"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
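The conversion step above can be scripted so that the URL filter entry is generated from the raw URL rather than copied from the GUI. The following is an added example, not Fortinet code; the function names, the IDNA handling of the hostname and the generated CLI layout are assumptions, and the sample URL is the one from this page.

```python
"""Convert a URL containing non-ASCII characters into the percent-encoded
form a FortiGate URL filter entry expects. Added example; not Fortinet code."""
from urllib.parse import quote, unquote, urlsplit

# Constructed sample input: the Thai-language URL from the page, in raw form.
RAW_URL = "http://www.fortinet.com/pages/ที่นี่-ไม่มีเศษรัฐประหารให้ใครแดก/338419686287505?ref=stream"


def to_urlfilter_entry(url: str) -> str:
    """Return the scheme-less, percent-encoded form of *url*.

    - The host is lower-cased and IDNA-encoded so a non-ASCII hostname
      also ends up as plain ASCII (assumption: the filter matches the
      wire form of the Host header).
    - Path and query are unquoted first and then re-quoted, so input that
      is already percent-encoded (e.g. copied from the FortiGate GUI)
      is not double-encoded.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname.encode("idna").decode("ascii")
    if parts.port:
        host = f"{host}:{parts.port}"
    path = quote(unquote(parts.path), safe="/")   # UTF-8, uppercase %XX
    entry = host + path
    if parts.query:
        entry += "?" + quote(unquote(parts.query), safe="=&")
    return entry


def urlfilter_cli(table_id: int, name: str, urls: list[str]) -> str:
    """Render a 'config webfilter urlfilter' block with one block entry per URL."""
    lines = ["config webfilter urlfilter", f"    edit {table_id}",
             f'        set name "{name}"', "        config entries"]
    for i, u in enumerate(urls, start=1):
        lines += [f"            edit {i}",
                  f'                set url "{to_urlfilter_entry(u)}"',
                  "                set action block",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(urlfilter_cli(1, "block_international_character_urls", [RAW_URL]))
```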
Websense web filtering through WISP
WISP is a Websense protocol that allows for URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.
This feature provides a solution for customers who have large, existing, deployed implementations of Websense security products to replace their legacy firewalls with a FortiGate family, such that they are not forced to make a change to their web filtering infrastructure at the same time.
When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.
Configuring the WISP server
In order to use Websense's web filtering service, a WISP server must first be defined and enabled in each VDOM that will use it.
config web-proxy wisp
    edit {name}    # Configure Wireless Internet service provider (WISP) servers.
        set name {string}                  Server name. size[35]
        set comment {string}               Comment. size[255]
        set outgoing-ip {ipv4 address any} WISP outgoing IP address.
        set server-ip {ipv4 address any}   WISP server IP address.
        set server-port {integer}          WISP server port (1 - 65535, default = 15868). range[1-65535]
        set max-connections {integer}      Maximum number of web proxy WISP connections (4 - 4096, default = 64). range[4-4096]
        set timeout {integer}              Period of time before WISP requests time out (1 - 15 sec, default = 5). range[1-15]
    next
end
Example configuration
config web-proxy wisp
    edit 0
        set outgoing-ip 0.0.0.0
        set server-ip 0.0.0.0
        set server-port 15868
        set max-connections 64
        set timeout 5
    next
end
After configuring the WISP server, enable WISP in the web filter profile.
config webfilter profile
    edit "wisp_only"
        set wisp enable
        set wisp-servers 0
    next
end
Now you can apply the web filter profile to a firewall policy.
If you configure more than one WISP server, the load balance option can also be configured.
config webfilter profile
    edit "wisp_only"
        set wisp-algorithm {primary-secondary | round-robin | auto-learning}
    next
end
The options for wisp-algorithm are:
primary-secondary: select the first healthy server in order
round-robin: select the next healthy server
auto-learning: select the healthy server with the lightest load