Fortinet Cookbook
Doc ID: fed12558-14f5-11e9-b86b-00505692583a:615462

URL filter

URL filter is also called static URL filter. By adding specific URLs or patterns (plain text, wildcards, or regular expressions), FortiGate can allow, block, exempt, or monitor web pages that match them, and can display a replacement message instead of a blocked page.

Sample topology (diagram not reproduced in this text)

Create URL filter

You can create a URL filter using the GUI or CLI. After creating the URL filter, attach it to a webfilter profile.

To create URL filter in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable URL Filter.

  3. Under URL Filter, select Create New to display the New URL Filter pane, then choose a URL Filter Type and a URL Filter Action.

    URL Filter Type

    Simple: FortiGate matches the entered string exactly. For example, if you enter www.facebook.com in the URL field, it matches only www.facebook.com; it does not match facebook.com or message.facebook.com. When FortiGate finds a match, it performs the selected URL Action.

    Regular Expression or Wildcard: FortiGate matches the pattern using regular expression or wildcard rules. For example, if you enter *fa* in the URL field, it matches any URL containing fa, such as www.facebook.com, message.facebook.com, and fast.com. When FortiGate finds a match, it performs the selected URL Action. Wildcard and regular expression entries can match more than the host you intend (*facebook.com also matches notfacebook.com), which is harmless for Block but matters for Allow and Exempt.

    For more information, see the URL Filter expressions technical note at https://kb.fortinet.com/kb/documentLink.do?externalID=FD37057.

    URL Filter Action

    Block: Denies access to any URL matching the pattern. FortiGate displays a replacement message.

    Allow: The traffic is passed on to the remaining checks: FortiGuard web filter, web content filter, web script filter, antivirus proxy operations, and DLP proxy operations. A URL that matches no entry in the list is treated the same way: the static URL filter takes no action and the remaining checks decide.

    Monitor: The traffic is processed the same way as Allow, and a log message is generated each time a matching session is established.

    Exempt: The traffic bypasses the remaining FortiGuard web filter, web content filter, web script filter, antivirus scanning, and DLP proxy operations. Because exempted traffic is not scanned, use Exempt only for precisely specified, trusted destinations, and prefer Simple entries over wildcards for it.

  4. For example, enter *facebook.com, select Wildcard as the type and Block as the action, and select OK.

After creating the URL filter, attach it to a webfilter profile.
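Before pushing a list of entries to a device it is worth seeing what each entry will catch, and over-catch. The following is an added example (not code from the Fortinet page) that models the three entry types and first-match-wins evaluation as this page describes them, so you can dry-run a pattern list against probe URLs. It is an approximation of, not a copy of, FortiGate's matching engine: the order-of-evaluation assumption, the unanchored wildcard behaviour, and the example entries and probe URLs are all assumptions made here, so confirm results on the FortiGate itself.

```python
"""Dry-run tester for a FortiGate static URL filter list (added example).

Models simple / wildcard / regex entries and first-match-wins evaluation as the
page describes them. Not FortiGate's matching engine: verify on the device.
"""
import re
from urllib.parse import urlsplit


def url_subject(url):
    """Reduce a URL to the lower-cased 'host/path' string the entries are compared against."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def wildcard_to_regex(pattern):
    """Translate a wildcard entry: '*' matches any run of characters, '?' one character."""
    return "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )


def entry_matches(entry, url):
    """Apply one URL filter entry to a URL using the page's description of each type."""
    subject = url_subject(url)
    kind = entry["type"]
    if kind == "simple":
        # Host must match exactly; a path in the pattern must be a prefix of the URL path.
        host, _, path = entry["url"].lower().partition("/")
        subj_host, _, subj_path = subject.partition("/")
        return subj_host == host and subj_path.startswith(path)
    if kind == "wildcard":
        # Unanchored, like the '*fa*' example: the pattern may match anywhere in host/path.
        return re.search(wildcard_to_regex(entry["url"].lower()), subject) is not None
    if kind == "regex":
        return re.search(entry["url"], subject, re.IGNORECASE) is not None
    raise ValueError(f"unknown URL filter type: {kind}")


def evaluate(entries, url):
    """Return the action of the first enabled entry (by id) that matches, else None.

    Assumption: entries are checked in id order and the first match wins.
    """
    for entry in sorted(entries, key=lambda e: e["id"]):
        if entry.get("status", "enable") == "enable" and entry_matches(entry, url):
            return entry["action"]
    return None


def dry_run(entries, urls):
    """Map each probe URL to the action the list would take (None = no entry matched)."""
    return {url: evaluate(entries, url) for url in urls}


# Constructed example list: mirrors the page's '*facebook.com' block entry and adds
# hypothetical monitor, exempt and disabled entries.
ENTRIES = [
    {"id": 1, "url": "*facebook.com", "type": "wildcard", "action": "block"},
    {"id": 2, "url": "www.example.com", "type": "simple", "action": "monitor"},
    {"id": 3, "url": r"^intranet\.corp\.example/", "type": "regex", "action": "exempt"},
    {"id": 4, "url": "*.cdn.example", "type": "wildcard", "action": "allow", "status": "disable"},
]

# Constructed probe URLs, including ones chosen to expose over-matching.
PROBES = [
    "https://www.facebook.com/",
    "https://fakefacebook.com/login",        # wildcard over-match: blocked too
    "https://www.facebook.com.evil.test/",   # unanchored wildcard: blocked (bad if the action were exempt)
    "http://www.example.com/news",
    "http://message.example.com/",           # simple: different host, no match
    "http://example.com/",                   # simple: different host, no match
    "http://intranet.corp.example/wiki",
    "http://static.cdn.example/app.js",      # entry 4 is disabled: no match
]

if __name__ == "__main__":
    for url, action in dry_run(ENTRIES, PROBES).items():
        print(f"{action or '-':8} {url}")
```

The probes that the wildcard entry catches beyond www.facebook.com are the point: with a Block action that is extra coverage, but the same entry with an Exempt action would let unrelated hosts skip antivirus and DLP scanning.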

Create URL filter using CLI

To create and enable a URL filter using the CLI, create the URL filter and then attach it to a webfilter profile. The CLI reference below shows the full syntax of the webfilter urlfilter object.

config webfilter urlfilter
   edit {id}
   # Configure URL filter lists.
      set name {string}   Name of URL filter list. size[35]
      config entries
         edit {id}
         # URL filter entries.
            set url {string}   URL to be filtered. size[511]
            set type {simple | regex | wildcard}  Filter type (simple, regex, or wildcard).
                    simple    Simple URL string.
                    regex     Regular expression URL string.
                    wildcard  Wildcard URL string.
            set action {exempt | block | allow | monitor}  Action to take for URL filter matches.
                    exempt   Exempt matches.
                    block    Block matches.
                    allow    Allow matches (no log).
                    monitor  Allow matches (with log).
            set status {enable | disable}   Enable/disable this URL filter.
            set exempt {option}   If action is set to exempt, select the security profile operations that exempt URLs skip. Separate multiple options with a space.
                    av                   AntiVirus scanning.
                    web-content          Web Filter content matching.
                    activex-java-cookie  ActiveX, Java, and cookie filtering.
                    dlp                  DLP scanning.
                    fortiguard           FortiGuard web filter.
                    range-block          Range block feature.
                    pass                 Pass single connection from all.
                    all                  Exempt from all security profiles.
            set referrer-host {string}   Referrer host name. size[255]
         next
   next
end
To create a URL filter that blocks Facebook using the CLI:
config webfilter urlfilter
    edit 1
        set name "webfilter"
        config entries
            edit 1
                set url "*facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end
To attach the URL filter to a webfilter profile:
config webfilter profile
    edit "webfilter"               <-- the name of the webfilter profile 
        config web
            set urlfilter-table 1  <-- the URL filter created with ID number 1
        end
        config ftgd-wf
            unset options
        end
    next
end

Attach webfilter profile to the firewall policy

After you have created the URL filter and attached it to a webfilter profile, you must attach the profile to a firewall policy.

To attach a webfilter profile to a firewall policy using the GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Edit the policy on which you want to enable the web filter.
  3. In the Security Profiles section, enable Web Filter and select the profile you created.

To attach a webfilter profile to a firewall policy using the CLI:
config firewall policy
    edit 1
        set name "WF"
        set uuid b725a4d4-5be5-51e9-43fa-6d4e67d56bad
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter"    <-- attach the webfilter profile you just created. 
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Validate the URL filter results

Validate the URL filter results by browsing to a blocked website. For example, when you go to the Facebook website, you see the replacement message. Note that in the sample log below the blocked session is HTTPS and the logged url is "/": with certificate inspection the FortiGate sees only the hostname (from the TLS handshake or the server certificate), not the path, so entries that depend on the path of an HTTPS URL work only when the policy's SSL/SSH profile performs full (deep) inspection.

To customize the URL web page blocked message:
  1. Go to System > Replacement Messages.
  2. Go to the Security section and select URL Block Page.
  3. Set up a custom message for blocked pages.

To check webfilter logs in the GUI:
  1. Go to Log & Report > Web Filter.

  2. If there are too many log entries, click Add Filter and select Event Type > urlfilter to display logs generated by the URL filter.
To check webfilter logs in the CLI:
FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 urlfilteridx=0 urlsource="Local URLfilter Block" policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472 srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"
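The log line above is the raw record you get from the CLI or a syslog feed. The following is an added example (not code from the Fortinet page) that parses FortiGate's key=value log layout and pulls out the static URL filter blocks, so the same check can run over a log export or a SIEM extract. The first sample line is the page's own output; the other lines are constructed to resemble it and their field values (hosts, IPs, session IDs, the passthrough and ftgd_blk records) are illustrative assumptions, not captured traffic.

```python
"""Parse FortiGate web filter log lines and pull out static URL filter blocks.

Added example, not code from the Fortinet page. Only the key=value layout is
relied on; field names come from the page's own sample record.
"""
import re
from collections import Counter

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortigate_log(line):
    """Return a dict of fields from one log line; a leading 'N: ' index from 'execute log display' is ignored."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def urlfilter_blocks(lines):
    """Records where the static URL filter (eventtype=urlfilter) blocked the request."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if (rec.get("subtype") == "webfilter"
                and rec.get("eventtype") == "urlfilter"
                and rec.get("action") == "blocked"):
            hits.append(rec)
    return hits


def blocks_by_source(lines):
    """Count URL filter blocks per source IP; a host that keeps hitting the list stands out."""
    return Counter(rec["srcip"] for rec in urlfilter_blocks(lines))


SAMPLE_LOGS = [
    # The page's own record (from 'execute log display').
    '1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 '
    'urlfilteridx=0 urlsource="Local URLfilter Block" policyid=1 sessionid=649063 '
    'srcip=10.1.200.15 srcport=50472 srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 '
    'dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" '
    'hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" '
    'url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" '
    'msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"',
    # Constructed: a second block from the same client against another matching host.
    '2: date=2019-04-22 time=11:49:02 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="vdom1" policyid=1 sessionid=649077 '
    'srcip=10.1.200.15 srcport=50488 dstip=157.240.18.35 dstport=443 proto=6 service="HTTPS" '
    'hostname="m.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="/" '
    'msg="URL was blocked because it is in the URL filter list"',
    # Constructed: a Monitor entry match, which is logged but not blocked.
    '3: date=2019-04-22 time=11:50:11 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="notice" vd="vdom1" policyid=1 sessionid=649101 '
    'srcip=10.1.200.20 srcport=51002 dstip=203.0.113.10 dstport=80 proto=6 service="HTTP" '
    'hostname="www.example.com" profile="webfilter" action="passthrough" reqtype="direct" url="/news"',
    # Constructed: a FortiGuard category block, which is not a static URL filter event.
    '4: date=2019-04-22 time=11:51:40 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 sessionid=649120 '
    'srcip=10.1.200.15 srcport=51030 dstip=198.51.100.7 dstport=443 proto=6 service="HTTPS" '
    'hostname="casino.example" profile="webfilter" action="blocked" reqtype="direct" url="/"',
]

if __name__ == "__main__":
    for rec in urlfilter_blocks(SAMPLE_LOGS):
        print(rec["srcip"], "->", rec["hostname"] + rec["url"], "policy", rec["policyid"])
    print(dict(blocks_by_source(SAMPLE_LOGS)))
```

Filtering on eventtype="urlfilter" rather than on action="blocked" alone is what separates hits on your own list from FortiGuard category blocks (eventtype="ftgd_blk"), which is the same distinction the GUI's Event Type filter makes.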
