Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.2.10
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Advanced filters 1

    Advanced filters 1

    This topic gives examples of the following advanced filter features:

    Block malicious URLs discovered by FortiSandbox

    To use this feature, you must be registered to a FortiSandbox and be connected to it.

    This feature blocks malicious URLs that FortiSandbox finds.

    For information on configuring FortiSandbox, see Using FortiSandbox Cloud with antivirus.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
    2. Enable Block malicious URLs discovered by FortiSandbox.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config web
            set blacklist enable
        end
    next
end

    Allow websites when a rating error occurs

    If you don't have a FortiGuard license but you have enabled services that need a FortiGuard license, such as FortiGuard filter, then you'll get a rating error message.

    Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Rating Options section.
    2. Enable Allow websites when a rating error occurs.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options error-allow
        end
    next
end

    Rate URLs by domain and IP address

    If you enable this feature, in addition to only sending domain information to FortiGuard for rating, FortiGate always sends both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for the rating.

    FortiGuard server might return a different category of IP address and URL domain. If they are different, FortiGate uses the rating weight of the IP address or domain name to determine the rating result and decision. This rating weight is hard-coded in FortiGate.

    For example, if we use a spoof IP of Google as www.irs.gov, FortiGate will send both the IP address and domain name to FortiGuard to get the rating. In this example, we get two different ratings, one is search engine and portals which belongs to the IP of Google, another is government and legal organizations which belongs to www.irs.gov. As the search engine and portals has a higher weight than government and legal organizations, this traffic will be rated as search engine and portals and not rated as government and legal organizations.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Rating Options section.
    2. Enable Rate URLs by domain and IP address.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options rate-server-ip
        end
    next
end

    Block invalid URLs

    Use this feature to block websites when their SSL certificate CN field does not contain a valid domain name.

    For example, this option blocks URLs which contains spaces. If there is a space in the URL, it must be written as: http://www.example.com/space%20here.html.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
    2. Enable Block invalid URLs .

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        set options block-invalid-url
    next
end

    Rate images by URL

    This feature enable FortiGate to retrieve ratings for individual images in addition to websites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced with blank placeholders. These image file types are rated: GIF, JPEG, PNG, BMP, and TIFF.

    This feature requires a valid FortiGuard license, otherwise rating errors will occur. By default, this feature is enabled.

    For example, if the Other Adult Materials category is blocked, before enabling Rate images by URL, the image is not blocked:

    After enabling Rate images by URL, images in the Other Adult Materials category are blocked. For example:

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Rating Options section.
    2. Enable Rate images by URL.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            set rate-image-urls enable
        end
    next
end
    Previous
    Next

    Advanced filters 1

    Advanced filters 1

    This topic gives examples of the following advanced filter features:

    Block malicious URLs discovered by FortiSandbox

    To use this feature, you must be registered to a FortiSandbox and be connected to it.

    This feature blocks malicious URLs that FortiSandbox finds.

    For information on configuring FortiSandbox, see Using FortiSandbox Cloud with antivirus.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
    2. Enable Block malicious URLs discovered by FortiSandbox.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config web
            set blacklist enable
        end
    next
end

    Allow websites when a rating error occurs

    If you don't have a FortiGuard license but you have enabled services that need a FortiGuard license, such as FortiGuard filter, then you'll get a rating error message.

    Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Rating Options section.
    2. Enable Allow websites when a rating error occurs.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options error-allow
        end
    next
end

    Rate URLs by domain and IP address

    If you enable this feature, in addition to only sending domain information to FortiGuard for rating, FortiGate always sends both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for the rating.

    FortiGuard server might return a different category of IP address and URL domain. If they are different, FortiGate uses the rating weight of the IP address or domain name to determine the rating result and decision. This rating weight is hard-coded in FortiGate.

    For example, if we use a spoof IP of Google as www.irs.gov, FortiGate will send both the IP address and domain name to FortiGuard to get the rating. In this example, we get two different ratings, one is search engine and portals which belongs to the IP of Google, another is government and legal organizations which belongs to www.irs.gov. As the search engine and portals has a higher weight than government and legal organizations, this traffic will be rated as search engine and portals and not rated as government and legal organizations.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Rating Options section.
    2. Enable Rate URLs by domain and IP address.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options rate-server-ip
        end
    next
end

    Block invalid URLs

    Use this feature to block websites when their SSL certificate CN field does not contain a valid domain name.

    For example, this option blocks URLs which contains spaces. If there is a space in the URL, it must be written as: http://www.example.com/space%20here.html.

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
    2. Enable Block invalid URLs .

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        set options block-invalid-url
    next
end

    Rate images by URL

    This feature enable FortiGate to retrieve ratings for individual images in addition to websites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced with blank placeholders. These image file types are rated: GIF, JPEG, PNG, BMP, and TIFF.

    This feature requires a valid FortiGuard license, otherwise rating errors will occur. By default, this feature is enabled.

    For example, if the Other Adult Materials category is blocked, before enabling Rate images by URL, the image is not blocked:

    After enabling Rate images by URL, images in the Other Adult Materials category are blocked. For example:

    To enable this feature in the GUI:
    1. Go to Security Profiles > Web Filter and go to the Rating Options section.
    2. Enable Rate images by URL.

    To enable this feature in the CLI:
    config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            set rate-image-urls enable
        end
    next
end
    Previous
    Next