Fortinet black logo

Cookbook

Advanced filters 2

Advanced filters 2

This topic gives examples of the following advanced filter features:

Note

These advanced filters are only available when inspection mode is Proxy.

Safe search

This feature applies to popular search sites and prevents explicit websites and images from appearing in search results.

Supported search sites are:

  • Google
  • Yahoo
  • Bing
  • Yandex
To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set safe-search url
        end
    next
end

YouTube education filters

Use these features to limit users' access to YouTube channels, such as in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature lets schools access educational videos on YouTube EDU and to specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content such as Restrict YouTube content available to G Suite users. At this time, the options Google offers to restrict inappropriate content includes: DNS, HTTP headers, and Chromebooks..

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Restrict YouTube Access and select Strict or Moderate.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set youtube-restrict strict
        end
    next
end

YouTube channel filtering

This Web Filter feature is also called Restrict YouTube access to specific channels. Use this feature to block or only allow matching YouTube channels.

The following identifiers are used:

given <channel-id>, affect on:

www.youtube.com/channel/<channel-id>

www.youtube.com/user/<user-id>

matches channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">

www.youtube.com/watch?v=<string>

matches channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Enable Restrict YouTube access to specific channels.

  3. Select Create New and specify the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.

  4. Select OK and the option shows the Channel ID and its Link.

To enable this feature in the CLI:
config webfilter profile
   edit "webfilter"
      set youtube-channel-status whitelist
      config youtube-channel-filter
         edit 1
            set channel-id "UCGzuiiLdQZu9wxDNJHO_JnA"
         next
      end
   next
end

Where:

  • whitelist: only allow the traffic belongs to this channel id and relative identifiers.
  • blacklist: only block the traffic belongs to this channel id and relative identifiers and allow the other traffic pass

Log all search keywords

Use this feature to log all search phrases.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Log all search keywords.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

Restrict Google account usage to specific domains

Use this feature to block access to some Google accounts and services while allowing access to accounts in the domains in the exception list.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Enable Restrict Google account usage to specific domains.

  3. Select the + button and enter the domains that Google can access, for example, www.fortinet.com.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST Action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading to a web server.

The action options are Allow or Block. The default is Allow.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. For HTTP POST Action, select Allow or Block.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        set post-action [normal/block]
        config ftgd-wf
            unset options
        end
    next
end

Remove Java applets, remove ActiveX, and remove cookies

The Remove Java Applets feature filters java applets from web traffic. Websites using java applets might not function properly if you enable this filter.

The Remove ActiveX feature filters ActiveX scripts from web traffic. Websites using ActiveX might not function properly with if you enable this filter.

The Remove Cookies feature filters cookies from web traffic. Websites using cookies might not function properly if you enable this filter.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Select the filters you want to use: Remove Java Applets, Remove ActiveX, and/or Remove Cookies.

To enable this feature in the CLI:
config webfilter profile
   edit "webfilter"
      set options activexfilter cookiefilter javafilter <-- enable one or more of activexfilter cookiefilter javafilter. 
      config ftgd-wf
         unset options
      end
   next
end

Advanced filters 2

Advanced filters 2

This topic gives examples of the following advanced filter features:

Note

These advanced filters are only available when inspection mode is Proxy.

Safe search

This feature applies to popular search sites and prevents explicit websites and images from appearing in search results.

Supported search sites are:

  • Google
  • Yahoo
  • Bing
  • Yandex
To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set safe-search url
        end
    next
end

YouTube education filters

Use these features to limit users' access to YouTube channels, such as in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature lets schools access educational videos on YouTube EDU and to specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content such as Restrict YouTube content available to G Suite users. At this time, the options Google offers to restrict inappropriate content includes: DNS, HTTP headers, and Chromebooks..

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Restrict YouTube Access and select Strict or Moderate.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set youtube-restrict strict
        end
    next
end

YouTube channel filtering

This Web Filter feature is also called Restrict YouTube access to specific channels. Use this feature to block or only allow matching YouTube channels.

The following identifiers are used:

given <channel-id>, affect on:

www.youtube.com/channel/<channel-id>

www.youtube.com/user/<user-id>

matches channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">

www.youtube.com/watch?v=<string>

matches channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Enable Restrict YouTube access to specific channels.

  3. Select Create New and specify the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.

  4. Select OK and the option shows the Channel ID and its Link.

To enable this feature in the CLI:
config webfilter profile
   edit "webfilter"
      set youtube-channel-status whitelist
      config youtube-channel-filter
         edit 1
            set channel-id "UCGzuiiLdQZu9wxDNJHO_JnA"
         next
      end
   next
end

Where:

  • whitelist: only allow the traffic belongs to this channel id and relative identifiers.
  • blacklist: only block the traffic belongs to this channel id and relative identifiers and allow the other traffic pass

Log all search keywords

Use this feature to log all search phrases.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Log all search keywords.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

Restrict Google account usage to specific domains

Use this feature to block access to some Google accounts and services while allowing access to accounts in the domains in the exception list.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Enable Restrict Google account usage to specific domains.

  3. Select the + button and enter the domains that Google can access, for example, www.fortinet.com.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST Action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading to a web server.

The action options are Allow or Block. The default is Allow.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. For HTTP POST Action, select Allow or Block.

To enable this feature in the CLI:
config webfilter profile
    edit "webfilter"
        set post-action [normal/block]
        config ftgd-wf
            unset options
        end
    next
end

Remove Java applets, remove ActiveX, and remove cookies

The Remove Java Applets feature filters java applets from web traffic. Websites using java applets might not function properly if you enable this filter.

The Remove ActiveX feature filters ActiveX scripts from web traffic. Websites using ActiveX might not function properly with if you enable this filter.

The Remove Cookies feature filters cookies from web traffic. Websites using cookies might not function properly if you enable this filter.

To enable this feature in the GUI:
  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Select the filters you want to use: Remove Java Applets, Remove ActiveX, and/or Remove Cookies.

To enable this feature in the CLI:
config webfilter profile
   edit "webfilter"
      set options activexfilter cookiefilter javafilter <-- enable one or more of activexfilter cookiefilter javafilter. 
      config ftgd-wf
         unset options
      end
   next
end