Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

URL filtering

Best practices for URL filtering can be divided into categories: flow-based versus proxy based filtering, local category/rating feature, and URL filter ‘Exempt’ action.

Flow-based versus proxy-based

Try to avoid mixing flow-based and proxy-based features in the same profile if you are not using IPS or Application Control.

Local category/rating feature

Local categories and local rating features consume a large amount of CPU resources, so use these features as little as possible. It is better to use Local categories instead of using the ‘override’ feature, since the ‘override’ feature is more complicated and more difficult to troubleshoot.

URL filter ‘Exempt’ action

When using the URL filter ‘Exempt’ option, webfilter, antivirus and dlp scans are bypassed by default, so use this option only for trusted sites.

Configuration notes: You need to configure ‘Exempt’ actions in the URL filter if you want to bypass the FortiGuard Web Filter. You can configure which particular inspection(s) you want to bypass using the set exempt command for an entry under config webfilter urlfilter. See the FortiOS CLI Reference for details.

URL filtering

Best practices for URL filtering can be divided into categories: flow-based versus proxy based filtering, local category/rating feature, and URL filter ‘Exempt’ action.

Flow-based versus proxy-based

Try to avoid mixing flow-based and proxy-based features in the same profile if you are not using IPS or Application Control.

Local category/rating feature

Local categories and local rating features consume a large amount of CPU resources, so use these features as little as possible. It is better to use Local categories instead of using the ‘override’ feature, since the ‘override’ feature is more complicated and more difficult to troubleshoot.

URL filter ‘Exempt’ action

When using the URL filter ‘Exempt’ option, webfilter, antivirus and dlp scans are bypassed by default, so use this option only for trusted sites.

Configuration notes: You need to configure ‘Exempt’ actions in the URL filter if you want to bypass the FortiGuard Web Filter. You can configure which particular inspection(s) you want to bypass using the set exempt command for an entry under config webfilter urlfilter. See the FortiOS CLI Reference for details.