Fortinet Document Library

Version:


Table of Contents

More Links

Web Filter Categories
FortiGuard filter
SSL & SSH Inspection
Proxy policy addresses

New Features

6.4.0
Download PDF
Copy Link

Explicitly enable custom categories for web filter profiles, SSL/SSH inspection profiles, and proxy addresses 6.4.2

In all web filter profiles, local and remote categories must be manually enabled.

When a new threat feed connector or web rating overrides in a custom category are created, they will not impact any web filters until the category's action is changed to Monitor, Block, Warning, or Authenticate in the specific web filter's settings. If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

In SSL/SSH inspection profiles, local and remote categories must be explicitly selected to be exempt from SSL inspection. In proxy addresses, local and remote categories must be explicitly selected as URL categories for them to apply. In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

Web filter profiles

In this example, www.fortinet.com is added to both a custom, or local, category (Seriously) and an external threat feed, or remote, category (OnAworkComputer). The local category action is set to Monitor, while the remote category action is set to Block. When a user browses to www.fortinet.com, the local category action takes precedence over both the remote category and the FortiGuard category (Information Technology), so the Monitor action is taken.

To use local and remote categories in a web filter profile in the GUI:
  1. Go to Security Profiles > Web Rating Overrides and create a custom category and add URLs to it. See Web rating override for details.

  2. Go to Security Fabric > External Connectors and create a FortiGuard Category Threat Feed external connector to import an external blocklist.

  3. Go to Security Profiles > Web Filter and create or edit a web filter profile.
  4. Set Feature set to Proxy-based.
  5. Enable FortiGuard category based filter and change the action for the Local Categories and Remote Categories entries as needed. See FortiGuard filter for details.
    Tooltip

    When the action for a local or remote category is Allow, the category is disabled. The next category's action, in the order of preference, will be applied.

  6. Configure the remaining settings as required.
  7. Click OK.
To use local and remote categories in a web filter profile in the CLI:
  1. Create a custom category and add URLs to it. See Web rating override for details.
    config vdom
        edit root
            config webfilter ftgd-local-cat
                edit "Seriously"
                    set id 140
                next
            end
            config webfilter ftgd-local-rating
                edit "www.fortinet.com"
                    set rating 140
                next
            end
        next
    end
  2. Create a FortiGuard Category Threat Feed external connector to import an external blocklist:
    config global
        config system external-resource
            edit "OnAworkComputer"
                set category 192
                set resource "https://192.168.0.5/lists/blocklist.txt"
            next
        end
    end
  3. Create or edit a web filter profile. See FortiGuard filter for details.

    Local categories have an ID range of 140 to 191. Remote categories have an ID range of 192 to 221.

    config vdom
        edit root
            config webfilter profile
                edit "WebFilter-1"
                    set feature-set proxy
                    config ftgd-wf
                        unset options
                        config filters
                            edit 12
                                set category 12
                                set action warning
                            next
                            ...
                            edit 23
                                set action warning
                            next
                            edit 140
                                set category 140
                            next
                            edit 192
                                set category 192
                                set action block
                            next
                        end
                    end
                next
            end
        next
    end

    When a filter is added for the local and remote categories (140 and 192 in this example), the default action is monitor.

SSL/SSH inspection profiles

To use local and remote categories in an SSL/SSH inspection profile to exempt the categories from SSL inspection in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.
  2. Create a new profile or edit an existing one.
  3. Ensure that Inspection method is Full SSL Inspection.
  4. In the Exempt from SSL Inspection section, add the local and remote categories to the Web categories list .

  5. Configure the remaining settings as required, then click OK.
To use local and remote categories in an SSL/SSH inspection profile to exempt the categories from SSL inspection in the CLI:
config firewall ssl-ssh-profile
    edit "SSL_Inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        ...
        config ssl-exempt
            edit 1
                set fortiguard-category 140
            next
            edit 2
                set fortiguard-category 194
            next
        end
    next
end

Proxy addresses

To use local and remote categories in a proxy address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address, or edit an existing proxy address.
  2. Set Category to Proxy Address.
  3. Set Type to URL Category.
  4. In the URL Category, add the local and remote categories.

  5. Configure the remaining settings as required, then click OK.
To use local and remote categories in a proxy address in the CLI:
config firewall proxy-address
    edit "proxy_override"
        set type category
        set host "all"
        set category 140 194
        set color 23
    next
end

More Links

Explicitly enable custom categories for web filter profiles, SSL/SSH inspection profiles, and proxy addresses 6.4.2

In all web filter profiles, local and remote categories must be manually enabled.

When a new threat feed connector or web rating overrides in a custom category are created, they will not impact any web filters until the category's action is changed to Monitor, Block, Warning, or Authenticate in the specific web filter's settings. If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

In SSL/SSH inspection profiles, local and remote categories must be explicitly selected to be exempt from SSL inspection. In proxy addresses, local and remote categories must be explicitly selected as URL categories for them to apply. In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

Web filter profiles

In this example, www.fortinet.com is added to both a custom, or local, category (Seriously) and an external threat feed, or remote, category (OnAworkComputer). The local category action is set to Monitor, while the remote category action is set to Block. When a user browses to www.fortinet.com, the local category action takes precedence over both the remote category and the FortiGuard category (Information Technology), so the Monitor action is taken.

To use local and remote categories in a web filter profile in the GUI:
  1. Go to Security Profiles > Web Rating Overrides and create a custom category and add URLs to it. See Web rating override for details.

  2. Go to Security Fabric > External Connectors and create a FortiGuard Category Threat Feed external connector to import an external blocklist.

  3. Go to Security Profiles > Web Filter and create or edit a web filter profile.
  4. Set Feature set to Proxy-based.
  5. Enable FortiGuard category based filter and change the action for the Local Categories and Remote Categories entries as needed. See FortiGuard filter for details.
    Tooltip

    When the action for a local or remote category is Allow, the category is disabled. The next category's action, in the order of preference, will be applied.

  6. Configure the remaining settings as required.
  7. Click OK.
To use local and remote categories in a web filter profile in the CLI:
  1. Create a custom category and add URLs to it. See Web rating override for details.
    config vdom
        edit root
            config webfilter ftgd-local-cat
                edit "Seriously"
                    set id 140
                next
            end
            config webfilter ftgd-local-rating
                edit "www.fortinet.com"
                    set rating 140
                next
            end
        next
    end
  2. Create a FortiGuard Category Threat Feed external connector to import an external blocklist:
    config global
        config system external-resource
            edit "OnAworkComputer"
                set category 192
                set resource "https://192.168.0.5/lists/blocklist.txt"
            next
        end
    end
  3. Create or edit a web filter profile. See FortiGuard filter for details.

    Local categories have an ID range of 140 to 191. Remote categories have an ID range of 192 to 221.

    config vdom
        edit root
            config webfilter profile
                edit "WebFilter-1"
                    set feature-set proxy
                    config ftgd-wf
                        unset options
                        config filters
                            edit 12
                                set category 12
                                set action warning
                            next
                            ...
                            edit 23
                                set action warning
                            next
                            edit 140
                                set category 140
                            next
                            edit 192
                                set category 192
                                set action block
                            next
                        end
                    end
                next
            end
        next
    end

    When a filter is added for the local and remote categories (140 and 192 in this example), the default action is monitor.

SSL/SSH inspection profiles

To use local and remote categories in an SSL/SSH inspection profile to exempt the categories from SSL inspection in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.
  2. Create a new profile or edit an existing one.
  3. Ensure that Inspection method is Full SSL Inspection.
  4. In the Exempt from SSL Inspection section, add the local and remote categories to the Web categories list .

  5. Configure the remaining settings as required, then click OK.
To use local and remote categories in an SSL/SSH inspection profile to exempt the categories from SSL inspection in the CLI:
config firewall ssl-ssh-profile
    edit "SSL_Inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        ...
        config ssl-exempt
            edit 1
                set fortiguard-category 140
            next
            edit 2
                set fortiguard-category 194
            next
        end
    next
end

Proxy addresses

To use local and remote categories in a proxy address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address, or edit an existing proxy address.
  2. Set Category to Proxy Address.
  3. Set Type to URL Category.
  4. In the URL Category, add the local and remote categories.

  5. Configure the remaining settings as required, then click OK.
To use local and remote categories in a proxy address in the CLI:
config firewall proxy-address
    edit "proxy_override"
        set type category
        set host "all"
        set category 140 194
        set color 23
    next
end