Fortinet Document Library

Version:

Version:

Version:


Table of Contents

More Links

Threat feeds
FortiGuard filter

Administration Guide

Download PDF
Copy Link

Web rating override

Web rating overrides allow you to add specific URLs to both FortiGuard and custom web ratings categories.

In a web filter profile, the action for each category can be configured. See FortiGuard filter for details. A web rating override in a custom category will not impact any web filters until the category's action is changed to Monitor, Block, Warning, or Authenticate in the specific web filter profile's settings. If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

In SSL/SSH inspection profiles, custom categories must be explicitly selected to be exempt from SSL inspection. In proxy addresses, custom categories must be explicitly selected as URL categories for them to apply. In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

Note

Web rating override requires a FortiGuard license.

In this example, www.fortinet.com is added to the a new custom category called Seriously. The Seriously category action is set to Monitor in a web filter profile, overriding the action applied to the Information Technology category and to any remote categories that also contain the URL. The category is also added to a proxy address, and used in an SSL/SSH inspection profile to exempt it from SSL inspection.

To create a custom category in the GUI:
  1. Go to Security Profiles > Web Rating Overrides.
  2. Click Custom Categories, then click Create New.
  3. Enter a name for the category, and adjust the Status as needed.

  4. Click OK.
To create a new web rating override and add it to a category in the GUI:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.
  2. Enter the URL to override.
  3. Optionally, click Lookup rating to see what its current rating is, if it has one.
  4. Select the new Category and Sub-Category for the override.

  5. Click OK.
To use the new category in a web filter profile in the GUI:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter and change the action for the Seriously category in the Local Categories group to Monitor.

    Note

    When the action for a custom category is Allow, the category is disabled. The next category's action in the order of preference will be applied.

  3. Configure the remaining settings are required, then click OK.
To create a custom category, add an override to it, and use it in a web filter profile in the CLI:
  1. Create the custom category and add a URL to it.
    config vdom
        edit root
            config webfilter ftgd-local-cat
                edit "Seriously"
                    set id 140
                next
            end
            config webfilter ftgd-local-rating
                edit "www.fortinet.com"
                    set rating 140
                next
            end
        next
    end
  2. Enable the new category in a web filter profile. See FortiGuard filter for details.

    Custom local categories have an ID range of 140 to 191.

    config vdom
        edit root
            config webfilter profile
                edit "WebFilter-1"
                    set feature-set proxy
                    config ftgd-wf
                        unset options
                        config filters
                            edit 12
                                set category 12
                                set action warning
                            next
                            ...
                            edit 140
                                set category 140
                            next
                            ...
                        end
                    end
                next
            end
        next
    end

    When a filter is added for the custom category (140 in this example), the default action is monitor.

To use the custom category in an SSL/SSH inspection profile to exempt it from SSL inspection in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.
  2. Create a new profile or edit an existing one.
  3. Ensure that Inspection method is Full SSL Inspection.
  4. In the Exempt from SSL Inspection section, add the local category to the Web categories list .

  5. Configure the remaining settings as required, then click OK.
To use the custom category in an SSL/SSH inspection profile to exempt it from SSL inspection in the CLI:
config firewall ssl-ssh-profile
    edit "SSL_Inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        ...
        config ssl-exempt
            edit 1
                set fortiguard-category 140
            next
        end
    next
end
To use the custom category in a proxy address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address, or edit an existing proxy address.
  2. Set Category to Proxy Address.
  3. Set Type to URL Category.
  4. In the URL Category, add the custom category.

  5. Configure the remaining settings as required, then click OK.
To use the custom category in a proxy address in the CLI:
config firewall proxy-address
    edit "proxy_override"
        set type category
        set host "all"
        set category 140 194
        set color 23
    next
end

More Links

Web rating override

Web rating overrides allow you to add specific URLs to both FortiGuard and custom web ratings categories.

In a web filter profile, the action for each category can be configured. See FortiGuard filter for details. A web rating override in a custom category will not impact any web filters until the category's action is changed to Monitor, Block, Warning, or Authenticate in the specific web filter profile's settings. If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

In SSL/SSH inspection profiles, custom categories must be explicitly selected to be exempt from SSL inspection. In proxy addresses, custom categories must be explicitly selected as URL categories for them to apply. In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

Note

Web rating override requires a FortiGuard license.

In this example, www.fortinet.com is added to the a new custom category called Seriously. The Seriously category action is set to Monitor in a web filter profile, overriding the action applied to the Information Technology category and to any remote categories that also contain the URL. The category is also added to a proxy address, and used in an SSL/SSH inspection profile to exempt it from SSL inspection.

To create a custom category in the GUI:
  1. Go to Security Profiles > Web Rating Overrides.
  2. Click Custom Categories, then click Create New.
  3. Enter a name for the category, and adjust the Status as needed.

  4. Click OK.
To create a new web rating override and add it to a category in the GUI:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.
  2. Enter the URL to override.
  3. Optionally, click Lookup rating to see what its current rating is, if it has one.
  4. Select the new Category and Sub-Category for the override.

  5. Click OK.
To use the new category in a web filter profile in the GUI:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter and change the action for the Seriously category in the Local Categories group to Monitor.

    Note

    When the action for a custom category is Allow, the category is disabled. The next category's action in the order of preference will be applied.

  3. Configure the remaining settings are required, then click OK.
To create a custom category, add an override to it, and use it in a web filter profile in the CLI:
  1. Create the custom category and add a URL to it.
    config vdom
        edit root
            config webfilter ftgd-local-cat
                edit "Seriously"
                    set id 140
                next
            end
            config webfilter ftgd-local-rating
                edit "www.fortinet.com"
                    set rating 140
                next
            end
        next
    end
  2. Enable the new category in a web filter profile. See FortiGuard filter for details.

    Custom local categories have an ID range of 140 to 191.

    config vdom
        edit root
            config webfilter profile
                edit "WebFilter-1"
                    set feature-set proxy
                    config ftgd-wf
                        unset options
                        config filters
                            edit 12
                                set category 12
                                set action warning
                            next
                            ...
                            edit 140
                                set category 140
                            next
                            ...
                        end
                    end
                next
            end
        next
    end

    When a filter is added for the custom category (140 in this example), the default action is monitor.

To use the custom category in an SSL/SSH inspection profile to exempt it from SSL inspection in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.
  2. Create a new profile or edit an existing one.
  3. Ensure that Inspection method is Full SSL Inspection.
  4. In the Exempt from SSL Inspection section, add the local category to the Web categories list .

  5. Configure the remaining settings as required, then click OK.
To use the custom category in an SSL/SSH inspection profile to exempt it from SSL inspection in the CLI:
config firewall ssl-ssh-profile
    edit "SSL_Inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        ...
        config ssl-exempt
            edit 1
                set fortiguard-category 140
            next
        end
    next
end
To use the custom category in a proxy address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address, or edit an existing proxy address.
  2. Set Category to Proxy Address.
  3. Set Type to URL Category.
  4. In the URL Category, add the custom category.

  5. Configure the remaining settings as required, then click OK.
To use the custom category in a proxy address in the CLI:
config firewall proxy-address
    edit "proxy_override"
        set type category
        set host "all"
        set category 140 194
        set color 23
    next
end