Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.5 Administration Guide
    6.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Web rating override

    Web rating override

    Web rating overrides allow you to add specific URLs to both FortiGuard and custom web ratings categories.

    In a web filter profile, the action for each category can be configured. See FortiGuard filter for details. A web rating override in a custom category will not impact any web filters until the category's action is changed to Allow, Monitor (default), Block, Warning, or Authenticate in the specific web filter profile's settings. If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

    In SSL/SSH inspection profiles, custom categories must be explicitly selected to be exempt from SSL inspection. In proxy addresses, custom categories must be explicitly selected as URL categories for them to apply. In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

    Note

    Web rating override requires a FortiGuard license.

    Web filter profiles

    In this example, www.fortinet.com is added to both a custom, or local, category (Seriously) and an external threat feed, or remote, category (OnAworkComputer). The local category action is set to Monitor, while the remote category action is set to Block. When a user browses to www.fortinet.com, the local category action takes precedence over both the remote category and the FortiGuard category (Information Technology), so the Monitor action is taken.

    To create a custom category in the GUI:
    1. Go to Security Profiles > Web Rating Overrides.
    2. Click Custom Categories, then click Create New.
    3. Enter a name for the category, and ensure that the Status is set to Enable.

    4. Click OK.
    To create a web rating override in the GUI:
    1. Go to Security Profiles > Web Rating Overrides and click Create New.
    2. Enter the URL to override.
    3. Optionally, click Lookup rating to see what its current rating is, if it has one.
    4. Select the new Category and Sub-Category for the override.

    5. Click OK.
    To create a new FortiGuard category threat feed in the GUI:

    1. Go to Security Fabric > External Connectors and click Create New.

    2. In the Threat Feeds section, click FortiGuard Category.
    3. Enter a name for the threat feed, such as OnAworkComputer.
    4. Enter the URI of external resource.

    5. Configure the remaining settings as needed, then click OK.

    To use the new categories in a web filter profile in the GUI:
    1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
    2. Enable FortiGuard category based filter

    3. Set the action for the Seriously category in the Local Categories group to Monitor.

    4. Set the action for the OnAworkComputer category in the Remote Categories group to Block.

      Tooltip

      Setting the custom category action to Allow is equivalent to setting the CLI action variable to monitor and log variable to disable.
    5. Configure the remaining settings are required, then click OK.
    To use local and remote categories in a web filter profile in the CLI:
    1. Create the custom category and add a URL to it:
      config vdom
    edit root
        config webfilter ftgd-local-cat
            edit "Seriously"
                set id 140
            next
        end
        config webfilter ftgd-local-rating
            edit "www.fortinet.com"
                set rating 140
            next
        end
    next
end
    2. Create a FortiGuard Category Threat Feed external connector to import an external blocklist.
      config global
    config system external-resource
        edit "OnAworkComputer"
            set category 192
            set resource "https://192.168.0.5/lists/blocklist.txt"
        next
    end
end
    3. Enable the new category in a web filter profile. See FortiGuard filter for details.

      Custom local categories have an ID range of 140 to 191. Remote categories have an ID range of 192 to 221.

      config vdom
    edit root
        config webfilter profile
            edit "WebFilter-1"
                set feature-set proxy
                config ftgd-wf
                    unset options
                    config filters
                        edit 12
                            set category 12
                            set action warning
                        next
                        ...
                        edit 23
                            set action warning
                        next
                        edit 140
                            set category 140
                        next
                        edit 192
                            set category 192
                            set action block
                        next
                    end
                end
            next
        end
    next
end

      When a filter is added for the local and remote categories (140 and 192 in this example), the default action is monitor with logging enabled.

    SSL/SSH inspection profiles

    To use local and remote categories in an SSL/SSH inspection profile to exempt them from SSL inspection in the GUI:
    1. Go to Security Profiles > SSL/SSH Inspection.
    2. Create a new profile or edit an existing one.
    3. Ensure that Inspection method is Full SSL Inspection.
    4. In the Exempt from SSL Inspection section, add the local and remote categories to the Web categories list .

    5. Configure the remaining settings as required, then click OK.
    To use local and remote categories in an SSL/SSH inspection profile to exempt them from SSL inspection in the CLI:
    config vdom
    edit root
        config firewall ssl-ssh-profile
            edit "SSL_Inspection"
                config https
                    set ports 443
                    set status deep-inspection
                end
                ...
                config ssl-exempt
                    edit 1
                        set fortiguard-category 140
                    next
                    edit 2
                        set fortiguard-category 192
                    next
                end
            next
        end
    next
end

    Proxy addresses

    To use local and remote categories in a proxy address in the GUI:
    1. Go to Policy & Objects > Addresses and click Create New > Address, or edit an existing proxy address.
    2. Set Category to Proxy Address.
    3. Set Type to URL Category.
    4. In the URL Category, add the local and remote categories.

    5. Configure the remaining settings as required, then click OK.
    To use local and remote categories in a proxy address in the CLI:
    config vdom
    edit root
        config firewall proxy-address
            edit "proxy_override"
                set type category
                set host "all"
                set category 140 192
                set color 23
            next
        end
    next
end
    Previous
    Next

    Web rating override

    Web rating override

    Web rating overrides allow you to add specific URLs to both FortiGuard and custom web ratings categories.

    In a web filter profile, the action for each category can be configured. See FortiGuard filter for details. A web rating override in a custom category will not impact any web filters until the category's action is changed to Allow, Monitor (default), Block, Warning, or Authenticate in the specific web filter profile's settings. If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

    In SSL/SSH inspection profiles, custom categories must be explicitly selected to be exempt from SSL inspection. In proxy addresses, custom categories must be explicitly selected as URL categories for them to apply. In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

    Note

    Web rating override requires a FortiGuard license.

    Web filter profiles

    In this example, www.fortinet.com is added to both a custom, or local, category (Seriously) and an external threat feed, or remote, category (OnAworkComputer). The local category action is set to Monitor, while the remote category action is set to Block. When a user browses to www.fortinet.com, the local category action takes precedence over both the remote category and the FortiGuard category (Information Technology), so the Monitor action is taken.

    To create a custom category in the GUI:
    1. Go to Security Profiles > Web Rating Overrides.
    2. Click Custom Categories, then click Create New.
    3. Enter a name for the category, and ensure that the Status is set to Enable.

    4. Click OK.
    To create a web rating override in the GUI:
    1. Go to Security Profiles > Web Rating Overrides and click Create New.
    2. Enter the URL to override.
    3. Optionally, click Lookup rating to see what its current rating is, if it has one.
    4. Select the new Category and Sub-Category for the override.

    5. Click OK.
    To create a new FortiGuard category threat feed in the GUI:

    1. Go to Security Fabric > External Connectors and click Create New.

    2. In the Threat Feeds section, click FortiGuard Category.
    3. Enter a name for the threat feed, such as OnAworkComputer.
    4. Enter the URI of external resource.

    5. Configure the remaining settings as needed, then click OK.

    To use the new categories in a web filter profile in the GUI:
    1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
    2. Enable FortiGuard category based filter

    3. Set the action for the Seriously category in the Local Categories group to Monitor.

    4. Set the action for the OnAworkComputer category in the Remote Categories group to Block.

      Tooltip

      Setting the custom category action to Allow is equivalent to setting the CLI action variable to monitor and log variable to disable.
    5. Configure the remaining settings are required, then click OK.
    To use local and remote categories in a web filter profile in the CLI:
    1. Create the custom category and add a URL to it:
      config vdom
    edit root
        config webfilter ftgd-local-cat
            edit "Seriously"
                set id 140
            next
        end
        config webfilter ftgd-local-rating
            edit "www.fortinet.com"
                set rating 140
            next
        end
    next
end
    2. Create a FortiGuard Category Threat Feed external connector to import an external blocklist.
      config global
    config system external-resource
        edit "OnAworkComputer"
            set category 192
            set resource "https://192.168.0.5/lists/blocklist.txt"
        next
    end
end
    3. Enable the new category in a web filter profile. See FortiGuard filter for details.

      Custom local categories have an ID range of 140 to 191. Remote categories have an ID range of 192 to 221.

      config vdom
    edit root
        config webfilter profile
            edit "WebFilter-1"
                set feature-set proxy
                config ftgd-wf
                    unset options
                    config filters
                        edit 12
                            set category 12
                            set action warning
                        next
                        ...
                        edit 23
                            set action warning
                        next
                        edit 140
                            set category 140
                        next
                        edit 192
                            set category 192
                            set action block
                        next
                    end
                end
            next
        end
    next
end

      When a filter is added for the local and remote categories (140 and 192 in this example), the default action is monitor with logging enabled.

    SSL/SSH inspection profiles

    To use local and remote categories in an SSL/SSH inspection profile to exempt them from SSL inspection in the GUI:
    1. Go to Security Profiles > SSL/SSH Inspection.
    2. Create a new profile or edit an existing one.
    3. Ensure that Inspection method is Full SSL Inspection.
    4. In the Exempt from SSL Inspection section, add the local and remote categories to the Web categories list .

    5. Configure the remaining settings as required, then click OK.
    To use local and remote categories in an SSL/SSH inspection profile to exempt them from SSL inspection in the CLI:
    config vdom
    edit root
        config firewall ssl-ssh-profile
            edit "SSL_Inspection"
                config https
                    set ports 443
                    set status deep-inspection
                end
                ...
                config ssl-exempt
                    edit 1
                        set fortiguard-category 140
                    next
                    edit 2
                        set fortiguard-category 192
                    next
                end
            next
        end
    next
end

    Proxy addresses

    To use local and remote categories in a proxy address in the GUI:
    1. Go to Policy & Objects > Addresses and click Create New > Address, or edit an existing proxy address.
    2. Set Category to Proxy Address.
    3. Set Type to URL Category.
    4. In the URL Category, add the local and remote categories.

    5. Configure the remaining settings as required, then click OK.
    To use local and remote categories in a proxy address in the CLI:
    config vdom
    edit root
        config firewall proxy-address
            edit "proxy_override"
                set type category
                set host "all"
                set category 140 192
                set color 23
            next
        end
    next
end
    Previous
    Next