Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.16 Administration Guide
    7.0.16
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Configuring a web filter profile

    Configuring a web filter profile

    Web filtering restricts or controls user access to web resources and can be applied to firewall policies using either policy-based or profile-based NGFW mode.

    Note

    The feature set setting (proxy or flow) in the web filter profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based web filter profile must be used with a flow-based firewall policy.

    An SSL inspection profile (such as the certificate-inspection profile) and a web filter profile must both be selected in the associated firewall policy. See SSL & SSH Inspection.

    Some web filter profile options can only be configured in the CLI. See Advanced CLI configuration and the FortiOS CLI Reference for more information.

    To configure a web filter profile:

    1. Go to Security Profiles > Web Filter and click Create New.

    2. Configure the following settings:

      Name

      		 Enter a unique name for the profile.

      Comments

      		 (Optional) Enter a comment.

      Feature set

      Select the feature set for the profile. The feature set mode must match the inspection mode used in the associated firewall policy.

      • Flow-based

      • Proxy-based

      Additional options are available in proxy-based mode and are identified in the GUI with a P icon. See Inspection mode feature comparison.

      If the Feature set option is not visible, enter the following in the CLI:

      config system settings
    set gui-proxy-inspection enable
end

      FortiGuard Category Based Filter

      		 Enable to use the category-based filters from FortiGuard. A default action is assigned to each category, and you can change the action. See FortiGuard filter.

      Category Usage Quota

      		 This option is available in proxy-based mode and can be applied to categories set to Monitor, Warning, and Authenticate. See Category usage quota.

      Allow users to override blocked categories

      		 Enable to allow certain users or user groups to override websites blocked by web filtering profiles for a specified length of time. See Web profile override.

      Groups that can override

      		 Select one or more user groups that can override blocked websites. The user group must be specified as the Source in the firewall policies using this profile.

      Profile Name

      		 Select what web filter profiles can be overridden.

      Switch applies to

      		 Specify whether the override applies to a User, User Group, or IP address. Alternately select Ask to prompt the user to log in to access the web page.

      Switch duration

      		 Select Predefined to specify how many days, hours, and minutes to allow the override. Select Ask to prompt the user to specify how long to allow the override.

      Search Engines

      		 This option is available in proxy-based mode.

      Enfore 'Safe Search' on Google, Yahoo!, Bing, Yandex

      		 This option is available in proxy-based mode. Enable to prevent explicit websites and images from appearing in search results. See Safe search.

      Restrict YouTube Access

      		 This option is available in proxy-based mode. Enable to filter out potentially mature videos. See Restrict YouTube and Vimeo access.

      Log all search keywords

      		 This option is available in proxy-based mode. Enable to log all search phrases. See Log all search keywords.

      Static URL Filter

      Block invalid URLs

      		 Enable to block websites when their SSL certificate CN field lacks a valid domain name. See Block invalid URLs.

      URL Filter

      		 Enable to specify URL patterns and an action for FortiGate to take when matching URL patterns are found in traffic. See URL filter.

      Block malicious URLs discovered by FortiSandbox

      		 Enable to block malicious URLs found by FortiSandbox. Requires FortiGate to be connected to a registered FortiSandbox. See Block malicious URLs discovered by FortiSandbox.

      Content Filter

      		 Enable to specify word or patterns to be used to identify and control access to web pages. See Web content filter.

      Rating Options

      Allow websites when a rating error occurs

      		 Enable to allow access to websites that return a rating error from the FortiGuard Web Filter service. See Allow websites when a rating error occurs.

      Rate URLs by domain and IP address

      		 Enable for FortiGate to always send both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating. See Rate URLs by domain and IP address.

      Proxy Options

      Restrict Google account usage to specific domains

      		 This option is available in proxy-based mode. Enable to block access to certain Google accounts and services. See Restrict Google account usage to specific domains.

      HTTP POST Action

      		 Enable to specify how to handle HTTP POST traffic. See HTTP POST action.

      Remove Java Applets

      		 This option is available in proxy-based mode. Enable to remove Java applets from web traffic. See Remove Java applets, ActiveX, and cookies.

      Remove ActiveX

      		 This option is available in proxy-based mode. Enable to remove ActiveX from web traffic. See Remove Java applets, ActiveX, and cookies.

      Remove Cookies

      		 Enable to remove cookies from web traffic. See Remove Java applets, ActiveX, and cookies.

    3. Click OK.

    Previous
    Next

    Configuring a web filter profile

    Configuring a web filter profile

    Web filtering restricts or controls user access to web resources and can be applied to firewall policies using either policy-based or profile-based NGFW mode.

    Note

    The feature set setting (proxy or flow) in the web filter profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based web filter profile must be used with a flow-based firewall policy.

    An SSL inspection profile (such as the certificate-inspection profile) and a web filter profile must both be selected in the associated firewall policy. See SSL & SSH Inspection.

    Some web filter profile options can only be configured in the CLI. See Advanced CLI configuration and the FortiOS CLI Reference for more information.

    To configure a web filter profile:

    1. Go to Security Profiles > Web Filter and click Create New.

    2. Configure the following settings:

      Name

      		 Enter a unique name for the profile.

      Comments

      		 (Optional) Enter a comment.

      Feature set

      Select the feature set for the profile. The feature set mode must match the inspection mode used in the associated firewall policy.

      • Flow-based

      • Proxy-based

      Additional options are available in proxy-based mode and are identified in the GUI with a P icon. See Inspection mode feature comparison.

      If the Feature set option is not visible, enter the following in the CLI:

      config system settings
    set gui-proxy-inspection enable
end

      FortiGuard Category Based Filter

      		 Enable to use the category-based filters from FortiGuard. A default action is assigned to each category, and you can change the action. See FortiGuard filter.

      Category Usage Quota

      		 This option is available in proxy-based mode and can be applied to categories set to Monitor, Warning, and Authenticate. See Category usage quota.

      Allow users to override blocked categories

      		 Enable to allow certain users or user groups to override websites blocked by web filtering profiles for a specified length of time. See Web profile override.

      Groups that can override

      		 Select one or more user groups that can override blocked websites. The user group must be specified as the Source in the firewall policies using this profile.

      Profile Name

      		 Select what web filter profiles can be overridden.

      Switch applies to

      		 Specify whether the override applies to a User, User Group, or IP address. Alternately select Ask to prompt the user to log in to access the web page.

      Switch duration

      		 Select Predefined to specify how many days, hours, and minutes to allow the override. Select Ask to prompt the user to specify how long to allow the override.

      Search Engines

      		 This option is available in proxy-based mode.

      Enfore 'Safe Search' on Google, Yahoo!, Bing, Yandex

      		 This option is available in proxy-based mode. Enable to prevent explicit websites and images from appearing in search results. See Safe search.

      Restrict YouTube Access

      		 This option is available in proxy-based mode. Enable to filter out potentially mature videos. See Restrict YouTube and Vimeo access.

      Log all search keywords

      		 This option is available in proxy-based mode. Enable to log all search phrases. See Log all search keywords.

      Static URL Filter

      Block invalid URLs

      		 Enable to block websites when their SSL certificate CN field lacks a valid domain name. See Block invalid URLs.

      URL Filter

      		 Enable to specify URL patterns and an action for FortiGate to take when matching URL patterns are found in traffic. See URL filter.

      Block malicious URLs discovered by FortiSandbox

      		 Enable to block malicious URLs found by FortiSandbox. Requires FortiGate to be connected to a registered FortiSandbox. See Block malicious URLs discovered by FortiSandbox.

      Content Filter

      		 Enable to specify word or patterns to be used to identify and control access to web pages. See Web content filter.

      Rating Options

      Allow websites when a rating error occurs

      		 Enable to allow access to websites that return a rating error from the FortiGuard Web Filter service. See Allow websites when a rating error occurs.

      Rate URLs by domain and IP address

      		 Enable for FortiGate to always send both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating. See Rate URLs by domain and IP address.

      Proxy Options

      Restrict Google account usage to specific domains

      		 This option is available in proxy-based mode. Enable to block access to certain Google accounts and services. See Restrict Google account usage to specific domains.

      HTTP POST Action

      		 Enable to specify how to handle HTTP POST traffic. See HTTP POST action.

      Remove Java Applets

      		 This option is available in proxy-based mode. Enable to remove Java applets from web traffic. See Remove Java applets, ActiveX, and cookies.

      Remove ActiveX

      		 This option is available in proxy-based mode. Enable to remove ActiveX from web traffic. See Remove Java applets, ActiveX, and cookies.

      Remove Cookies

      		 Enable to remove cookies from web traffic. See Remove Java applets, ActiveX, and cookies.

    3. Click OK.

    Previous
    Next