Fortinet black logo

Administration Guide

Web rating override

Web rating overrides allow you to apply a category override to a URL. This overrides the original FortiGuard category for the URL with either a different FortiGuard category, a custom local category, or a threat feed remote category.

If a URL is in multiple active categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

Note

Web rating override requires a FortiGuard license.

To create a FortiGuard category override:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL to override.

  3. Optionally, click Lookup rating to see what its current rating is, if it has one.

  4. Set the Category and Sub-Category to an existing category that is different from the original category.

  5. Click OK.

To create a custom local category override:
  1. Create a custom category :

    1. Go to Security Profiles > Web Rating Overrides.

    2. Click Custom Categories, then click Create New.

    3. Enter a name for the category, and ensure that the Status is set to Enable.

    4. Click OK.

  2. Create a web rating override:

    1. Go to Security Profiles > Web Rating Overrides and click Create New.

    2. Enter the URL to override.

    3. Set Category to Custom Categories and set Sub-Category to the custom category that was just created.

    4. Click OK.

To create a thread feed remote category override:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.
  3. Enter a name for the threat feed. This will also be the name of the remote category.
  4. Enter the URI of external resource that contains the list of URLs that will be overridden in this remote category.
  5. Configure the remaining settings as needed, then click OK.

Sub-category actions

After configuring category override rules, an override category must be active in a web filter profile for it to take effect. Whether a category is active or not depends on the override method and action:

Override method

Active category actions

Inactive category actions

FortiGuard categories

Monitor, Block, Warning, or Authenticate

Allow

Local categories

Allow, Monitor, Block, Warning, or Authenticate

Disable*

Remote categories

Allow, Monitor, Block, Warning, or Authenticate

Disable*

*The Disable action is only available for local and remote categories by right clicking on the sub-category.

The Allow action in the GUI is different for FortiGuard categories compared to local and remote categories.

For local and remote categories, the Allow action in the GUI corresponds to the monitor action with logging disabled in the CLI:

config webfilter profile
    edit <profile>
        config ftgd-wf
            config filters
                edit 142
                    set category 142
                    set action monitor
                    set log disable
                next
            end
        end
    next
end

For FortiGuard categories, the Allow action in the GUI corresponds to no entry in the CLI:

The Internet Radio and TV sub-category has ID number 75.

config webfilter profile
    edit <profile>
        config ftgd-wf
            config filters
            end
        end
    next
end

This means that a FortiGuard category with the Allow action applied is effectively inactive, as there is no actual action specified in the CLI.

Example 1: Override a FortiGuard category with another FortiGuard category

In this example, play.google.com is overridden from its original category, Freeware and Software Download (19), to the Advertising category (17). In the web filter profile, the Advertising category is set to Block and the Freeware and Software Download category is set to Allow.

To configure a FortiGuard web rating override:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL: play.google.com.

  3. Optionally, click Lookup rating to see what its current rating is.

  4. Set the Category and Sub-Category to an existing category that is different from the original category.

  5. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter
  3. Set the action for the Advertising category in the General Interest - Personal group to Block.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Allow.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:
  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be blocked by the category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=16:43:31 eventtime=1663803811966781540 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=891040 srcip=192.168.2.8 srcport=50318 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="blocked" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=17 catdesc="Advertising"

Example 2: Override a FortiGuard category with a remote category

In this example, play.google.com is added to an external URL category list and applied to a threat feed. In the web filter profile, the remote category is set to Allow, and the original FortiGuard category (Freeware and Software Download) is set to Block. Remote categories take precedence over FortiGuard categories, so the override action for the remote category will apply.

Delete the web rating override entry from example 1 for play.google.com before configuring this example.

To configure a FortiGuard threat feed for remote category override:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.

  3. Enter a name for the threat feed, such as Custom-Remote-FGD. This will be the name of the remote category.

  4. Enter the URI of external resource that contains the list of URLs that will be overridden to this remote category. This list will contain one entry for play.google.com.

  5. Configure the remaining settings as needed, then click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter
  3. Set the action for the Custom-Remote-FGD category in the Remote Categories group to Allow.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:
  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the remote category override.

  2. No logs are recorded because the Allow action is selected.

Example 3 - Override a FortiGuard category with a custom local category

In this example, play.google.com is added to a custom local category. that is set to Monitor in the web filter profile. Local custom categories take precedence over both remote and FortiGuard categories, so the override action for the local category will apply.

To create a custom local category override:
  1. Go to Security Profiles > Web Rating Overrides.

  2. Click Custom Categories, then click Create New.

  3. Enter a name for the category, such as myCustomCategory, and ensure the Status is set to Enable.

  4. Click OK.

To create a web rating override for the custom local category:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL to override.

  3. For Category, select Custom Categories and for Sub-Category select myCustomCategory.

  4. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter
  3. Set the action for the myCustomCategory category in the LocalCategories group to Monitor.

  4. The other actions can be left as they were at the end of example 2, Custom-Remote-FGD set to Allow and Freeware and Software Download set to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:
  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the local category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=17:17:00 eventtime=1663805820486294353 tz="-0700" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=2 sessionid=893147 srcip=192.168.2.8 srcport=50417 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="passthrough" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=142 catdesc="myCustomCategory"

Web rating overrides allow you to apply a category override to a URL. This overrides the original FortiGuard category for the URL with either a different FortiGuard category, a custom local category, or a threat feed remote category.

If a URL is in multiple active categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

Note

Web rating override requires a FortiGuard license.

To create a FortiGuard category override:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL to override.

  3. Optionally, click Lookup rating to see what its current rating is, if it has one.

  4. Set the Category and Sub-Category to an existing category that is different from the original category.

  5. Click OK.

To create a custom local category override:
  1. Create a custom category :

    1. Go to Security Profiles > Web Rating Overrides.

    2. Click Custom Categories, then click Create New.

    3. Enter a name for the category, and ensure that the Status is set to Enable.

    4. Click OK.

  2. Create a web rating override:

    1. Go to Security Profiles > Web Rating Overrides and click Create New.

    2. Enter the URL to override.

    3. Set Category to Custom Categories and set Sub-Category to the custom category that was just created.

    4. Click OK.

To create a thread feed remote category override:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.
  3. Enter a name for the threat feed. This will also be the name of the remote category.
  4. Enter the URI of external resource that contains the list of URLs that will be overridden in this remote category.
  5. Configure the remaining settings as needed, then click OK.

Sub-category actions

After configuring category override rules, an override category must be active in a web filter profile for it to take effect. Whether a category is active or not depends on the override method and action:

Override method

Active category actions

Inactive category actions

FortiGuard categories

Monitor, Block, Warning, or Authenticate

Allow

Local categories

Allow, Monitor, Block, Warning, or Authenticate

Disable*

Remote categories

Allow, Monitor, Block, Warning, or Authenticate

Disable*

*The Disable action is only available for local and remote categories by right clicking on the sub-category.

The Allow action in the GUI is different for FortiGuard categories compared to local and remote categories.

For local and remote categories, the Allow action in the GUI corresponds to the monitor action with logging disabled in the CLI:

config webfilter profile
    edit <profile>
        config ftgd-wf
            config filters
                edit 142
                    set category 142
                    set action monitor
                    set log disable
                next
            end
        end
    next
end

For FortiGuard categories, the Allow action in the GUI corresponds to no entry in the CLI:

The Internet Radio and TV sub-category has ID number 75.

config webfilter profile
    edit <profile>
        config ftgd-wf
            config filters
            end
        end
    next
end

This means that a FortiGuard category with the Allow action applied is effectively inactive, as there is no actual action specified in the CLI.

Example 1: Override a FortiGuard category with another FortiGuard category

In this example, play.google.com is overridden from its original category, Freeware and Software Download (19), to the Advertising category (17). In the web filter profile, the Advertising category is set to Block and the Freeware and Software Download category is set to Allow.

To configure a FortiGuard web rating override:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL: play.google.com.

  3. Optionally, click Lookup rating to see what its current rating is.

  4. Set the Category and Sub-Category to an existing category that is different from the original category.

  5. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter
  3. Set the action for the Advertising category in the General Interest - Personal group to Block.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Allow.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:
  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be blocked by the category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=16:43:31 eventtime=1663803811966781540 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=891040 srcip=192.168.2.8 srcport=50318 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="blocked" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=17 catdesc="Advertising"

Example 2: Override a FortiGuard category with a remote category

In this example, play.google.com is added to an external URL category list and applied to a threat feed. In the web filter profile, the remote category is set to Allow, and the original FortiGuard category (Freeware and Software Download) is set to Block. Remote categories take precedence over FortiGuard categories, so the override action for the remote category will apply.

Delete the web rating override entry from example 1 for play.google.com before configuring this example.

To configure a FortiGuard threat feed for remote category override:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.

  3. Enter a name for the threat feed, such as Custom-Remote-FGD. This will be the name of the remote category.

  4. Enter the URI of external resource that contains the list of URLs that will be overridden to this remote category. This list will contain one entry for play.google.com.

  5. Configure the remaining settings as needed, then click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter
  3. Set the action for the Custom-Remote-FGD category in the Remote Categories group to Allow.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:
  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the remote category override.

  2. No logs are recorded because the Allow action is selected.

Example 3 - Override a FortiGuard category with a custom local category

In this example, play.google.com is added to a custom local category. that is set to Monitor in the web filter profile. Local custom categories take precedence over both remote and FortiGuard categories, so the override action for the local category will apply.

To create a custom local category override:
  1. Go to Security Profiles > Web Rating Overrides.

  2. Click Custom Categories, then click Create New.

  3. Enter a name for the category, such as myCustomCategory, and ensure the Status is set to Enable.

  4. Click OK.

To create a web rating override for the custom local category:
  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL to override.

  3. For Category, select Custom Categories and for Sub-Category select myCustomCategory.

  4. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter
  3. Set the action for the myCustomCategory category in the LocalCategories group to Monitor.

  4. The other actions can be left as they were at the end of example 2, Custom-Remote-FGD set to Allow and Freeware and Software Download set to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:
  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the local category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=17:17:00 eventtime=1663805820486294353 tz="-0700" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=2 sessionid=893147 srcip=192.168.2.8 srcport=50417 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="passthrough" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=142 catdesc="myCustomCategory"