URL filter
A URL filter is a list of entries whose URL patterns contain plain text, wildcards, or regular expressions. When a requested web page matches an entry, the FortiGate processes the traffic according to that entry's filter action (exempt, block, allow, or monitor). Once a URL filter is configured, it can be applied to a firewall policy.
The following filter types are available:
| URL filter type | Description |
|---|---|
| Simple | The FortiGate tries to strictly match the full context. For example, if you enter www.facebook.com in the URL field, it only matches traffic with www.facebook.com. It won't match facebook.com or message.facebook.com. When the FortiGate finds a match, it performs the selected URL action. |
| Regular expression/wildcard | The FortiGate tries to match the pattern based on the rules of regular expressions or wildcards. For example, if you enter *fa* in the URL field, it matches all the content that has fa such as www.facebook.com, message.facebook.com, fast.com, and so on. When the FortiGate finds a match, it performs the selected URL action. |
For more information, see the URL Filter expressions technical tip in the Knowledge Base.
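The following added example (not Fortinet code) models the entry types described above and the first-match evaluation of a filter list. It assumes a Simple entry must equal the whole host, a Wildcard entry treats `*` as any run of characters and must cover the whole host, and a Regex entry is a Python-style regex searched anywhere in the host; a host that matches no entry gets the default action, which the Allow row below states is to permit the traffic.

```python
import re

# Added example, not FortiGate code. Matching semantics are assumptions:
#   simple   -> the whole host must equal the pattern
#   wildcard -> '*' matches any run of characters; pattern must cover the host
#   regex    -> Python regex, searched anywhere in the host
DEFAULT_ACTION = "allow"   # a URL that is not in the list is permitted


def entry_matches(url_pattern: str, entry_type: str, host: str) -> bool:
    """Return True when one URL filter entry applies to the given host."""
    if entry_type == "simple":
        return host == url_pattern
    if entry_type == "wildcard":
        # Escape literal text, turn every '*' into '.*', anchor both ends.
        regex = ".*".join(re.escape(part) for part in url_pattern.split("*"))
        return re.fullmatch(regex, host) is not None
    if entry_type == "regex":
        return re.search(url_pattern, host) is not None
    raise ValueError(f"unknown entry type: {entry_type}")


def evaluate(entries, host: str) -> str:
    """Return the action of the first entry that matches, else the default."""
    for url_pattern, entry_type, action in entries:
        if entry_matches(url_pattern, entry_type, host):
            return action
    return DEFAULT_ACTION


# Constructed sample list: an exempt entry for an internal site (hypothetical
# name), the wildcard block entry from this page, and a regex monitor entry.
ENTRIES = [
    ("intranet.example.com", "simple", "exempt"),
    ("*facebook.com", "wildcard", "block"),
    (r"^fa", "regex", "monitor"),
]

if __name__ == "__main__":
    for host in ("www.facebook.com", "fast.com", "intranet.example.com", "example.org"):
        print(f"{host:25} -> {evaluate(ENTRIES, host)}")
```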
The following actions are available:
| URL filter action | Description |
|---|---|
| Exempt | The traffic is allowed to bypass the remaining FortiGuard web filters, web content filters, web script filters, antivirus scanning, and DLP proxy operations. |
| Block | The FortiGate denies or blocks attempts to access any URL that matches the URL pattern. A replacement message is displayed. |
| Allow | The traffic is passed to the remaining FortiGuard web filters, web content filters, web script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not appear in the URL list, the traffic is permitted. |
| Monitor | The traffic is processed the same way as the Allow action. For the Monitor action, a log message is generated each time a matching traffic pattern is established. |
The exempt URL filter action can be configured to bypass all or certain security profile operations. This setting can only be configured in the CLI. If the action is set to exempt, use set exempt to select the security profile operations that exempt URLs skip.

```
config webfilter urlfilter
    edit <id>
        config entries
            edit <id>
                set action exempt
                set exempt {av web-content activex-java-cookie dlp fortiguard range-block pass antiphish all}
            next
        end
    next
end
```
| Option | Description |
|---|---|
| av | Antivirus scanning |
| web-content | Web filter content matching |
| activex-java-cookie | ActiveX, Java, and cookie filtering |
| dlp | DLP scanning |
| fortiguard | FortiGuard web filtering |
| range-block | Range block feature |
| pass | Pass single connection from all |
| antiphish | Antiphish credential checking |
| all | Exempt from all security profiles |

These exempt options are not visible in the GUI. Setting the URL filter Action to Exempt will exempt URLs from all security profiles.
In the following example, a URL filter will be created to block the facebook.com URL using a wildcard.
Configuring a URL filter in the GUI
To create a URL filter for Facebook:
1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Static URL Filter section, enable URL Filter.
3. Click Create New. The New URL Filter pane opens.
4. For URL, enter *facebook.com, for Type, select Wildcard, and for Action, select Block.
5. Click OK. The entry appears in the table.
6. Configure the other settings as needed.
7. Click OK.
To apply the web filter profile to a firewall policy:
1. Go to Policy & Objects > Firewall Policy.
2. Edit a policy, or create a new one.
3. In the Security Profiles section, enable Web Filter and select the profile that you created.
4. Set SSL Inspection to certificate-inspection.
   The no-inspection profile does not perform SSL inspection, so it should not be selected with other UTM profiles.
5. Configure the other settings as needed.
6. Click OK.
Configuring a URL filter in the CLI
To create a URL filter for Facebook:
```
config webfilter urlfilter
    edit 1
        set name "webfilter"
        config entries
            edit 1
                set url "*facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end
```

To apply the URL filter to a web filter profile:

```
config webfilter profile
    edit "webfilter"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            ...
        end
    next
end
```

To apply the web filter profile to a firewall policy:

```
config firewall policy
    edit 1
        set name "WF"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```
Verifying the URL filter results
Verify the URL filter results by going to a blocked website. For example, when you go to the Facebook website, the replacement message appears:
To customize the URL web page blocked message:
1. Go to System > Replacement Messages.
2. In the HTTP section, select URL Block Page and click Edit.
3. Edit the HTML to customize the message. See Replacement messages for more information.
To check web filter logs in the GUI:
1. Go to Log & Report > Security Events.
2. Click the Web Filter card name.
3. If there are a lot of log entries, click Add Filter and select Event Type > urlfilter to display logs generated by the URL filter.
To check web filter logs in the CLI:
```
# execute log filter category utm-webfilter
# execute log display
2: date=2023-08-10 time=15:02:25 eventtime=1691704944982929658 tz="-0700" logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="root" urlfilteridx=1 urlfilterlist="webfilter" policyid=1 poluuid="4a4b9d00-e471-51ed-71ec-c1a3bc8f773c" policytype="policy" sessionid=4198 srcip=1.1.1.2 srcport=55044 srccountry="Australia" srcintf="internal7" srcintfrole="lan" srcuuid="45eec070-e471-51ed-4b1c-930f37c5d882" dstip=157.240.3.35 dstport=443 dstcountry="United States" dstintf="wan1" dstintfrole="wan" dstuuid="45eec070-e471-51ed-4b1c-930f37c5d882" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="https://www.facebook.com/" sentbyte=812 rcvdbyte=0 direction="outgoing" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"
```
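The record above is a space-separated list of key=value fields, where values containing spaces are double-quoted. The following added example (not Fortinet code) parses records in that format and counts blocked URL filter hits per source and hostname, which is the kind of check a SIEM rule or a quick script would run over exported logs. The two log lines in the block are constructed samples in the same format, not real FortiGate output.

```python
import re
from collections import Counter

# Added example, not FortiGate code. Constructed sample records that follow the
# key=value layout of the log shown on this page (field values are made up).
SAMPLE_LOGS = [
    'date=2023-08-10 time=15:02:25 type="utm" subtype="webfilter" eventtype="urlfilter" '
    'level="warning" urlfilteridx=1 urlfilterlist="webfilter" policyid=1 srcip=10.0.0.5 '
    'dstip=157.240.3.35 dstport=443 dstcountry="United States" hostname="www.facebook.com" '
    'profile="webfilter" action="blocked" url="https://www.facebook.com/" '
    'msg="URL was blocked because it is in the URL filter list"',
    'date=2023-08-10 time=15:03:10 type="utm" subtype="webfilter" eventtype="urlfilter" '
    'level="notice" urlfilteridx=1 urlfilterlist="webfilter" policyid=1 srcip=10.0.0.7 '
    'dstip=203.0.113.9 dstport=443 hostname="fast.com" profile="webfilter" '
    'action="passthrough" url="https://fast.com/" msg="URL was monitored"',
]

# key=value where the value is either "quoted text" (may contain spaces) or a
# bare token with no whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Turn one FortiGate-style log line into a dict of field -> string."""
    # re.findall yields (key, quoted, bare); the unused alternative is ''.
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def blocked_urlfilter_hits(lines) -> Counter:
    """Count webfilter/urlfilter records with action="blocked" per (srcip, hostname)."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if (rec.get("subtype") == "webfilter"
                and rec.get("eventtype") == "urlfilter"
                and rec.get("action") == "blocked"):
            hits[(rec.get("srcip"), rec.get("hostname"))] += 1
    return hits


if __name__ == "__main__":
    for (src, host), n in blocked_urlfilter_hits(SAMPLE_LOGS).items():
        print(f"{src} -> {host}: {n} blocked")
```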