FortiGuard filter
The FortiGuard filter enhances the web filter features by sorting billions of web pages into a wide range of categories that users can allow or block.
The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply to more than two billion pages. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.
To use this service, you must have a valid FortiGuard license.
The following actions are available:
FortiGuard web filter action |
Description |
---|---|
Allow |
Permit access to the sites in the category. |
Monitor |
Permit and log access to sites in the category. User quotas can be enabled for this option (see Usage quota). |
Block |
Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked. |
Warning |
Display a message to the user allowing them to continue if they choose. |
Authenticate |
Require the user to authenticate with the FortiGate before allowing access to the category or category group. |
Disable |
Remove the category from the from the web filter profile. This option is only available for local or remote categories from the right-click menu. |
FortiGuard web filter categories
FortiGuard has many web filter categories, including two local categories and a special remote category. Refer to the following table for more information:
FortiGuard web filter category |
Where to find more information |
---|---|
All URL categories |
|
Local categories |
See Web rating override. |
Remote category |
See Threat feeds. |
The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of the local category and not the external or FortiGuard built-in category.
Blocking a web category
The following example shows how to block a website based on its category. The Information Technology category (category 52) will be blocked.
To block a category in the GUI:
-
Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
-
In the FortiGuard category based filter section, select Information Technology, then click Block.
-
Configure the remaining settings as needed.
-
Click OK.
To block a category in the CLI:
config webfilter profile edit "webfilter" config ftgd-wf unset options config filters edit 1 set category 52 set action block next end end next end
You can use the |
To verify that the category is blocked:
-
Go to a website that belongs to the blocked category, such as www.fortinet.com.
The page should be blocked and display a replacement message.
To view the log of a blocked website in the GUI:
-
Go to Log & Report > Security Events.
-
Click the Web Filter card name.
-
Select an entry with blocked in the Action column and click Details.
-
To view the log of a blocked website in the CLI:
# execute log filter category utm-webfilter # execute log display 4: date=2023-08-08 time=13:25:31 eventtime=1691526331836645153 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="4a4b9d00-e471-51ed-71ec-c1a3bc8f773c" policytype="policy" sessionid=254529 srcip=1.1.1.2 srcport=60836 srccountry="Australia" srcintf="internal7" srcintfrole="lan" srcuuid="45eec070-e471-51ed-4b1c-930f37c5d882" dstip=44.240.173.227 dstport=443 dstcountry="United States" dstintf="wan1" dstintfrole="wan" dstuuid="45eec070-e471-51ed-4b1c-930f37c5d882" proto=6 service="HTTPS" hostname="www.fortinet.com" profile="default" action="blocked" reqtype="direct" url="https://www.fortinet.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"
Allowing users to override blocked categories
There is an option to allow users with valid credentials to override blocked categories.
To allow users to override blocked categories in the GUI:
-
Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
-
Enable Allow users to override blocked categories.
-
Enter information in the following fields:
Groups that can override
Add the user group that will be allowed to override.
Profile Name
Add the web filter profile the overridden group will use. This cannot be the same profile as its own.
Switch applies to
Select User, User Groups, IP, or Ask.
Switch Duration
Select either Predefined to specify a duration, or Ask for user input.
-
Configure the other settings as needed.
-
Click OK.
To allow users to override blocked categories in the CLI:
config webfilter profile edit "webfilter" set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override config override set ovrd-user-group "radius_group" set profile "webfilter" end config ftgd-wf unset options end next end
Issuing a warning on a web category
The following example shows how to issue a warning when a user visits a website in a specific category (Information Technology, category 52).
To configure a warning for a category in the GUI:
-
Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
-
In the FortiGuard category based filter section, select Information Technology, then click Warning.
-
Set the Warning Interval, then click OK.
The warning interval is the amount of time until the warning appears again after the user proceeds past it.
-
Configure the remaining settings as needed.
-
Click OK.
To configure a warning for a category in the CLI:
config webfilter profile edit "webfilter" config ftgd-wf unset options config filters edit 1 set category 52 set action warning next end end next end
To verify that the warning works:
-
Go to a website that belongs to the category, such as www.fortinet.com.
-
On the warning page, click Proceed or Go Back.
Authenticating a web category
The following example shows how to authenticate a website based on its category (Information Technology, category 52).
To authenticate a category in the GUI:
-
Go to Security Profiles > Web Filter and edit or create a new web filter profile.
-
In the FortiGuard category based filter section, select Information Technology, then click Authenticate.
-
Set the Warning Interval and select one or more user groups, then click OK.
-
Configure the remaining settings as needed.
-
Click OK.
To authenticate a category in the CLI:
config webfilter profile edit "webfilter" config ftgd-wf unset options config filters edit 1 set category 52 set action authenticate set auth-usr-grp "local_group" next end end next end
To verify that you have configured authentication:
-
Go to a website that belongs to the category, such as www.fortinet.com.
-
On the warning page, click Proceed.
-
Enter the username and password for the configured user group, then click Continue.
Customizing the replacement message page
When the category action is Block, Warning, or Authenticate, you can customize the replacement message page that a user sees.
To customize the replacement message page:
-
Go to Security Profiles > Web Filter and edit or create a new web filter profile.
-
In the FortiGuard category based filter section, right-click on a category and select Customize.
-
Select a Replacement Message Group. See Replacement message groups for details.
-
Optionally, click Edit FortiGuard Block Page or Edit FortiGuard Warning Page to make modifications.
-
Click Save.
-
Configure the remaining settings as needed.
-
Click OK.
Customizing the CA certificate
When accessing a HTTPS webpage, in order to intercept the connection and perform an override, warning, or authentication, the connection must be proxied and the warning and/or authentication page must be signed with FortiGate’s CA certificate. The client accessing the page must trust the CA in order to avoid certificate errors while browsing.
When applying the web filter profile to a firewall policy, an SSL inspection profile must also be selected. |
To apply a custom certificate to the SSL inspection profile in the GUI:
-
Go to Security Profiles > SSL/SSH Inspection and click Create New, or edit an existing profile.
-
Under SSL Inspection Options, set CA certificate to the desired custom CA certificate.
-
Click OK.
-
On the client endpoints, ensure this custom CA is trusted.
To apply a custom certificate to the SSL inspection profile in the CLI:
config firewall ssl-ssh-profile edit <name> set caname <custom_CA_certificate> next end