Fortinet white logo
Fortinet white logo

Administration Guide

Configuring a web filter profile

Configuring a web filter profile

Web filtering restricts or controls user access to web resources and can be applied to firewall policies using either policy-based or profile-based NGFW mode.

Note

The feature set setting (proxy or flow) in the web filter profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based web filter profile must be used with a flow-based firewall policy.

An SSL inspection profile (such as the certificate-inspection profile) and a web filter profile must both be selected in the associated firewall policy. See SSL & SSH Inspection.

Some web filter profile options can only be configured in the CLI. See Advanced CLI configuration and the FortiOS CLI Reference for more information.

To configure a web filter profile:
  1. Go to Security Profiles > Web Filter and click Create New.

  2. Configure the following settings:

    Name

    Enter a unique name for the profile.

    Comments

    (Optional) Enter a comment.

    Feature set

    Select the feature set for the profile. The feature set mode must match the inspection mode used in the associated firewall policy.

    • Flow-based

    • Proxy-based

    Additional options are available in proxy-based mode and are identified in the GUI with a P icon. See Inspection mode feature comparison.

    If the Feature set option is not visible, enter the following in the CLI:

    config system settings
        set gui-proxy-inspection enable
    end

    FortiGuard Category Based Filter

    Enable to use the category-based filters from FortiGuard. A default action is assigned to each category, and you can change the action. See FortiGuard filter.

    Category Usage Quota

    This option is available in proxy-based mode and can be applied to categories set to Monitor, Warning, and Authenticate. See Category usage quota.

    Allow users to override blocked categories

    Enable to allow certain users or user groups to override websites blocked by web filtering profiles for a specified length of time. See Web profile override.

    Groups that can override

    Select one or more user groups that can override blocked websites. The user group must be specified as the Source in the firewall policies using this profile.

    Profile Name

    Select what web filter profiles can be overridden.

    Switch applies to

    Specify whether the override applies to a User, User Group, or IP address. Alternately select Ask to prompt the user to log in to access the web page.

    Switch duration

    Select Predefined to specify how many days, hours, and minutes to allow the override. Select Ask to prompt the user to specify how long to allow the override.

    Search Engines

    Enfore 'Safe Search' on Google, Yahoo!, Bing, Yandex

    Enable to prevent explicit websites and images from appearing in search results. See Safe search.

    Restrict YouTube Access

    Enable to filter out potentially mature videos. See Restrict Google account usage to specific domains.

    Log all search keywords

    This option is available in proxy-based mode. Enable to log all search phrases. See Log all search keywords.

    Static URL Filter

    Block invalid URLs

    Enable to block websites when their SSL certificate CN field lacks a valid domain name. See Block invalid URLs.

    URL Filter

    Enable to specify URL patterns and an action for FortiGate to take when matching URL patterns are found in traffic. See URL filter.

    Block malicious URLs discovered by FortiSandbox

    Enable to block malicious URLs found by FortiSandbox. Requires FortiGate to be connected to a registered FortiSandbox. See Block malicious URLs discovered by FortiSandbox.

    Content Filter

    Enable to specify word or patterns to be used to identify and control access to web pages. See Web content filter.

    Rating Options

    Allow websites when a rating error occurs

    Enable to allow access to websites that return a rating error from the FortiGuard Web Filter service. See Allow websites when a rating error occurs.

    Rate URLs by domain and IP address

    Enable for FortiGate to always send both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating. See Rate URLs by domain and IP address.

    Proxy Options

    Restrict Google account usage to specific domains

    This option is available in proxy-based mode. Enable to block access to certain Google accounts and services. See Restrict Google account usage to specific domains.

    HTTP POST Action

    Enable to specify how to handle HTTP POST traffic. See HTTP POST action.

    Remove Java Applets

    This option is available in proxy-based mode. Enable to remove Java applets from web traffic. See Remove Java applets, ActiveX, and cookies.

    Remove ActiveX

    This option is available in proxy-based mode. Enable to remove ActiveX from web traffic. See Remove Java applets, ActiveX, and cookies.

    Remove Cookies

    Enable to remove cookies from web traffic. See Remove Java applets, ActiveX, and cookies.
  3. Click OK.

Configuring a web filter profile

Configuring a web filter profile

Web filtering restricts or controls user access to web resources and can be applied to firewall policies using either policy-based or profile-based NGFW mode.

Note

The feature set setting (proxy or flow) in the web filter profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based web filter profile must be used with a flow-based firewall policy.

An SSL inspection profile (such as the certificate-inspection profile) and a web filter profile must both be selected in the associated firewall policy. See SSL & SSH Inspection.

Some web filter profile options can only be configured in the CLI. See Advanced CLI configuration and the FortiOS CLI Reference for more information.

To configure a web filter profile:
  1. Go to Security Profiles > Web Filter and click Create New.

  2. Configure the following settings:

    Name

    Enter a unique name for the profile.

    Comments

    (Optional) Enter a comment.

    Feature set

    Select the feature set for the profile. The feature set mode must match the inspection mode used in the associated firewall policy.

    • Flow-based

    • Proxy-based

    Additional options are available in proxy-based mode and are identified in the GUI with a P icon. See Inspection mode feature comparison.

    If the Feature set option is not visible, enter the following in the CLI:

    config system settings
        set gui-proxy-inspection enable
    end

    FortiGuard Category Based Filter

    Enable to use the category-based filters from FortiGuard. A default action is assigned to each category, and you can change the action. See FortiGuard filter.

    Category Usage Quota

    This option is available in proxy-based mode and can be applied to categories set to Monitor, Warning, and Authenticate. See Category usage quota.

    Allow users to override blocked categories

    Enable to allow certain users or user groups to override websites blocked by web filtering profiles for a specified length of time. See Web profile override.

    Groups that can override

    Select one or more user groups that can override blocked websites. The user group must be specified as the Source in the firewall policies using this profile.

    Profile Name

    Select what web filter profiles can be overridden.

    Switch applies to

    Specify whether the override applies to a User, User Group, or IP address. Alternately select Ask to prompt the user to log in to access the web page.

    Switch duration

    Select Predefined to specify how many days, hours, and minutes to allow the override. Select Ask to prompt the user to specify how long to allow the override.

    Search Engines

    Enfore 'Safe Search' on Google, Yahoo!, Bing, Yandex

    Enable to prevent explicit websites and images from appearing in search results. See Safe search.

    Restrict YouTube Access

    Enable to filter out potentially mature videos. See Restrict Google account usage to specific domains.

    Log all search keywords

    This option is available in proxy-based mode. Enable to log all search phrases. See Log all search keywords.

    Static URL Filter

    Block invalid URLs

    Enable to block websites when their SSL certificate CN field lacks a valid domain name. See Block invalid URLs.

    URL Filter

    Enable to specify URL patterns and an action for FortiGate to take when matching URL patterns are found in traffic. See URL filter.

    Block malicious URLs discovered by FortiSandbox

    Enable to block malicious URLs found by FortiSandbox. Requires FortiGate to be connected to a registered FortiSandbox. See Block malicious URLs discovered by FortiSandbox.

    Content Filter

    Enable to specify word or patterns to be used to identify and control access to web pages. See Web content filter.

    Rating Options

    Allow websites when a rating error occurs

    Enable to allow access to websites that return a rating error from the FortiGuard Web Filter service. See Allow websites when a rating error occurs.

    Rate URLs by domain and IP address

    Enable for FortiGate to always send both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating. See Rate URLs by domain and IP address.

    Proxy Options

    Restrict Google account usage to specific domains

    This option is available in proxy-based mode. Enable to block access to certain Google accounts and services. See Restrict Google account usage to specific domains.

    HTTP POST Action

    Enable to specify how to handle HTTP POST traffic. See HTTP POST action.

    Remove Java Applets

    This option is available in proxy-based mode. Enable to remove Java applets from web traffic. See Remove Java applets, ActiveX, and cookies.

    Remove ActiveX

    This option is available in proxy-based mode. Enable to remove ActiveX from web traffic. See Remove Java applets, ActiveX, and cookies.

    Remove Cookies

    Enable to remove cookies from web traffic. See Remove Java applets, ActiveX, and cookies.
  3. Click OK.