Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Advanced filters 2

This topic gives examples of the following advanced filter features:

Note

These advanced filters are only available in proxy-based inspection mode.

Safe search

This setting applies to popular search sites and prevents explicit websites and images from appearing in search results.

The supported search sites are:

  • Google
  • Yahoo
  • Bing
  • Yandex
To enable safe search in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Search Engines section, enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

  3. Click OK.
To enable safe search in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set safe-search url header
        end
    next
end

YouTube education filters

Use these features to limit users' access to YouTube channels. For example, in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature let schools access educational videos on YouTube EDU and specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content, see Restrict YouTube content available to G Suite users. At this time, Google offers options to restrict inappropriate content for DNS, HTTP headers, and Chromebooks.

To enable restrict YouTube access in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Search Engines section, enable Restrict YouTube Access and select Strict or Moderate.

  3. Click OK.
To restrict YouTube access in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set youtube-restrict {none | strict | moderate}
        end
    next
end

YouTube channel filtering

Use this setting to block or only allow matching YouTube channels.

The following identifiers are used:

given <channel-id>, affect on:

www.youtube.com/channel/<channel-id>

www.youtube.com/user/<user-id>

matches channel-id from <meta itemprop="channelId" content="<channel-id>">

www.youtube.com/watch?v=<string>

matches channel-id from <meta itemprop="channelId" content="<channel-id>">

To enable channel filtering in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Proxy Options section, enable Restrict YouTube access to specific channels.

  3. Click Create New. The New YouTube Channel Filter pane opens.
  4. Enter the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.

  5. Click OK. The entry appears in the table with its link.

To enable channel filtering in the CLI:
config webfilter profile
   edit "webfilter"
      set youtube-channel-status whitelist
      config youtube-channel-filter
         edit 1
            set channel-id "UCGzuiiLdQZu9wxDNJHO_JnA"
         next
      end
   next
end

Log all search keywords

Use this setting to log all search phrases.

To enable logging search keywords in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Search Engines section, enable Log all search keywords.

  3. Click OK.
To enable logging search keywords in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

Restrict Google account usage to specific domains

Use this setting to block access to certain Google accounts and services, while allowing access to accounts with domains in the exception list.

To enable Google account restriction:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Proxy Options section, enable Restrict Google account usage to specific domains.

  3. Click the + and enter the domains that Google can access, such as www.fortinet.com.

  4. Click OK.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST action

Use this setting to select the action to take with HTTP POST traffic. HTTP POST is the command used by the browser when you send information, such as a completed form or a file you are uploading to a web server. The action options are allow or block. The default is allow.

To configure HTTP POST in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Proxy Options section, for HTTP POST Action, select Allow or Block.

  3. Click OK.
To configure HTTP POST in the CLI:
config webfilter profile
    edit "webfilter"
        set post-action {normal | block}
        config ftgd-wf
            unset options
        end
    next
end

Remove Java applets, ActiveX, and cookies

Web filter profiles have settings to filter Java applets, ActiveX, and cookies from web traffic. Note that if these filters are enabled, websites using Java applets, ActiveX, and cookies might not function properly.

To enable these filters in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile. and go to the Proxy Options section.
  2. In the Proxy Options section, enabled the filters you want to use: Remove Java Applets, Remove ActiveX, or Remove Cookies.

To enable these filters in the CLI:
config webfilter profile
   edit "webfilter"
      set options {activexfilter cookiefilter javafilter} 
      config ftgd-wf
         unset options
      end
   next
end

Advanced filters 2

This topic gives examples of the following advanced filter features:

Note

These advanced filters are only available in proxy-based inspection mode.

Safe search

This setting applies to popular search sites and prevents explicit websites and images from appearing in search results.

The supported search sites are:

  • Google
  • Yahoo
  • Bing
  • Yandex
To enable safe search in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Search Engines section, enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

  3. Click OK.
To enable safe search in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set safe-search url header
        end
    next
end

YouTube education filters

Use these features to limit users' access to YouTube channels. For example, in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature let schools access educational videos on YouTube EDU and specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content, see Restrict YouTube content available to G Suite users. At this time, Google offers options to restrict inappropriate content for DNS, HTTP headers, and Chromebooks.

To enable restrict YouTube access in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Search Engines section, enable Restrict YouTube Access and select Strict or Moderate.

  3. Click OK.
To restrict YouTube access in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set youtube-restrict {none | strict | moderate}
        end
    next
end

YouTube channel filtering

Use this setting to block or only allow matching YouTube channels.

The following identifiers are used:

given <channel-id>, affect on:

www.youtube.com/channel/<channel-id>

www.youtube.com/user/<user-id>

matches channel-id from <meta itemprop="channelId" content="<channel-id>">

www.youtube.com/watch?v=<string>

matches channel-id from <meta itemprop="channelId" content="<channel-id>">

To enable channel filtering in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Proxy Options section, enable Restrict YouTube access to specific channels.

  3. Click Create New. The New YouTube Channel Filter pane opens.
  4. Enter the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.

  5. Click OK. The entry appears in the table with its link.

To enable channel filtering in the CLI:
config webfilter profile
   edit "webfilter"
      set youtube-channel-status whitelist
      config youtube-channel-filter
         edit 1
            set channel-id "UCGzuiiLdQZu9wxDNJHO_JnA"
         next
      end
   next
end

Log all search keywords

Use this setting to log all search phrases.

To enable logging search keywords in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Search Engines section, enable Log all search keywords.

  3. Click OK.
To enable logging search keywords in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

Restrict Google account usage to specific domains

Use this setting to block access to certain Google accounts and services, while allowing access to accounts with domains in the exception list.

To enable Google account restriction:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Proxy Options section, enable Restrict Google account usage to specific domains.

  3. Click the + and enter the domains that Google can access, such as www.fortinet.com.

  4. Click OK.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST action

Use this setting to select the action to take with HTTP POST traffic. HTTP POST is the command used by the browser when you send information, such as a completed form or a file you are uploading to a web server. The action options are allow or block. The default is allow.

To configure HTTP POST in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the Proxy Options section, for HTTP POST Action, select Allow or Block.

  3. Click OK.
To configure HTTP POST in the CLI:
config webfilter profile
    edit "webfilter"
        set post-action {normal | block}
        config ftgd-wf
            unset options
        end
    next
end

Remove Java applets, ActiveX, and cookies

Web filter profiles have settings to filter Java applets, ActiveX, and cookies from web traffic. Note that if these filters are enabled, websites using Java applets, ActiveX, and cookies might not function properly.

To enable these filters in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile. and go to the Proxy Options section.
  2. In the Proxy Options section, enabled the filters you want to use: Remove Java Applets, Remove ActiveX, or Remove Cookies.

To enable these filters in the CLI:
config webfilter profile
   edit "webfilter"
      set options {activexfilter cookiefilter javafilter} 
      config ftgd-wf
         unset options
      end
   next
end