Administration Guide

Advanced filters 1

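This topic gives examples of the following advanced filter features: blocking malicious URLs discovered by FortiSandbox, allowing websites when a rating error occurs, rating URLs by domain and IP address, and blocking invalid URLs.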

Block malicious URLs discovered by FortiSandbox

This setting blocks malicious URLs that FortiSandbox finds. Your FortiGate must be connected to a registered FortiSandbox.

For information on configuring FortiSandbox, see Using FortiSandbox post-transfer scanning with antivirus and Using FortiSandbox inline scanning with antivirus.

To block malicious URLs discovered by FortiSandbox in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the Static URL Filter section, enable Block malicious URLs discovered by FortiSandbox.

  3. Click OK.

To block malicious URLs discovered by FortiSandbox in the CLI:
config webfilter profile
    edit "webfilter"
        config web
            set blocklist enable
        end
    next
end

Allow websites when a rating error occurs

If you do not have a FortiGuard license, but you have enabled services that need a FortiGuard license (such as FortiGuard filter), then you will get a rating error message.

Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.

To allow websites with rating errors in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the Rating Options section, enable Allow websites when a rating error occurs.

  3. Click OK.

To allow websites with rating errors in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options error-allow
        end
    next
end

Rate URLs by domain and IP address

If you enable this setting, rather than sending only domain information to FortiGuard for rating, the FortiGate always sends both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating.

The FortiGuard server might return different categories for the IP address and the URL domain. If they are different, the FortiGate uses the rating weight of the IP address or domain name to determine the rating result and decision. This rating weight is hard-coded in FortiOS.

For example, if a Google IP address is spoofed as www.irs.gov, the FortiGate sends both the IP address and the domain name to FortiGuard for rating. Two different ratings are returned: search engine and portals, which belongs to the Google IP address, and government and legal organizations, which belongs to www.irs.gov. Because the search engine and portals rating has a higher weight than government and legal organizations, the traffic is rated as search engine and portals.

To rate URLs by domain and IP address in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the Rating Options section, enable Rate URLs by domain and IP address.

  3. Click OK.

To rate URLs by domain and IP address in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options rate-server-ip
        end
    next
end

Block invalid URLs

Use this setting to block websites when their SSL certificate CN field does not contain a valid domain name.

This option also blocks URLs that contain spaces. If there is a space in the URL, it must be written as %20 in the URL path.

To block invalid URLs in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the Static URL Filter section, enable Block invalid URLs.

  3. Click OK.

To block invalid URLs in the CLI:
config webfilter profile
    edit "webfilter"
        set options block-invalid-url
    next
end
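
The four settings covered in this topic can be checked together in a saved configuration. The following Python script is an added example, not Fortinet code: it parses the config webfilter profile block of a configuration backup and reports each setting per profile. The sample configuration, the profile name "guest", and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = '''
config webfilter profile
    edit "webfilter"
        set options block-invalid-url
        config web
            set blocklist enable
        end
        config ftgd-wf
            set options error-allow rate-server-ip
        end
    next
    edit "guest"
        config ftgd-wf
            set options error-allow
        end
    next
end
'''

def parse_webfilter_profiles(text):
    """Return {profile: {"<subtable>/<key>": [values]}} for 'config webfilter profile'."""
    profiles, stack, current = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]  # a blank line becomes a no-op token
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))  # track nesting of config blocks
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack[:1] == ["webfilter profile"]:
            if tok[0] == "edit" and len(stack) == 1:  # profile-level edit only
                current = profiles.setdefault(tok[1], {})
            elif tok[0] == "set" and current is not None:
                current["/".join(stack[1:] + [tok[1]])] = tok[2:]
    return profiles

def audit(profiles):
    """Report, per profile, the four settings described in this topic."""
    return {name: {
        "sandbox_blocklist": s.get("web/blocklist") == ["enable"],
        "allow_on_rating_error": "error-allow" in s.get("ftgd-wf/options", []),
        "rate_by_domain_and_ip": "rate-server-ip" in s.get("ftgd-wf/options", []),
        "block_invalid_url": "block-invalid-url" in s.get("options", []),
    } for name, s in profiles.items()}

if __name__ == "__main__":
    print(audit(parse_webfilter_profiles(SAMPLE_CONFIG)))
```

A profile that reports allow_on_rating_error as true passes traffic whenever FortiGuard cannot return a rating, so it is worth reviewing alongside the license state of the device.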
