Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.3 Administration Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Category override examples

Category override examples

This topic includes examples that overrides the original FortiGuard category:

Example 1: Override a FortiGuard category with another FortiGuard category

In this example, play.google.com is overridden from its original category, Freeware and Software Download (19), to the Advertising category (17). In the web filter profile, the Advertising category is set to Block and the Freeware and Software Download category is set to Allow.

To configure a FortiGuard web rating override:

  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL: play.google.com.

  3. Optionally, click Lookup rating to see what its current rating is.

  4. Set the Category and Sub-Category to an existing category that is different from the original category.

  5. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter.

  3. Set the action for the Advertising category in the General Interest - Personal group to Block.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Allow.

  5. Configure the remaining settings required, then click OK.
To apply the category in firewall policy:

  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:

  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be blocked by the category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=16:43:31 eventtime=1663803811966781540 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=891040 srcip=192.168.2.8 srcport=50318 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="blocked" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=17 catdesc="Advertising"

Example 2: Override a FortiGuard category with a remote category

In this example, play.google.com is added to an external URL category list and applied to a threat feed. In the web filter profile, the remote category is set to Allow, and the original FortiGuard category (Freeware and Software Download) is set to Block. Remote categories take precedence over FortiGuard categories, so the override action for the remote category will apply.

Delete the web rating override entry from example 1 for play.google.com before configuring this example.

To configure a FortiGuard threat feed for remote category override:

  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.

  3. Enter a name for the threat feed, such as Custom-Remote-FGD. This will be the name of the remote category.

  4. Enter the URL of external resource that contains the list of URLs that will be overridden to this remote category. This list will contain one entry for play.google.com.

  5. Configure the remaining settings as needed, then click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter.

  3. Set the action for the Custom-Remote-FGD category in the Remote Categories group to Allow.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:

  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:

  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the remote category override.

  2. No logs are recorded because the Allow action is selected.

Example 3: Override a FortiGuard category with a custom local category

In this example, play.google.com is added to a custom local category. that is set to Monitor in the web filter profile. Local custom categories take precedence over both remote and FortiGuard categories, so the override action for the local category will apply.

To create a custom local category override:

  1. Go to Security Profiles > Web Rating Overrides.

  2. Click Custom Categories, then click Create New.

  3. Enter a name for the category, such as myCustomCategory, and ensure the Status is set to Enable.

  4. Click OK.

To create a web rating override for the custom local category:

  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL to override.

  3. For Category, select Custom Categories and for Sub-Category select myCustomCategory.

  4. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter.

  3. Set the action for the myCustomCategory category in the LocalCategories group to Monitor.

  4. The other actions can be left as they were at the end of example 2, Custom-Remote-FGD set to Allow and Freeware and Software Download set to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:

  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:

  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the local category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=17:17:00 eventtime=1663805820486294353 tz="-0700" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=2 sessionid=893147 srcip=192.168.2.8 srcport=50417 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="passthrough" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=142 catdesc="myCustomCategory"
Previous
Next

Category override examples

This topic includes examples that overrides the original FortiGuard category:

Example 1: Override a FortiGuard category with another FortiGuard category

In this example, play.google.com is overridden from its original category, Freeware and Software Download (19), to the Advertising category (17). In the web filter profile, the Advertising category is set to Block and the Freeware and Software Download category is set to Allow.

To configure a FortiGuard web rating override:

  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL: play.google.com.

  3. Optionally, click Lookup rating to see what its current rating is.

  4. Set the Category and Sub-Category to an existing category that is different from the original category.

  5. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter.

  3. Set the action for the Advertising category in the General Interest - Personal group to Block.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Allow.

  5. Configure the remaining settings required, then click OK.
To apply the category in firewall policy:

  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:

  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be blocked by the category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=16:43:31 eventtime=1663803811966781540 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=2 sessionid=891040 srcip=192.168.2.8 srcport=50318 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="blocked" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=17 catdesc="Advertising"

Example 2: Override a FortiGuard category with a remote category

In this example, play.google.com is added to an external URL category list and applied to a threat feed. In the web filter profile, the remote category is set to Allow, and the original FortiGuard category (Freeware and Software Download) is set to Block. Remote categories take precedence over FortiGuard categories, so the override action for the remote category will apply.

Delete the web rating override entry from example 1 for play.google.com before configuring this example.

To configure a FortiGuard threat feed for remote category override:

  1. Go to Security Fabric > External Connectors and click Create New.

  2. In the Threat Feeds section, click FortiGuard Category.

  3. Enter a name for the threat feed, such as Custom-Remote-FGD. This will be the name of the remote category.

  4. Enter the URL of external resource that contains the list of URLs that will be overridden to this remote category. This list will contain one entry for play.google.com.

  5. Configure the remaining settings as needed, then click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter.

  3. Set the action for the Custom-Remote-FGD category in the Remote Categories group to Allow.

  4. Set the action for the Freeware and Software Download category in the Bandwidth Consuming group to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:

  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:

  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the remote category override.

  2. No logs are recorded because the Allow action is selected.

Example 3: Override a FortiGuard category with a custom local category

In this example, play.google.com is added to a custom local category. that is set to Monitor in the web filter profile. Local custom categories take precedence over both remote and FortiGuard categories, so the override action for the local category will apply.

To create a custom local category override:

  1. Go to Security Profiles > Web Rating Overrides.

  2. Click Custom Categories, then click Create New.

  3. Enter a name for the category, such as myCustomCategory, and ensure the Status is set to Enable.

  4. Click OK.

To create a web rating override for the custom local category:

  1. Go to Security Profiles > Web Rating Overrides and click Create New.

  2. Enter the URL to override.

  3. For Category, select Custom Categories and for Sub-Category select myCustomCategory.

  4. Click OK.

To apply the category in a web filter profile:
  1. Go to Security Profiles > Web Filter and create or edit a web filter profile. See FortiGuard filter for more information.
  2. Enable FortiGuard category based filter.

  3. Set the action for the myCustomCategory category in the LocalCategories group to Monitor.

  4. The other actions can be left as they were at the end of example 2, Custom-Remote-FGD set to Allow and Freeware and Software Download set to Block.

  5. Configure the remaining settings are required, then click OK.
To apply the category in firewall policy:

  1. Go to Policy & Objects > Firewall Policy and create or edit a policy.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable Web Filter and select the profile that you just created.

  4. Set SSL Inspection to certificate-inspection or deep-inspection.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To test the filter:

  1. From a Workstation behind the firewall, open a browser and browse to play.google.com. The page will be allowed by the local category override.

  2. Go to Log & Report > Security Events and select Web Filter.

  3. View the log details in the GUI, or download the log file:

    date=2022-09-21 time=17:17:00 eventtime=1663805820486294353 tz="-0700" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=2 sessionid=893147 srcip=192.168.2.8 srcport=50417 srcintf="port2" srcintfrole="undefined" dstip=142.251.211.238 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="play.google.com" profile="FGD-Override-FGD-Flow" action="passthrough" reqtype="direct" url="https://play.google.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=142 catdesc="myCustomCategory"
Previous
Next