Create or edit a web filter profile
Click Create New to open the Create Web Filter Profile window.
Select a web filter profile and then click Edit to open the Edit Web Filter Profile window.
Configure the following settings in the Create Web Filter Profile window and then click OK:
Setting | Description
Name | The name of the web filter profile.
Comments | Optional description of the web filter profile.
Log all URLs | Enable if you want all URLs to be logged.
FortiGuard category based filter | Enable to use FortiGuard categories. If the device is not licensed for the FortiGuard web-filtering service, traffic can be blocked by enabling this option.
Risk Level Settings | Define the web filtering behavior for different risk levels (see Web Filter Risk Level). You can configure whether to block or monitor URLs for each risk level and whether to allow logging of the activity.
Allow/Monitor/Block/Warning/Authentication | Select the action for each FortiGuard category: Allow, Monitor, Block, Warning, or Authenticate. You can enter a category to search for.
Allow users to override blocked categories | Enable this option if you want users to be able to override blocked categories.
Groups that can override | Select the user groups that will be able to override blocked categories. This option is available only if Allow users to override blocked categories is enabled.
Profile Name | Select which web filter profile to change blocked categories to. This option is available only if Allow users to override blocked categories is enabled.
Switch applies to | Select whether the new web filter profile applies to a User, User Groups, or IP, or whether to Ask. The user or user groups must be specified as the Source in firewall policies using this profile. This option is available only if Allow users to override blocked categories is enabled.
Switch Duration | Select whether blocked categories can be overridden for a predefined period or to Ask. This option is available only if Allow users to override blocked categories is enabled.
day(s)/hour(s)/minute(s) | Select how long users can override blocked categories. This option is available only if Allow users to override blocked categories is enabled and the Switch Duration is set to Predefined.
Static URL Filter |
Block invalid URLs | Enable to block web sites when their SSL certificate CN field does not contain a valid domain name.
URL Filter | Enable and then create or edit a URL filter. See Create or edit a URL filter.
Block malicious URLs discovered by FortiSandbox | Enable to block malicious URLs discovered by FortiSandbox.
Content Filter | Enable and then create or edit a content filter to block access to web pages that include the specified patterns. See Create or edit a content filter.
Rating Options |
Allow websites when a rating error occurs | Enable to allow access to web pages that return a rating error from the web filter service. If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.
Rate URLs by domain and IP Address | Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This difference can sometimes cause the unit to allow access to sites that should be blocked or to block sites that should be allowed.
Proxy Options |
HTTP POST Action | Select whether to Allow or Block HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled out or a file you are uploading, to a web server.
Remove Cookies | Enable to filter cookies from web traffic. Web sites using cookies might not function properly with this enabled.
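The two Rating Options above interact in ways that are easy to misjudge, so here is an added example (not FortiProxy code) that models the decision for one request: it assumes a request is blocked when either the domain rating or, with "Rate URLs by domain and IP Address" enabled, the IP rating falls in a blocked category, and that a rating error falls through to the "Allow websites when a rating error occurs" setting. The rating tables, category names and addresses are constructed for the example.

```python
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


# Constructed rating tables standing in for FortiGuard lookups (not real ratings).
DOMAIN_RATINGS = {"example.test": "Business", "badsite.test": "Malicious Websites"}
# IP ratings lag domain ratings (caveat from the table), so a newly registered
# domain may be "Unrated" while the IP it resolves to already has a rating.
IP_RATINGS = {"203.0.113.5": "Malicious Websites"}
BLOCKED_CATEGORIES = {"Malicious Websites", "Child Sexual Abuse", "Terrorism"}


class RatingError(Exception):
    """Raised when the rating service cannot be contacted."""


def rate(table, key, service_up):
    """Look up one rating; an unreachable service is a rating error, not 'Unrated'."""
    if not service_up:
        raise RatingError("FortiGuard rating service unreachable")
    return table.get(key, "Unrated")


def decide(domain, ip, *, rate_by_domain_and_ip, allow_on_rating_error, service_up=True):
    """Return the action for a request under the two modelled profile settings."""
    try:
        categories = {rate(DOMAIN_RATINGS, domain, service_up)}
        if rate_by_domain_and_ip:
            # Separate IP lookup: the request is blocked if either rating is blocked.
            categories.add(rate(IP_RATINGS, ip, service_up))
    except RatingError:
        # Fail open or fail closed, exactly as the setting describes.
        return Action.ALLOW if allow_on_rating_error else Action.BLOCK
    return Action.BLOCK if categories & BLOCKED_CATEGORIES else Action.ALLOW
```

Note that with the rating-error option enabled every site is allowed for as long as the service is unreachable, so pair it with logging so the outage window is visible.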
API Preview |
The API Preview allows you to view all REST API requests being used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available if the user is logged in as an administrator who has read-only GUI permissions.
To use the API Preview:
- Click API Preview. The API Preview pane opens and shows the values of the fields (data). If a new object is being created, the POST request is shown.
- Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
- Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
- Click Close to leave the preview.
Using FortiGuard web filter categories to block child sexual abuse and terrorism
Web filter categories 83 (Child Sexual Abuse, formerly Child Abuse) and 96 (Terrorism) can be used to enforce blocking and logging of the Internet Watch Foundation (IWF) and Counter-Terrorism Internet Referral Unit (CTIRU) lists, respectively.
To create a web filter profile to block the Child Sexual Abuse and Terrorism categories in the GUI:
- Go to Security Profiles > Web Filter and click Create New.
- Enter a name for the new filter.
- Enable FortiGuard Category Based Filter.
- In the category table, in the Potentially Liable section, set the Action for the Child Sexual Abuse and Terrorism categories to Block.
- Configure the remaining settings as required.
- Click OK.
To create a web filter profile to block category 83 (Child Sexual Abuse) in the CLI:
config webfilter profile
    edit newfilter
        config ftgd-wf
            unset options
            config filters
                ...
                edit 83
                    set category 83
                    set action block
                next
                ...
            end
        end
    next
end
To test the web filter:
- Use the web filter profile in a policy.
- On a device that is connected through the FortiProxy unit and that uses the policy, visit the test URLs for each category:
  http://wfurltest.fortiguard.com/wftest/83.html
  http://wfurltest.fortiguard.com/wftest/96.html
- Log in to the FortiProxy unit and go to Log & Report > Web filter to view the logs for the blocked websites.
Configuring user-name-only credential matching
To configure user-name-only credential matching:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end
Configuring different custom pattern types for user names and passwords
To configure different custom pattern types for user names and passwords:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end
In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the default regex type.
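To make the literal/regex distinction concrete, here is an added example (not FortiProxy code) that evaluates the four custom-patterns entries above against submitted credentials. It assumes that a literal pattern is an exact string comparison, that a regex pattern must match the whole value, that entries without an explicit category are username patterns, and that check-username-only skips the password patterns; the real matching semantics are not stated on this page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomPattern:
    text: str        # the "edit" name in config custom-patterns is the pattern itself
    category: str    # "username" (assumed default) or "password"
    kind: str        # "regex" (the default on the page) or "literal"


# The four entries from the CLI example above.
PATTERNS = [
    CustomPattern("qwer", "username", "literal"),
    CustomPattern("[0-6]Dat*", "username", "regex"),
    CustomPattern("dauw9", "password", "literal"),
    CustomPattern("[0-5]foo[1-4]", "password", "regex"),
]


def pattern_matches(pattern, value):
    """Literal: exact comparison. Regex: whole-value match (assumed semantics)."""
    if pattern.kind == "literal":
        return value == pattern.text
    return re.fullmatch(pattern.text, value) is not None


def matching_patterns(username, password, check_username_only=False):
    """Return the pattern texts hit by a submitted credential pair.

    check_username_only is assumed to mean that only username patterns are
    evaluated; password patterns are ignored entirely.
    """
    hits = []
    for p in PATTERNS:
        if p.category == "password":
            if check_username_only:
                continue
            value = password
        else:
            value = username
        if pattern_matches(p, value):
            hits.append(p.text)
    return hits
```

Note the regex pitfall the test below exercises: `[0-6]Dat*` is a regex, so `t*` means zero or more "t" characters and the username "3Da" matches, while the string "[0-6]Dat*" itself does not; only the literal type matches its own text verbatim.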
Using image-analyzer to categorize images with unknown FortiGuard categories
The image-analyzer (IA) engine can be used to categorize images that had unknown categories from the FortiGuard web filter. The results of an IA scan are cached for twelve hours.
When a URL filter request is received, if the request's URL is in the cache then the cached result is returned. When an image response is received that has an unknown category and IA categorization is enabled, the image is sent to the IA engine for results. The IA engine results are added to the shared memory IA cache.
To enable image-analyzer categorization:
config webfilter profile
    edit <name>
        set ia-categorization enable
    next
end
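The lookup flow described above (cache hit on the URL, otherwise send an unknown-category image to the IA engine and cache the result for twelve hours) is modelled in this added example; it is not FortiProxy code. The shared-memory cache is a dictionary, the IA engine is an injected callable, and the clock is injectable so that expiry can be exercised.

```python
import time

IA_CACHE_TTL_SECONDS = 12 * 60 * 60   # IA results are cached for twelve hours


class ImageAnalyzerCache:
    """Simplified model of the shared-memory IA cache (assumed structure)."""

    def __init__(self, analyze, clock=time.time):
        self._analyze = analyze      # stand-in for the IA engine: bytes -> category
        self._clock = clock          # injectable clock so expiry can be tested
        self._cache = {}             # url -> (category, expiry timestamp)
        self.engine_calls = 0        # how often the IA engine was actually consulted

    def lookup(self, url):
        """Cached result for a URL filter request, or None if absent or expired."""
        entry = self._cache.get(url)
        if entry is None:
            return None
        category, expires_at = entry
        if self._clock() >= expires_at:
            del self._cache[url]     # stale entries are dropped, never served
            return None
        return category

    def categorize_image(self, url, fortiguard_category, image_bytes, ia_enabled=True):
        """Category for an image response: FortiGuard's if known, else IA (cached)."""
        if fortiguard_category != "unknown" or not ia_enabled:
            return fortiguard_category
        cached = self.lookup(url)
        if cached is not None:
            return cached
        self.engine_calls += 1
        category = self._analyze(image_bytes)
        self._cache[url] = (category, self._clock() + IA_CACHE_TTL_SECONDS)
        return category
```

Because results are keyed by URL and held for twelve hours, an image that changes at the same URL keeps its earlier verdict until the entry expires.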