
Administration Guide

Create or edit a web filter profile

Click Create New to open the Create Web Filter Profile window.

Select a web filter profile and then click Edit to open the Edit Web Filter Profile window.

Configure the following settings in the Create Web Filter Profile window and then click OK:

Name

The name of the web filter profile.

Comments

Optional description of the web filter profile.

Log all URLs

Enable if you want all URLs to be logged.

FortiGuard category based filter

Enable to use FortiGuard categories. If the device is not licensed for the FortiGuard web-filtering service, enabling this option can cause traffic to be blocked.

Risk Level Settings

Define the web filtering behavior for different risk levels (see Web Filter Risk Level). You can configure whether to block or monitor URLs for each risk level and whether to allow logging of the activity.

Allow/Monitor/Block/Warning/Authentication

Select the action for each FortiGuard category: Allow, Monitor, Block, Warning, or Authenticate. You can enter a category to search for.

Allow users to override blocked categories

Enable this option if you want users to be able to override blocked categories.

Groups that can override

Select the user groups that will be able to override blocked categories.

This option is available only if Allow users to override blocked categories is enabled.

Profile Name

Select which web filter profile to change blocked categories to.

This option is available only if Allow users to override blocked categories is enabled.

Switch applies to

Select whether the new web filter profile applies to a User, User Groups, or IP or whether to Ask. The user or user groups must be specified as the Source in firewall policies using this profile.

This option is available only if Allow users to override blocked categories is enabled.

Switch Duration

Select whether blocked categories can be overridden for a predefined period or to Ask.

This option is available only if Allow users to override blocked categories is enabled.

day(s)/hour(s)/minute(s)

Select how long users can override blocked categories.

This option is available only if Allow users to override blocked categories is enabled and the Switch Duration is set to Predefined.

Static URL Filter

Block invalid URLs

Enable to block web sites when their SSL certificate CN field does not contain a valid domain name.

URL Filter

Enable and then create or edit a URL filter. See Create or edit a URL filter.

Block malicious URLs discovered by FortiSandbox

Enable to block malicious URLs discovered by FortiSandbox.

Content Filter

Enable and then create or edit a content filter to block access to web pages that include the specified patterns. See Create or edit a content filter.

Rating Options

Allow websites when a rating error occurs

Enable to allow access to web pages that return a rating error from the web filter service.

If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.

Rate URLs by domain and IP Address

Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This difference can sometimes cause the unit to allow access to sites that should be blocked or to block sites that should be allowed.

Proxy Options

HTTP POST Action

Select whether to Allow or Block HTTP POST traffic. HTTP POST is the method your browser uses when it sends information, such as a form you have filled out or a file you are uploading, to a web server.

Remove Cookies

Enable to filter cookies from web traffic. Web sites using cookies might not function properly with this enabled.

API Preview

The API Preview allows you to view all REST API requests being used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available if the user is logged in as an administrator who has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.

Using FortiGuard web filter categories to block child sexual abuse and terrorism

Web filter categories 83 (Child Sexual Abuse, formerly Child Abuse) and 96 (Terrorism) can be used to enforce blocking and logging of the Internet Watch Foundation (IWF) and Counter-Terrorism Internet Referral Unit (CTIRU) lists, respectively.

To create a web filter profile to block the Child Sexual Abuse and Terrorism categories in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New.

  2. Enter a name for the new filter.

  3. Enable FortiGuard Category Based Filter.

  4. In the category table, in the Potentially Liable section, set the Action for the Child Sexual Abuse and Terrorism categories to Block.

  5. Configure the remaining settings as required.

  6. Click OK.

To create a web filter profile to block category 83 (Child Sexual Abuse) in the CLI:
config webfilter profile
    edit newfilter
        config ftgd-wf
            unset options
            config filters
                ...
                edit 83
                    set category 83
                    set action block
                next
                ...
            end
        end
    next
end

To test the web filter:
  1. Use the web filter profile in a policy.

  2. On a device that is connected through the FortiProxy unit and that uses the policy, visit the test URLs for each category:

    http://wfurltest.fortiguard.com/wftest/83.html

    http://wfurltest.fortiguard.com/wftest/96.html

  3. Log in to the FortiProxy unit and go to Log & Report > Web filter to view the logs for the blocked websites.
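As an offline complement to the test above, the following Python script is an added example (not Fortinet's code or the product's own parser): it parses a profile written in the CLI style shown and checks that both category 83 and category 96, which the GUI procedure blocks, are set to block. The parser is a simplified model of the config/edit/set/unset/next/end syntax, and the sample configuration is constructed for the example.

```python
# Constructed sample in FortiProxy CLI style. It mirrors the page's snippet for
# category 83, adds the entry for category 96 that the GUI steps also block,
# and includes an unrelated monitored category that the check must ignore.
SAMPLE_CONFIG = """\
config webfilter profile
    edit "newfilter"
        config ftgd-wf
            unset options
            config filters
                edit 83
                    set category 83
                    set action block
                next
                edit 96
                    set category 96
                    set action block
                next
                edit 1
                    set category 1
                    set action monitor
                next
            end
        end
    next
end
"""


def parse_cli(text):
    """Parse config/edit/set/unset/next/end lines into nested dicts.

    Result shape: {table: {entry: {setting: value, subtable: {...}}}}.
    This is a simplified model of the CLI grammar written for this example,
    not Fortinet's parser: values are kept as strings, quotes are stripped,
    and "..." elision lines such as those on the page are ignored.
    """
    root = {}
    stack = [root]  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "config":            # open (or reopen) a table
            stack.append(stack[-1].setdefault(rest, {}))
        elif keyword == "edit":            # open (or reopen) an entry
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif keyword == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif keyword == "unset":
            stack[-1].pop(rest, None)
        elif keyword in ("next", "end"):   # close the innermost entry/table
            if len(stack) > 1:
                stack.pop()
    return root


def category_actions(profile):
    """Map FortiGuard category number -> configured action for one profile.

    Entries with no explicit action map to None; no default is guessed.
    """
    filters = profile.get("ftgd-wf", {}).get("filters", {})
    actions = {}
    for entry in filters.values():
        if isinstance(entry, dict) and "category" in entry:
            actions[int(entry["category"])] = entry.get("action")
    return actions


def missing_blocks(config, profile_name, required=(83, 96)):
    """Return the required categories that the named profile does not block."""
    profile = config.get("webfilter profile", {}).get(profile_name, {})
    actions = category_actions(profile)
    return [c for c in required if actions.get(c) != "block"]


if __name__ == "__main__":
    cfg = parse_cli(SAMPLE_CONFIG)
    gaps = missing_blocks(cfg, "newfilter")
    print("all required categories blocked" if not gaps else f"not blocked: {gaps}")
```

Feed the script a profile exported from the unit's own configuration to confirm that a profile still blocks the two categories after later edits; a non-empty list from missing_blocks is the condition to alert on.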

Configuring user-name-only credential matching

To configure user-name-only credential matching:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

Configuring different custom pattern types for user names and passwords

To configure different custom pattern types for user names and passwords:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the default regex type.
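To make the literal-versus-regex distinction concrete, the following Python model is an added example (not Fortinet's code and not the device's matching engine). It takes the four custom-pattern entries from the configuration above and shows which submitted user names and passwords each one matches. Treating the default category as username and requiring a full-string match are assumptions made for this example.

```python
import re

# Constructed model of the custom-patterns table from the configuration above:
# (pattern, category, type). The page states that type defaults to regex;
# treating the default category as "username" is an assumption.
CUSTOM_PATTERNS = [
    ("qwer", "username", "literal"),
    ("[0-6]Dat*", "username", "regex"),
    ("dauw9", "password", "literal"),
    ("[0-5]foo[1-4]", "password", "regex"),
]


def compile_pattern(pattern, ptype):
    """Compile one custom-pattern entry.

    Literal entries are escaped so that characters such as "[" and "*" match
    themselves; regex entries are compiled as written. Whether the device
    needs a full-string or a substring match is not stated on the page, so
    this example uses full-string matching (assumption).
    """
    if ptype == "literal":
        return re.compile(re.escape(pattern))
    if ptype == "regex":
        return re.compile(pattern)
    raise ValueError(f"unknown pattern type: {ptype!r}")


def matching_patterns(value, category, patterns=CUSTOM_PATTERNS):
    """Return the patterns of the given category that match value."""
    return [
        pattern
        for pattern, cat, ptype in patterns
        if cat == category and compile_pattern(pattern, ptype).fullmatch(value)
    ]


def submission_hits(username, password, patterns=CUSTOM_PATTERNS):
    """Summarise which fields of a submitted form matched a custom pattern."""
    return {
        "username": matching_patterns(username, "username", patterns),
        "password": matching_patterns(password, "password", patterns),
    }


def is_suspicious(username, password, patterns=CUSTOM_PATTERNS):
    """True when either field matches, i.e. when the antiphish action would apply."""
    hits = submission_hits(username, password, patterns)
    return bool(hits["username"] or hits["password"])


if __name__ == "__main__":
    for user, pw in [("alice", "hunter2"), ("qwer", "hunter2"), ("3Dat", "2foo3")]:
        print(user, pw, submission_hits(user, pw), is_suspicious(user, pw))
```

The contrast to notice is the fourth entry: as a regex, [0-5]foo[1-4] matches values such as 2foo3, whereas the same text entered as a literal would match only the string [0-5]foo[1-4] itself. When a pattern contains regex metacharacters, set the type deliberately rather than relying on the default.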

Using image-analyzer to categorize images with unknown FortiGuard categories

The image-analyzer (IA) engine can be used to categorize images for which the FortiGuard web filter returned an unknown category. The results of an IA scan are cached for twelve hours.

When a URL filter request is received and the request's URL is in the cache, the cached result is returned. When an image response is received that has an unknown category and IA categorization is enabled, the image is sent to the IA engine for categorization. The IA engine results are added to the shared-memory IA cache.

To enable image-analyzer categorization:
config webfilter profile
    edit <name>
        set ia-categorization enable
    next
end
