FortiGuard filter

To use this service, you must have a valid subscription on your FortiGate.

FortiGuard filter enhances the Web Filter features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories that users can allow or block.

FortiGuard Web Filter services include over 45 million individual website ratings that apply to more than two billion pages. When FortiGuard filter is enabled in a Web Filter profile and that profile is applied to firewall policies, each request for a web page in traffic controlled by one of those policies has its URL sent to the nearest FortiGuard server, which returns the URL's category or rating. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

FortiGuard Web Filter action

You can select one of the following FortiGuard Web Filter actions:

FortiGuard Web Filter Action | Description
Allow                        | Permit access to the sites in the category.
Block                        | Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked.
Monitor                      | Permit and log access to sites in the category. You can enable user quotas when you enable this action.
Warning                      | Display a message to the user, allowing them to continue if they choose.
Authenticate                 | Require the user to authenticate with the FortiGate before allowing access to the category or category group.

FortiGuard Web Filter categories

FortiGuard has many Web Filter categories including two local categories and a special remote category. For more information on the different categories, see the table below.

FortiGuard Web Filter category | Where to find more information
All URL categories             | https://fortiguard.com/webfilter/categories
Remote category                | External resources for web filter.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, only the local category's action applies to it; any external or FortiGuard built-in rating for the same URL is ignored.

Sample configuration of blocking a web category

This example shows blocking a website based on its category (rating), for example, information technology.

To block a category in the GUI:
  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.

  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Block.

To block a category in the CLI:
config webfilter profile
   edit "webfilter"
      config ftgd-wf
         unset options
         config filters
            edit 1
               set category 52    <-- the pre-set id of the "information technology" category
               set action block   <-- set action to block
            next
         end
      end
   next
end
To validate that you have blocked a category:
  1. Go to a website belonging to the blocked category, for example, www.fortinet.com, and you see a blocked page and the category that is blocked.

To view the log of a blocked website in the GUI:
  1. Go to Log & Report > Web Filter.

To view the log of a blocked website in the CLI:
FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" srcintfrole="wan" dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=386 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology"
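The log line above is the FortiGate's key=value log format, with quoted values that may contain spaces. The following Python is an added example, not code from the Fortinet documentation: it parses such lines, keeps only the Web Filter events whose action was "blocked", counts them per FortiGuard category, and confirms that a given category was blocked by a given policy, which is a scriptable version of the validation step described above. The first sample line is the one shown above; the second is a constructed allowed request in the same format (its hostname, category id and sizes are made up), and the helper names parse_fortigate_log, blocked_counts_by_category and confirm_block are this example's own.

```python
import re
from collections import Counter

# Constructed sample input. The first line is the blocked event shown above; the
# second is a constructed passthrough event in the same format, so the filter has
# something to ignore. Neither line comes from a live device.
SAMPLE_LOGS = [
    'date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 '
    'policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" '
    'srcintfrole="wan" dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" '
    'proto=6 service="HTTP" hostname="www.fortinet.com" profile="webfilter" '
    'action="blocked" reqtype="direct" url="/" sentbyte=386 rcvdbyte=0 '
    'direction="outgoing" msg="URL belongs to a denied category in policy" '
    'method="domain" cat=52 catdesc="Information Technology"',
    # Constructed allowed request: hostname, category id and description are placeholders.
    'date=2019-04-22 time=13:47:02 type="utm" subtype="webfilter" level="notice" '
    'vd="vdom1" policyid=1 sessionid=659301 srcip=10.1.200.15 srcport=49240 '
    'dstip=198.51.100.10 dstport=443 proto=6 service="HTTPS" '
    'hostname="allowed.example.net" profile="webfilter" action="passthrough" url="/" '
    'msg="URL belongs to an allowed category in policy" method="domain" '
    'cat=99 catdesc="Constructed Allowed Category"',
]

# key=value pairs; a value is either "quoted text" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Split one FortiOS log line into a dict of field name -> string value."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def blocked_category_events(lines):
    """Yield parsed Web Filter events whose action was 'blocked'."""
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") == "webfilter" and ev.get("action") == "blocked":
            yield ev


def blocked_counts_by_category(lines) -> Counter:
    """Count blocked events per (category id, category description)."""
    counts = Counter()
    for ev in blocked_category_events(lines):
        counts[(int(ev["cat"]), ev.get("catdesc", ""))] += 1
    return counts


def confirm_block(lines, category: int, policyid: int) -> list:
    """Return the sorted hostnames that the given policy blocked under the given
    category id. An empty list means the block was not observed in these logs."""
    return sorted({
        ev["hostname"]
        for ev in blocked_category_events(lines)
        if int(ev["cat"]) == category and int(ev.get("policyid", -1)) == policyid
    })


if __name__ == "__main__":
    for (cat, desc), n in blocked_counts_by_category(SAMPLE_LOGS).items():
        print(f"cat {cat} ({desc}): {n} blocked")
    print("hosts blocked under category 52 by policy 1:",
          confirm_block(SAMPLE_LOGS, 52, 1))
```

Run it against the output of `execute log display` (or a forwarded syslog file) after the policy has been in place for a while; an empty result from confirm_block for a category you configured as Block is the signal that either no user has hit that category yet or the profile is not applied to the policy you expected.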

Sample configuration of issuing a warning

This example shows issuing a warning when a user visits a website based on its category (rating), for example, information technology.

To configure a warning in the GUI:
  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.

  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Warning.

  4. Set the Warning Interval, which is the interval after which the warning page appears again once the user has chosen to continue.

To configure a warning in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action warning  <-- set action to warning
                next
            end
        end
    next
end
To validate that you have configured the warning:
  1. Go to a website belonging to the selected category, for example, www.fortinet.com, and you see a warning page where you can choose to Proceed or Go Back.

Sample configuration of authenticating a web category

This example shows authenticating a website based on its category (rating), for example, information technology.

To authenticate a category in the GUI:
  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.

  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Authenticate.

  4. Set the Warning Interval, which is the interval after which the authentication page appears again following a successful authentication.
  5. Click the + icon beside Selected User Group and select a user group. You must have a valid user group to use this feature.

To authenticate a category in the CLI:
config webfilter profile
   edit "webfilter"
     config ftgd-wf
        unset options
        config filters
          edit 1
            set category 52
            set action authenticate         <-- set action to authenticate
            set auth-usr-grp "local_group"  <-- user group whose members may authenticate
          next
        end
     end
   next
end
To validate that you have configured authentication:
  1. Go to a website belonging to the selected category, for example, www.fortinet.com. First, you see a warning page where you can choose to Proceed or Go Back.

  2. Click Proceed to check that the authentication page appears.

  3. Enter the username and password of the user group you selected, and click Continue.

    If the credentials are correct, the traffic is allowed through.

Sample customization of the replacement page

When the FortiGuard Web Filter action is Block, Warning, or Authenticate, a Customize option lets you customize the replacement page shown to the user.

To customize the replacement page:
  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Right-click the item and select Customize.

  3. A pane appears for you to customize the page.
