FortiGuard filter
The FortiGuard filter enhances the web filter features by sorting billions of web pages into a wide range of categories that users can allow or block.
The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply to more than two billion pages. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.
To use this service, you must have a valid FortiGuard license.
The following actions are available:
FortiGuard web filter action |
Description |
---|---|
Allow |
Permit access to the sites in the category. |
Monitor |
Permit and log access to sites in the category. User quotas can be enabled for this option (see Usage quota). |
Block |
Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked. |
Warning |
Display a message to the user allowing them to continue if they choose. |
Authenticate |
Require the user to authenticate with the FortiGate before allowing access to the category or category group. |
Disable |
Remove the category from the from the web filter profile. This option is only available for local or remote categories from the right-click menu. |
FortiGuard web filter categories
FortiGuard has many web filter categories, including two local categories and a special remote category. Refer to the following table for more information:
FortiGuard web filter category |
Where to find more information |
---|---|
All URL categories |
|
Local categories |
See Web rating override. |
Remote category |
See Threat feeds. |
The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of the local category and not the external or FortiGuard built-in category.
Blocking a web category
The following example shows how to block a website based on its category. The Information Technology category (category 52) will be blocked.
To block a category in the GUI:
-
Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
-
In the FortiGuard category based filter section, select Information Technology, then click Block.
-
Configure the remaining settings as needed.
-
Click OK.
To block a category in the CLI:
config webfilter profile edit "webfilter" config ftgd-wf unset options config filters edit 1 set category 52 set action block next end end next end
To verify that the category is blocked:
-
Go to a website that belongs to the blocked category, such as www.fortinet.com.
The page should be blocked and display a replacement message.
To view the log of a blocked website in the GUI:
-
Go to Log & Report > Security Events.
-
Click the Web Filter card name.
-
Select an entry with blocked in the Action column and click Details.
To view the log of a blocked website in the CLI:
# execute log filter category utm-webfilter # execute log display 4: date=2023-08-08 time=16:11:46 eventtime=1691536306310528927 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="4a4b9d00-e471-51ed-71ec-c1a3bc8f773c" policytype="policy" sessionid=1048 srcip=1.1.1.2 srcport=43218 srccountry="Australia" srcintf="internal7" srcintfrole="lan" srcuuid="45eec070-e471-51ed-4b1c-930f37c5d882" dstip=44.240.173.227 dstport=443 dstcountry="United States" dstintf="wan1" dstintfrole="wan" dstuuid="45eec070-e471-51ed-4b1c-930f37c5d882" proto=6 service="HTTPS" hostname="www.fortinet.com" profile="default" action="blocked" reqtype="direct" url="https://www.fortinet.com/" sentbyte=684 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology"
Allowing users to override blocked categories
There is an option to allow users with valid credentials to override blocked categories.
To allow users to override blocked categories in the GUI:
-
Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
-
Enable Allow users to override blocked categories.
-
Enter information in the following fields:
-
Groups that can override
-
Profile name
-
Switch applies to
-
Switch Duration
-
-
Configure the other settings as needed.
-
Click OK.
To allow users to override blocked categories in the CLI:
config webfilter profile edit "webfilter" set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override config override set ovrd-user-group "radius_group" set profile "webfilter" end config ftgd-wf unset options end next end
Issuing a warning on a web category
The following example shows how to issue a warning when a user visits a website in a specific category (Information Technology, category 52).
To configure a warning for a category in the GUI:
-
Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
-
In the FortiGuard category based filter section, select Information Technology, then click Warning.
-
Set the Warning Interval, then click OK.
The warning interval is the amount of time until the warning appears again after the user proceeds past it.
-
Configure the remaining settings as needed.
-
Click OK.
To configure a warning for a category in the CLI:
config webfilter profile edit "webfilter" config ftgd-wf unset options config filters edit 1 set category 52 set action warning next end end next end
To verify that the warning works:
-
Go to a website that belongs to the category, such as www.fortinet.com.
-
On the warning page, click Proceed or Go Back.
Authenticating a web category
The following example shows how to authenticate a website based on its category (Information Technology, category 52).
To authenticate a category in the GUI:
-
Go to Security Profiles > Web Filter and edit or create a new web filter profile.
-
In the FortiGuard category based filter section, select Information Technology, then click Authenticate.
-
Set the Warning Interval and select one or more user groups, then click OK.
-
Configure the remaining settings as needed.
-
Click OK.
To authenticate a category in the CLI:
config webfilter profile edit "webfilter" config ftgd-wf unset options config filters edit 1 set category 52 set action authenticate set auth-usr-grp "local_group" next end end next end
To verify that you have configured authentication:
-
Go to a website that belongs to the category, such as www.fortinet.com.
-
On the warning page, click Proceed.
-
Enter the username and password for the configured user group, then click Continue.
Customizing the replacement message page
When the category action is Block, Warning, or Authenticate, you can customize the replacement message page that a user sees.
To customize the replacement message page:
-
Go to Security Profiles > Web Filter and edit or create a new web filter profile.
-
In the FortiGuard category based filter section, right-click on a category and select Customize.
-
Select a Replacement Message Group. See Replacement message groups for details.
-
Optionally, click Edit FortiGuard Block Page or Edit FortiGuard Warning Page to make modifications.
-
Click Save.
-
Configure the remaining settings as needed.
-
Click OK.