
1|Page|Mani Pahlavanzadeh

Mastering
Web Filtering Configuration
in FortiGate

Mani Pahlavanzadeh
mani.pahlavan@gmail.com
ManiPahlavanzadeh

After completing this document, you will be able to achieve these objectives about Web Filtering as a Security Option in FortiGate:
• Why using Web Filtering?
• When does Web Filtering Activate?
• Web Filtering Inspection Modes
• SSL Certificate Inspection
▪ Configure SSL Certificate Inspection
• Configuring Web Filter Profile
• Configure Web Filter Profile – Flow Based
• Configure Web Filter Profile – Proxy Based
• FortiGuard Category Filters
▪ Web Filter FortiGuard Category Action (Block)
▪ Web Filter FortiGuard Category Action (Monitor)
▪ Web Filter FortiGuard Category Action (Warning)
▪ Web Filter FortiGuard Category Action (Authenticate)
▪ Customizing the replacement message page
• Web profile override
▪ Administrative override
▪ Allow users to override blocked categories
• Search Engines
▪ Safe search
▪ Restrict YouTube and Vimeo access
▪ Log all search keywords
• Static URL Filter
▪ Block invalid URLs
▪ URL Filter
▪ Block malicious URLs discovered by FortiSandbox
▪ Web content filter
• Rating Options
▪ Allow websites when a rating error occurs
▪ Rate URLs by domain and IP address
• Proxy Options
▪ Restrict Google account usage to specific domains
▪ HTTP POST action
▪ Remove Java applets, ActiveX, and cookies

• HTTP Inspection Order


• Troubleshooting the FortiGuard Connection
▪ Web Filter cache
• Troubleshooting Web Filtering Issues
• Web Filter Log

• LAB-1: Configuring FortiGuard Web Filtering

• LAB-2: Configuring Static URL Filtering



Why do organizations, and people in general, use web filtering?

Web filtering helps to control, or track, the websites that people visit.

There are many reasons why network administrators would apply web filtering:
• To limit access to distracting web sites, such as social networking sites, to keep their employees
focused on work and maintain productivity.
• To prevent network congestion by making sure users do not use valuable bandwidth for non-
business purposes, such as streaming a video.
• To decrease exposure to web-based threats by limiting access to potentially harmful websites.
• To limit liability, if employees attempt to download inappropriate or offensive material.
• To prevent users from viewing inappropriate material.

Web filtering restricts or controls user access to web resources and can be applied to firewall
policies using either policy-based or profile-based NGFW mode.
In FortiOS, there are three main components of web filtering:
• Web content filter: blocks web pages containing words or patterns that you specify.
• URL filter: uses URLs and URL patterns to block or exempt web pages from specific
sources, or block malicious URLs discovered by FortiSandbox.
• FortiGuard Web Filtering service: provides many additional categories you can use to
filter web traffic.
These components interact with each other to provide maximum control over what users on your
network can view and protect your network from many internet content threats.
Web filters are applied in the following order:
1. URL filter
2. FortiGuard Web Filtering
3. Web content filter
4. Web script filter
5. Antivirus scanning

Some features of this functionality require a subscription to FortiGuard Web Filtering.

As shown in this HTTP filter process flow example, FortiGate looks for the HTTP GET request to
collect URL information and perform web filtering.
In HTTP, the domain name and URL are separate parts. The domain name might look like the
following in the header: Host: www.acme.com, and the URL might look like the following in
the header: /index.php?login=true.
If you filter by domain, sometimes it blocks too much. For example, the blogs on tumblr.com
are considered different content, because of all the different authors. In that case, you can be
more specific, and block by the URL part, tumblr.com/hacking, for example.
In the default profile-based mode, FortiGate provides two inspection modes (flow-based and
proxy-based) to perform web filtering.
You can configure web filtering in two ways:

• Flow-based inspection mode
• Proxy-based inspection mode

Flow-based inspection mode


Flow-based inspection mode examines the file as it passes through FortiGate. Packets are
analyzed and forwarded as they are received. Original traffic is not altered. Therefore, advanced
features that modify content, such as safe search enforcement, are not supported.

The advantages of flow-based inspection mode are:


• The user sees a faster response time for HTTP requests compared to proxy-based inspection
mode.
• There is less chance of a time-out error caused by the server at the other end responding
slowly.

The disadvantages of flow-based inspection mode are:


• A number of security features that are available in proxy-based inspection mode are not
available in flow-based inspection mode.
• Fewer actions are available based on the categorization of the website by FortiGuard services.

Proxy-based inspection mode


On the other hand, proxy-based scanning refers to transparent proxy. It’s called transparent
because, at the IP layer, FortiGate is not the destination address, but FortiGate does intercept the
traffic. When proxy-based inspection is enabled, FortiGate buffers traffic and examines it as a
whole, before determining an action. Because FortiGate examines the data as a whole, it can
examine more points of data than it does when using flow-based inspection.
The proxy analyzes the headers and may change the headers, such as HTTP host and URL, for web
filtering. If a security profile decides to block the connection, the proxy can send a replacement
message to the client. This adds latency to the overall transmission speed.
For encrypted protocols, FortiGate requires additional inspection. When using SSL certificate
inspection (not SSL deep inspection), FortiGate doesn't decrypt or inspect any encrypted traffic.
Using this method, FortiGate inspects only the initial unencrypted SSL handshake.
• If the SNI (Server Name Indication) field exists, FortiGate uses it to obtain the FQDN to
rate the site.
• If the SNI isn't present, FortiGate retrieves the FQDN from the CN field of the server
certificate.
• In some cases, the CN server name might not match the requested FQDN. For example, the
value of the CN field in the digital certificate of youtube.com is google.com. So, if you
connect to youtube.com from a browser that doesn't support SNI, and FortiGate uses the
SSL certificate inspection method, FortiGate assumes, incorrectly, that you are connecting
to google.com, and uses the google.com category instead of the category for youtube.com.

SSL certificate inspection works correctly with web filtering, because the full payload
does not need to be inspected.

Configure SSL Certificate Inspection

• FortiGate has a read-only preconfigured profile for SSL certificate inspection named
certificate-inspection. If you want to enable SSL certificate inspection, select this profile
when configuring a firewall policy.
• Alternatively, you can create your own profile for SSL certificate inspection by following
these steps:

1. On the FortiGate GUI, click Security Profiles, and then click SSL/SSH Inspection.
2. Click Create New to create a new SSL/SSH inspection profile.
3. Select Multiple Clients Connecting to Multiple Servers, and then click SSL Certificate
Inspection.

4. Select the action for Server certificate SNI check.


➢ When the Server certificate SNI check configuration is Enable, FortiGate uses the
domain in the CN field instead of the domain in the SNI field if the domain in the
SNI field does not match any of the domains listed in the CN and SAN fields.
➢ With Strict, FortiGate closes the client connection if there is a mismatch.
➢ When SNI check is Disable, FortiGate always rates URLs based on the FQDN.
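The following added example (not part of this document or of FortiOS) models what certificate inspection sees: it parses the SNI out of a constructed TLS ClientHello, and applies the three Server certificate SNI check settings described above to decide which FQDN is sent for rating (SNI, certificate CN, or none when Strict closes the connection). The ClientHello bytes, certificate CN and SAN values are constructed for the walk-through.

```python
import struct

# Constructed minimal TLS 1.2 ClientHello (one cipher suite) for offline testing.
# This is not a captured packet; it only exercises the parser below.
def build_client_hello(sni=None):
    body = b"\x03\x03" + b"\x00" * 32      # client_version + client_random
    body += b"\x00"                         # session_id length 0
    body += b"\x00\x02\x00\x2f"             # one cipher suite
    body += b"\x01\x00"                     # one compression method (null)
    ext = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0 = server_name
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:           # not a handshake record
        return None
    hs = record[5:]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                                  # server_name extension
            p = pos + 2                                 # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype = body[p]
                nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                          # host_name entry
                    return body[p:p + nlen].decode("ascii")
                p += nlen
        pos += elen
    return None


def _name_matches(name, pattern):
    """Exact match, or a single-label wildcard such as *.google.com."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return name == pattern


def fqdn_for_rating(sni, cert_cn, cert_sans, sni_check):
    """Which FQDN is used for category rating.

    sni_check is the 'Server certificate SNI check' value: 'disable', 'enable' or 'strict'.
    Returns None when the connection would be closed (Strict with a mismatch).
    """
    if sni is None:
        return cert_cn                 # no SNI: fall back to the certificate CN
    if sni_check == "disable":
        return sni                     # always rate on the requested FQDN
    if any(_name_matches(sni, p) for p in [cert_cn] + list(cert_sans)):
        return sni                     # SNI is covered by the CN or a SAN entry
    if sni_check == "strict":
        return None                    # mismatch: close the client connection
    return cert_cn                     # 'enable': rate on the CN instead of the SNI
```

The youtube.com/google.com case from the text is the interesting one: with a browser that sends SNI and the check set to Enable, a certificate whose CN and SANs do not cover the SNI leads to rating on the CN.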

FortiOS includes three preloaded web filter profiles:


• default
• monitor-all (monitors and logs all URLs visited, flow-based)
• wifi-default (default configuration for offloading WiFi traffic)
You can customize these profiles, or you can create your own to manage network user access.

The feature set setting (proxy or flow) in the web filter profile must match the
inspection mode setting (proxy or flow) in the associated firewall policy. For example,
a flow-based web filter profile must be used with a flow-based firewall policy.
An SSL inspection profile (such as the certificate-inspection profile) and a web filter
profile must both be selected in the associated firewall policy.

Some web filter profile options can only be configured in the CLI.

Flow Based

Flow-based inspection has fewer available options than Proxy-based inspection mode.
After you configure your web filter profile, you can apply this profile to the firewall policy
configured to use flow-based inspection mode, so the filtering is applied to your web traffic.

Proxy Based

In the example shown on this slide, the security profile is configured to use a proxy-based feature
set. It provides features specific to proxy-based configuration.
After you configure your web filter profile, you can apply this profile to the firewall policy
configured to use proxy-based inspection mode, so the filtering is applied to your web traffic.

To configure a web filter profile:


1. Go to Security Profiles > Web Filter and click Create New.
2. Configure the following settings:

Name: Enter a unique name for the profile.

Comments: (Optional) Enter a comment.

Feature set: Select the feature set for the profile. The feature set mode must match the
inspection mode used in the associated firewall policy.
• Flow-based
• Proxy-based
Additional options are available in proxy-based mode and are identified in the GUI with a P icon.
If the Feature set option is not visible, enter the following in the CLI:
config system settings
set gui-proxy-inspection enable
end

FortiGuard Category Based Filter: Enable to use the category-based filters from FortiGuard. A
default action is assigned to each category, and you can change the action.

Category Usage Quota: This option is available in proxy-based mode and can be applied to
categories set to Monitor, Warning, and Authenticate.

Allow users to override blocked categories: Enable to allow certain users or user groups to
override websites blocked by web filtering profiles for a specified length of time.

Groups that can override: Select one or more user groups that can override blocked websites. The
user group must be specified as the Source in the firewall policies using this profile.

Profile Name: Select which web filter profiles can be overridden.

Switch applies to: Specify whether the override applies to a User, User Group, or IP address.
Alternatively, select Ask to prompt the user to log in to access the web page.

Switch duration: Select Predefined to specify how many days, hours, and minutes to allow the
override. Select Ask to prompt the user to specify how long to allow the override.

Search Engines

Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex: Enable to prevent explicit websites and
images from appearing in search results.

Restrict YouTube Access: Enable to filter out potentially mature videos.

Log all search keywords: This option is available in proxy-based mode. Enable to log all search
phrases.

Static URL Filter

Block invalid URLs: Enable to block websites when their SSL certificate CN field lacks a valid
domain name.

URL Filter: Enable to specify URL patterns and an action for FortiGate to take when matching URL
patterns are found in traffic.

Block malicious URLs discovered by FortiSandbox: Enable to block malicious URLs found by
FortiSandbox. Requires FortiGate to be connected to a registered FortiSandbox.

Content Filter: Enable to specify words or patterns to be used to identify and control access to
web pages.

Rating Options

Allow websites when a rating error occurs: Enable to allow access to websites that return a rating
error from the FortiGuard Web Filter service.

Rate URLs by domain and IP address: Enable for FortiGate to always send both the URL domain name
and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for rating.

Proxy Options

Restrict Google account usage to specific domains: This option is available in proxy-based mode.
Enable to block access to certain Google accounts and services.

HTTP POST Action: Enable to specify how to handle HTTP POST traffic.

Remove Java Applets: This option is available in proxy-based mode. Enable to remove Java applets
from web traffic.

Remove ActiveX: This option is available in proxy-based mode. Enable to remove ActiveX from web
traffic.

Remove Cookies: Enable to remove cookies from web traffic.

3. Click OK.

I want to explain these options in detail.



For web filtering, FortiGate can use FortiGuard category filters to control web access. FortiGuard
categories are derived from the FortiGuard web filtering service.

The service includes the FortiGuard URL Categories Database, which sorts billions of web pages
into a wide range of rating categories.

https://www.fortiguard.com/webfilter/categories
Each category contains websites or web pages that have been assigned based on their dominant
web content. These categories can, in turn, be blocked or allowed according to their content. The
database categorizes web content based on its viewing suitability for three major groups of
consumers: enterprises, schools, and home and families.
For example, Twitter is categorized in the General Interest - Personal category, while Dropbox is
categorized in the Bandwidth Consuming category.
Note that categories can be further divided into subcategories. The General Interest - Personal
category includes subcategories such as Social Networking and News and Media, while the
Bandwidth Consuming category includes subcategories such as File Sharing and Storage,
Internet Telephony, and Streaming Media and Download.

Website categories are determined by both automated and human methods. The FortiGuard
team has automatic web crawlers that look at various aspects of the website in order to come up
with a rating. There are also people who examine websites and look into rating requests to
determine categories.

To review the complete list of categories and subcategories, visit:


www.fortiguard.com/webfilter/categories

To search for the category for a specific URL, visit:


www.fortiguard.com/webfilter

The www.fortiguard.com website includes a Web Filtering service. This service is designed to
assist you to identify the category and rating of a URL.
Using the information that the FortiGuard Web Filtering service provides you can gain insights
into the content and reputation of URLs.
This service is useful to analyze whether the category-based filter in the web filter profile is
allowing or blocking a specific URL as expected.
In the web filter profile, FortiGuard category filtering enhances the web filter features. Rather
than block or allow websites individually, it looks at the category that a website has been rated
with. Then, FortiGate takes action based on that category, not based on the URL.
The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply
to more than two billion pages.
When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a
request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent
to the nearest FortiGuard server. The URL category or rating is returned.
• If the category is blocked, the FortiGate shows a replacement message in place of the
requested page.
• If the category is not blocked, the page request is sent to the requested URL as normal.
FortiGuard category filtering is a live service that requires an active contract. The contract
validates connections to the FortiGuard network. If the contract expires, there is a two-day grace
period during which you can renew the contract before the service ends. If you do not renew,
after the two-day grace period, FortiGate reports a rating error for every rating request made. In
addition, by default, FortiGate blocks web pages that return a rating error. You can change this
behavior by enabling the Allow websites when a rating error occurs setting.

Security Profiles > Web Filter > Rating Options > Allow websites when a rating error occurs
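To make the filter order (static URL filter first, then FortiGuard category, then web content filter) and the rating-error behavior concrete, here is an added model of the decision path, written for this document and not taken from FortiOS. The category table, URL filter entries, profile settings and response bodies are all constructed; the exempt action is modelled as bypassing the remaining filters.

```python
# Constructed category ratings for the walk-through; these are not FortiGuard data.
CATEGORY_DB = {
    "twitter.com": "General Interest - Personal",
    "tumblr.com": "General Interest - Personal",
    "dropbox.com": "Bandwidth Consuming",
    "www.fortinet.com": "Information Technology",
}

# A profile modelled on the web filter profile settings described in this document.
PROFILE = {
    # Static URL filter entries (checked first): (pattern, action).
    # 'block' stops the request; 'exempt' bypasses the remaining filters.
    "url_filter": [
        ("tumblr.com/hacking", "block"),
        ("www.fortinet.com", "exempt"),
    ],
    # FortiGuard category actions: allow, monitor, block, warning, authenticate.
    "category_actions": {
        "General Interest - Personal": "monitor",
        "Bandwidth Consuming": "block",
        "Information Technology": "block",
    },
    # "Allow websites when a rating error occurs" (blocked by default).
    "allow_on_rating_error": False,
    # Web content filter: words that block a page when found in the response.
    "content_words": ["casino"],
}


def match_url_filter(host, path, entries):
    """Match on the host, a subdomain of it, or a host+path prefix; longest pattern wins."""
    url = host + path
    for pattern, action in sorted(entries, key=lambda e: -len(e[0])):
        if host == pattern or host.endswith("." + pattern) or url.startswith(pattern):
            return action
    return None


def rate_host(host, rating_ok=True):
    """Rate by domain, walking up to the parent domain; None models a rating error."""
    if not rating_ok:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never rate on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "Unrated"


def web_filter_decision(host, path, profile, rating_ok=True, body=""):
    """Return (action, reason) following the order: URL filter, FortiGuard, content filter."""
    # 1. Static URL filter
    url_action = match_url_filter(host, path, profile["url_filter"])
    if url_action == "block":
        return ("block", "url-filter")
    if url_action == "exempt":
        return ("allow", "url-filter-exempt")
    # 2. FortiGuard category rating
    category = rate_host(host, rating_ok)
    if category is None:
        if not profile["allow_on_rating_error"]:
            return ("block", "rating-error")
        action = "allow"
    else:
        action = profile["category_actions"].get(category, "allow")
        if action in ("block", "warning", "authenticate"):
            return (action, "category:" + category)
    # 3. Web content filter (only reached for allow/monitor)
    lowered = body.lower()
    for word in profile["content_words"]:
        if word in lowered:
            return ("block", "content-filter:" + word)
    reason = "category:" + category if category else "rating-error-allowed"
    return (action, reason)
```

Note how the URL filter can block one path on tumblr.com while other paths on the same domain fall through to the category decision, which is the distinction the HTTP filter process section makes between the Host and URL parts.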

You can configure FortiManager to act as a local FortiGuard server. To do this, you must
download the databases to FortiManager, and configure FortiGate to validate the categories
against FortiManager, instead of FortiGuard.
You can enable the FortiGuard category filtering on the web filter profile. Categories are listed,
and you can customize the actions to perform individually. In the default profile-based mode, the
actions available are Allow, Monitor, Block, Warning, and Authenticate.

The following actions are available:

Allow: Permit access to the sites in the category.

Monitor: Permit and log access to sites in the category. User quotas can be enabled for this
option.

Block: Prevent access to the sites in the category. Users trying to access a blocked site see a
replacement message indicating the site is blocked.

Warning: Display a message to the user allowing them to continue if they choose.

Authenticate: Require the user to authenticate with the FortiGate before allowing access to the
category or category group.

Disable: Remove the category from the web filter profile. This option is only available for local
or remote categories from the right-click menu.

Web Filter FortiGuard Category Action (Block)
To block a category in the GUI:
1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the FortiGuard Category Based Filter section, select Information Technology, then
click Block.

3. Configure the remaining settings as needed.


4. Click OK.

To verify that the category is blocked:


1. Go to a website that belongs to the blocked category, such as www.fortinet.com.
The page should be blocked and display a replacement message.

To view the log of a blocked website in the GUI:


1. Go to Log & Report > Security Events.
2. Click the Web Filter card name.
3. Select an entry with Blocked in the Action column and click Details.
Web Filter FortiGuard Category Action (Monitor)

Besides the Allow and Block actions, which respectively permit and block access to the sites, the
Monitor action allows access to the sites in the category and logs it at the same time.
In proxy-based mode, you can also configure a usage quota.

Category Usage Quota



In Proxy-Based mode, you can also configure a usage quota.


Quotas allow daily access for a specific length of time or a specific amount of bandwidth, and are
calculated separately for each user. You can set a daily quota by category, category group, or
classification. At midnight, quotas reset. Once the daily quota is reached for a category, FortiGate
blocks the traffic and displays a replacement message page.
Quotas can be set for the Monitor, Warning, or Authenticate actions.
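As an added illustration of the quota accounting just described (this is example code written for this document, not FortiOS), the class below keeps a per-user daily time quota per category, resets at midnight, and returns "block" once the category's quota is used up. Timestamps are ISO strings and the 5-minute Education quota mirrors the lab example that follows; both are constructed inputs.

```python
from collections import defaultdict
from datetime import datetime


class DailyCategoryQuota:
    """Per-user daily time quota per category: counted separately for each user,
    reset at midnight, blocked (replacement page) once exhausted."""

    def __init__(self, limits_seconds):
        self.limits = dict(limits_seconds)      # category -> allowed seconds per day
        self.used = defaultdict(int)            # (user, category) -> seconds used today
        self.day = None                         # calendar day the counters belong to

    def _roll_day(self, now):
        # Quotas reset at midnight: drop every counter when the calendar day changes.
        if self.day != now.date():
            self.used.clear()
            self.day = now.date()

    def remaining(self, user, category, now_iso):
        """Seconds left today for this user and category; None if the category has no quota."""
        now = datetime.fromisoformat(now_iso)
        self._roll_day(now)
        limit = self.limits.get(category)
        if limit is None:
            return None
        return max(0, limit - self.used[(user, category)])

    def check(self, user, category, now_iso):
        """'allow' while quota remains (or no quota applies), 'block' once it is used up."""
        left = self.remaining(user, category, now_iso)
        return "allow" if left is None or left > 0 else "block"

    def consume(self, user, category, seconds, now_iso):
        """Account browsing time for a request; returns the decision for the next request."""
        now = datetime.fromisoformat(now_iso)
        self._roll_day(now)
        if category in self.limits:
            self.used[(user, category)] += seconds
        return self.check(user, category, now_iso)
```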

Configuring a quota
The following example shows how to set a time quota for the education category (category 30).

To configure a quota in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. For Feature set, select Proxy-based.
3. In the FortiGuard Category Based filter section, scroll to the General Interest -
Personal and click the + to expand the section.
4. Select Education, then click Monitor.

5. In the Category Usage Quota section, click Create New.


The New/Edit Quota pane opens.

6. In the Category field, select Education.


7. For the Quota Type, select Time and set the Total quota to 5 minutes.

8. Click OK. The entry appears in the table.

9. Configure the other settings as needed.


10. Click OK.

To verify the quota usage:


1. Go to a website that belongs to the Education category, such as
https://www.harvard.edu/. At this point, you can still view websites in that
category.
2. In FortiOS, go to Dashboard > FortiGuard Quota Monitor to check the used and
remaining time.

3. When the quota reaches its limit, traffic is blocked and the replacement page displays.
Web Filter FortiGuard Category Action (Warning)
The Warning action informs users that the requested website is not allowed by the internet
policies. However, the action gives the user the option to proceed to the requested website, or
return to the previous website.
You can customize the warning interval. When the timer expires, FortiGate displays the warning
message again if you access other websites in the same category.

You can customize the warning replacement message. By default, it provides information of the
URL and its corresponding category. With this information, the user can click Proceed to override
the internet usage policy.

Issuing a warning on a web category


The following example shows how to issue a warning when a user visits a website in a specific
category (Information Technology, category 52).

To configure a warning for a category in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the FortiGuard Category Based Filter section, select Information Technology, then
click Warning.
3. Set the Warning Interval, then click OK.
The warning interval is the amount of time until the warning appears again after the
user proceeds past it.

4. Configure the remaining settings as needed.


5. Click OK.

To verify that the warning works:


1. Go to a website that belongs to the category, such as www.fortinet.com.
2. On the warning page, click Proceed or Go Back.
Web Filter FortiGuard Category Action (Authenticate)
The Authenticate action blocks the requested websites, unless the user enters a successful
username and password. FortiGate supports local and remote authentication using LDAP,
RADIUS, and so on for web filtering authentication. Choosing this action prompts you to define
user groups that are allowed to override the block.
You can also customize the interval of time to allow access. Users are not prompted to
authenticate again if they access other websites in the same category until the timer expires.

Authenticating a web category


The following example shows how to authenticate a website based on its category (Information
Technology, category 52).

To authenticate a category in the GUI:


1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.
2. In the FortiGuard Category Based Filter section, select Information Technology, then
click Authenticate.
3. Set the Warning Interval and select one or more user groups, then click OK.

4. Configure the remaining settings as needed.


5. Click OK.

To verify that you have configured authentication:


1. Go to a website that belongs to the category, such as www.fortinet.com.
2. On the warning page, click Proceed.

3. Enter the username and password for the configured user group, then click Continue.

Customizing the replacement message page


When the category action is Block, Warning, or Authenticate, you can customize the replacement
message page that a user sees.

To customize the replacement message page:


1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.
2. In the FortiGuard Category Based Filter section, right-click on a category and
select Customize.
3. Select a Replacement Message Group.
4. Optionally, click Edit FortiGuard Block Page or Edit FortiGuard Warning Page to make
modifications.
5. Click Save.
6. Configure the remaining settings as needed.
7. Click OK.

Replacement message groups


Replacement message groups allow users to customize replacement messages for individual
policies and profiles.
There are two types of replacement message groups:

utm
Usage: Used with UTM settings in firewall policies. (Unified threat management (UTM) refers to
when multiple security features or services are combined into a single device within your
network. Using UTM, your network's users are protected with several different features, including
antivirus, content filtering, email and web filtering, anti-spam, and more.)
Customizable categories: admin, alertmail, custom-message, fortiguard-wf, ftp, http, icap, mail,
nac-quar, spam, sslvpn, traffic-quota, utm, webproxy

auth
Usage: Used with authentication pages in firewall policies.
Customizable categories: auth, webproxy

The messages added to a group do not need to be customized. The message body content,
header type, and format will use the default values if not customized.

To make replacement message groups visible in the GUI:


config system global
set gui-replacement-message-groups enable
end
In the following example, two replacement message groups are created:
➢ The UTM message group includes custom mail-related messages and is assigned to an
email filter profile.
➢ The authentication message group has a custom authentication success message that is
applied to a proxy-based firewall policy that has an assigned email filter profile.

To create replacement message groups in the GUI:


1. Create the Security replacement message group:
1. Go to System > Replacement Message Groups.
2. Click Create New.
3. For Name, enter newutm.
4. In the Comments field, enter UTM message group.
5. For Group Type, select Security.
6. Click OK.

2. Customize the replacement messages in the newutm group:


1. Go to System > Replacement Message Groups.
2. Edit the newutm group.
3. Select the Partial Email Block Message.

4. Edit the message and click Save.


5. Select the ASE Block Message.
6. Edit the message and click Save.
3. Create the Authentication replacement message group:
1. Go to System > Replacement Message Groups.
2. Click Create New.
3. For Name, enter newauth.
4. In the Comments field, enter Authentication message group.
5. For Group Type, select Authentication.
6. Click OK.

The following profile override methods are available:


• Administrative override
• Allow users to override blocked categories

Administrative override
Administrators can grant temporary access to sites that are otherwise blocked by a web filter
profile. You can grant temporary access to a user, user group, or source IP address. You can set
the time limit by selecting a date and time. The default is 15 minutes.
When the administrative web profile override is enabled, a blocked access page or replacement
message does not appear, and authentication is not required.

Scope range
You can choose one of the following scope ranges:
• User: authentication for permission to override is based on whether or not the user is using
a specific user account.
• User group: authentication for permission to override is based on whether or not the user
account supplied as a credential is a member of the specified user group.
• Source IP: authentication for permission to override is based on the IP address of the
computer that was used to authenticate. This would be used for computers that have
multiple users. For example, if a user logs on to the computer, engages the override by
using their credentials, and then logs off, anyone who logs on with an account on that
computer would be using the alternate override web filter profile.

When you enter an IP address in the administrative override method, only individual IP addresses
are allowed.

Differences between IP and identity-based scope


Using the IP scope does not require using an identity-based policy.
When using the administrative override method and IP scope, you might not see a warning
message when you change from using the original web filter profile to using the alternate profile.
There is no requirement for credentials from the user so, if allowed, the page will just appear in
the browser.

Configuring a web profile administrative override


This example describes how to override the webfilter profile with the webfilter_new profile.

To configure web profile administrative override using the GUI:


1. Go to Security Profiles > Web Profile Overrides and click Create New.
2. Configure the administrative override:
1. For Scope Range, click Source IP.
2. In the Source IP field, enter the IP address for the client computer (10.1.100.11 in
this example).
3. In the Original profile dropdown, select webfilter.
4. In the New profile dropdown, select webfilter_new.
In the Expires field, the default 15 minutes appears, which is the desired duration for this
example.

3. Click OK.

Allow users to override blocked categories


For both override methods, the scope ranges (for specified users, user groups, or IP addresses)
allow sites blocked by web filtering profiles to be overridden for a specified length of time.
But there is a difference between the override methods when the users or user group scope
ranges are selected. In both cases, you would need to apply the user or user group as source in
the firewall policy. With administrative override, if you do not apply the source in the firewall
policy, the traffic will not match the override and will be blocked by the original profile. With
the Allow users to override blocked categories setting, the traffic will also be blocked, but instead
of displaying a blocking page, the following message appears:

When you choose the user group scope, once one user overrides, it will affect the other users in
the group when they attempt to override. For example, user1 and user2 both belong to the
local_user group. Once user1 successfully overrides, this will generate an override entry for the
local_user group instead of one specific user. This means that if user2 logs in from another PC,
they can override transparently.

Other features
Besides the scope, there are some other features in Allow users to override blocked categories.

Apply to user groups


Individual users cannot be selected. You can select one or more of the user groups recognized by
the FortiGate. They can be local to the system or from a third-party authentication device, such as
an AD server through FSSO.

Switch duration
Administrative override sets a specified time frame that is always used for that override. The
available options are:
• Predefined: the value entered is the set duration (length of time in days, hours, or
minutes) that the override will be in effect. If the duration variable is set to 15 minutes,
the length of the override will always be 15 minutes. The option will be visible in the
override message page, but the setting will be grayed out.
• Ask: the user has the option to set the override duration once it is engaged. The user can
set the duration in terms of days, hours, or minutes.

Creating a web profile users override


This example describes how to allow users in the local_group to override the webfilter_new profile.

To allow users to override blocked categories using the GUI:


1. Go to Security Profiles > Web Filter and click Create New.
2. Enter a name for the profile.
3. Enable Allow users to override blocked categories.
4. Configure the web filter profile:
1. Click the Groups that can override field, and select a group (local_group in
this example).
2. Click the Profile Name field, and select the webfilter_new profile.
3. For the Switch applies to field, click IP.
4. For the Switch Duration field, click Predefined. The default 15 minutes
appears, which is the desired duration for this example.
5. Configure the rest of the profile as needed.
5. Click OK.

Using the ask feature


This option is only available when Allow users to override blocked categories is enabled. It configures
the message page so that the user chooses which scope they want to use. Normally, on the
message page, the scope options are grayed out and not editable. In the following example,
the Scope is predefined as IP.

When the ask option is enabled (through the Switch applies to field in the GUI),
the Scope dropdown is editable. Users can choose one of the following:
• User
• User group
• IP

User and User Group are only available when there is a user group in the firewall
policy. You must specify a user group as a source in the firewall policy so the scope
includes User and User Group; otherwise, only the IP option will be available.

This topic gives examples of the following advanced filter features:


• Safe search
• Restrict YouTube and Vimeo access
• Log all search keywords

Safe search
This setting applies to popular search sites and prevents explicit websites and images from
appearing in search results.
Although Safe Search is a useful tool, especially in educational environments, the resourceful user
may be able to simply turn it off. Enabling Safe Search for the supported search sites enforces its
use by rewriting the search URL to include the code to indicate the use of the Safe Search feature.
For example, on a Google search it would mean adding the string “&safe=active” to the URL in the
search.
The safe search feature is not supported in flow inspection mode.
The supported search sites are:
• Google
• Yahoo
• Bing
• Yandex

To enable safe search in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Search Engines section, enable Enforce 'Safe Search' on Google, Yahoo!, Bing,
Yandex.

3. Click OK.

Restrict YouTube and Vimeo access


The Restrict YouTube access setting in the Web filter profile adds the HTTP header:
YouTube-Restrict: Strict or YouTube-Restrict: Moderate into the HTTP
request when enabled. When YouTube reads this header, it applies the appropriate content
restriction based on the selected mode. YouTube Restricted Mode is an optional setting that
filters out potentially mature videos while leaving a large number of videos still available.
Google defines the restricted YouTube access modes as follows:
• Strict Restricted YouTube access: this setting is the most restrictive. Strict Restricted
Mode does not block all videos, but works as a filter to screen out many videos based on
an automated system, while leaving some videos still available for viewing.
• Moderate Restricted YouTube access: this setting is similar to Strict Restricted Mode but
makes a much larger collection of videos available.

To restrict YouTube access in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Search Engines section, enable Enforce 'Safe Search' on Google, Yahoo!, Bing,
Yandex to display the Restrict YouTube Access option.

When safe-search is set to header in the CLI, the Restrict YouTube Access option is
visible in the GUI.
3. Enable Restrict YouTube Access and select either Strict or Moderate.

4. Click OK.

It is recommended to set safe-search to url and header because some search engines,
such as Google, use the URL, and other search engines, such as Bing, use the header.
When you enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex in the
GUI, safe-search is set to url header in the CLI.

To restrict YouTube access in the CLI:


config webfilter profile
    edit <name>
        config web
            set safe-search url header
            set youtube-restrict {none | strict | moderate}
        end
    next
end

To restrict Vimeo access:


config webfilter profile
    edit <name>
        config web
            set safe-search url header
            set vimeo-restrict {7 | 134}
        end
    next
end

vimeo-restrict {7 | 134}: Set the Vimeo restriction:
• 7: do not show mature content
• 134: do not show unrated and mature content

Log all search keywords


Use this setting to log all search phrases.

This filter is only available in proxy-based inspection mode.

To enable logging search keywords in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Search Engines section, enable Log all search keywords.
3. Click OK.

This topic gives examples of the following advanced filter features:


• Block invalid URLs
• URL filter
• Block malicious URLs discovered by FortiSandbox
• Web content filter

Block invalid URLs


Use this setting to block websites when the CN field of their SSL certificate does not contain a valid
domain name.
This option also blocks URLs that contain spaces. If there is a space in the URL, it must be written
as %20 in the URL path.

To block invalid URLs in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Static URL Filter section, enable Block invalid URLs.

3. Click OK.

URL Filter

Static URL filtering is another web filter feature, which provides more granularity. Configured
URLs in the URL filter are checked from top to bottom against the visited websites. If FortiGate
finds a match, it applies the configured action.
Once a URL filter is configured, it can be applied to a firewall policy.

The following filter types are available:

URL filter type   Description

Simple            The FortiGate tries to strictly match the full context. For example, if you
                  enter www.facebook.com in the URL field, it only matches traffic with
                  www.facebook.com. It won't match facebook.com or message.facebook.com.
                  When the FortiGate finds a match, it performs the selected URL action.
                  A simple URL filter entry must be in the format of a standard URL, and it can
                  include sub-domains and paths.
                  Examples include: 'fortinet.com', 'fortinet.com/support', 'support.fortinet.com',
                  'net.com', etc.

Regular           The FortiGate tries to match the pattern based on the rules of regular
expression/       expressions or wildcards. For example, if you enter *fa* in the URL field, it
wildcard          matches all the content that has fa, such as www.facebook.com,
                  message.facebook.com, fast.com, and so on. When the FortiGate finds a match,
                  it performs the selected URL action.

The following actions are available:

URL filter action Description

Exempt The traffic is allowed to bypass the remaining FortiGuard web filters, web
content filters, web script filters, antivirus scanning, and DLP proxy operations.

Block The FortiGate denies or blocks attempts to access any URL that matches the
URL pattern. A replacement message is displayed.

Allow The traffic is passed to the remaining FortiGuard web filters, web content
filters, web script filters, antivirus proxy operations, and DLP proxy operations.
If the URL does not appear in the URL list, the traffic is permitted.

Monitor The traffic is processed the same way as the Allow action. For
the Monitor action, a log message is generated each time a matching traffic
pattern is established.

The exempt URL filter action can be configured to bypass all or certain security profile operations. This
setting can only be configured in the CLI.
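To make the top-to-bottom matching of the three entry types and the effect of the four actions concrete, the following Python matcher is an added example written for this document (it is not FortiOS code) that evaluates URLs against a constructed URL filter list. Two details are assumptions, not documented FortiOS behaviour: a simple entry with a path also covers sub-paths, and a wildcard pattern without a slash is matched against the host name only.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UrlFilterEntry:
    url: str       # text typed in the URL field
    type: str      # "simple", "wildcard" or "regex"
    action: str    # "exempt", "block", "allow" or "monitor"
    enabled: bool = True


def split_url(url: str) -> tuple:
    """Return (host, path) for a URL typed with or without a scheme; host is lower-cased."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")


def _wildcard_regex(pattern: str) -> str:
    """Translate a URL filter wildcard (* = any characters, ? = one character) into a regex."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def entry_matches(entry: UrlFilterEntry, host: str, path: str) -> bool:
    if entry.type == "simple":
        # Strict match: the host must be identical (no implicit sub-domains). If the
        # entry carries a path, the visited path must be that path or sit below it
        # (the sub-path behaviour is an assumption made for this example).
        e_host, e_path = split_url(entry.url)
        if e_host != host:
            return False
        e_path = e_path.rstrip("/")
        return e_path == "" or path.rstrip("/") == e_path or path.startswith(e_path + "/")
    if entry.type == "wildcard":
        # Patterns without a slash are matched against the host only, so *facebook.com
        # covers every path on that host (assumption); otherwise host+path is used.
        target = host if "/" not in entry.url else host + path
        return re.fullmatch(_wildcard_regex(entry.url), target, re.IGNORECASE) is not None
    if entry.type == "regex":
        return re.search(entry.url, host + path, re.IGNORECASE) is not None
    raise ValueError(f"unknown URL filter type: {entry.type}")


def evaluate_url(entries: list, url: str) -> dict:
    """Walk the list top to bottom and apply the first enabled entry that matches."""
    host, path = split_url(url)
    for entry in entries:
        if entry.enabled and entry_matches(entry, host, path):
            return {
                "action": entry.action,
                "matched": entry.url,
                # exempt and block end the inspection here; allow and monitor hand the
                # traffic on to the remaining FortiGuard, content, AV and DLP checks
                "continue_inspection": entry.action in ("allow", "monitor"),
                # block and monitor both produce a urlfilter log entry
                "logged": entry.action in ("block", "monitor"),
            }
    # Not in the list: the traffic is permitted and the later filters still run.
    return {"action": "allow", "matched": None, "continue_inspection": True, "logged": False}


# Constructed URL filter list; the *facebook.com wildcard block is the GUI example above.
EXAMPLE_LIST = [
    UrlFilterEntry("www.fortinet.com", "simple", "exempt"),
    UrlFilterEntry("*facebook.com", "wildcard", "block"),
    UrlFilterEntry("*fa*", "wildcard", "monitor"),
    UrlFilterEntry(r"^(www\.)?bing\.com/", "regex", "allow"),
]

if __name__ == "__main__":
    for u in ("https://www.fortinet.com/support", "message.facebook.com",
              "http://fast.com/speedtest", "https://www.bing.com/search?q=x",
              "https://example.com/"):
        print(u, "->", evaluate_url(EXAMPLE_LIST, u))
```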

To create a URL filter for Facebook in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Static URL Filter section, enable URL Filter.
3. Click Create New. The New URL Filter pane opens.
4. For URL, enter *facebook.com, for Type, select Wildcard, and for Action, select Block.
5. Click OK. The entry appears in the table.

6. Configure the other settings as needed.


7. Click OK.

To apply the web filter profile to a firewall policy in the GUI:


1. Go to Policy & Objects > Firewall Policy.
2. Edit a policy, or create a new one.
3. In the Security Profiles section, enable Web Filter and select the profile that you created.
4. Set SSL Inspection to certificate-inspection.

5. Configure the other settings as needed.


6. Click OK.

Verify the URL filter results by going to a blocked website. For example, when you go to the
Facebook website, the replacement message appears:

To check web filter logs in the GUI:


1. Go to Log & Report > Security Events.
2. Click the Web Filter card name.
3. If there are a lot of log entries, click Add Filter and select Event Type > urlfilter to
display logs generated by the URL filter.

Block malicious URLs discovered by FortiSandbox


This setting blocks malicious URLs that FortiSandbox finds. Your FortiGate must be connected to a
registered FortiSandbox.

To block malicious URLs discovered by FortiSandbox in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Static URL Filter section, enable Block malicious URLs discovered by FortiSandbox.
3. Click OK.

Web content filter


You can control access to web content by blocking webpages containing specific words or
patterns. This helps to prevent access to pages with questionable material. You can specify words,
phrases, patterns, wildcards, and regular expressions to match content on webpages.
You can use multiple web content filter lists and select the best one for each web filter profile.
The maximum number of web content patterns in a list depends on the model of the device. To
find the maximum number of web content patterns allowed for a device, go to the Maximum
Values Table (https://docs.fortinet.com/max-value-table). Select the software version and
models, and click Go. Maximum values are displayed. In the Search box,
enter webfilter.content:entries to find the maximum number.
When configuring a web content filter list, the following patterns are available:

Web content      Description
pattern type

Wildcard         Use this setting to block or exempt one word or text strings of up to 80
                 characters. You can also use wildcard symbols such as ? or * to represent one
                 or more characters. For example, a wildcard expression forti*.com matches
                 fortinet.com and fortiguard.com. The * represents any character appearing any
                 number of times.

Regular          Use this setting to block or exempt patterns of regular expressions that use
expression       some of the same symbols as wildcard expressions, but for different purposes.
                 In regular expressions, * represents any number of occurrences of the character
                 before the symbol. For example, forti*.com matches fortiii.com but not
                 fortinet.com or fortiice.com. In this case, the symbol * represents i appearing
                 any number of times.

The web content filter scans the content of every webpage that is accepted by a firewall policy.
The system administrator can specify banned words and phrases and attach a numerical value (or
score) to the importance of those words and phrases. When the web content filter scan detects
banned content, it adds the scores of banned words and phrases found on that page. If the sum is
higher than a threshold set in the web filter profile, the FortiGate blocks the page.
The default score for web content filter is 10 and the default threshold is 10. This means that by
default, a webpage is blocked by a single match.
Banned words or phrases are evaluated according to the following rules:
• The score for each word or phrase is counted only once, even if that word or phrase
appears many times in the webpage.
• The score for any word in a phrase without quotation marks is counted.
• The score for a phrase in quotation marks is counted only if it appears exactly as written.

The following table is an example of how the rules are applied to the webpage contents. For example,
a webpage contains only this sentence:
The score for each word or phrase is counted only once, even if that word or phrase appears many
times in the webpage.

Banned pattern     Assigned score   Score added to the sum   Threshold   Comment
                                    for the entire page      score

word               20               20                       20          Appears twice but is only counted once.
                                                                         The webpage is blocked.

word phrase        20               40                       20          Each word appears twice but is only counted
                                                                         once, giving a total score of 40. The webpage
                                                                         is blocked.

word sentence      20               20                       20          word appears twice and sentence does not
                                                                         appear, but since any word in a phrase without
                                                                         quotation marks is counted, the score for this
                                                                         pattern is 20. The webpage is blocked.

"word sentence"    20               0                        20          This phrase does not appear exactly as
                                                                         written. The webpage is allowed.

"word or phrase"   20               20                       20          This phrase appears twice but is only counted
                                                                         once. The webpage is blocked.
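To make the three scoring rules and the example table above concrete, here is an added Python scorer written for this document (it is not FortiOS code). It applies the rules to the sample sentence and reproduces each table row; the whole-word boundary handling for wildcard patterns is an assumption.

```python
import re

# Sample page text from the example above (constructed for this illustration).
SAMPLE_PAGE = ("The score for each word or phrase is counted only once, even if that word "
               "or phrase appears many times in the webpage.")


def _wildcard_to_regex(text: str) -> str:
    """Translate a content filter wildcard (* = any characters, ? = one character) into
    a regex; whitespace inside a quoted phrase matches any run of whitespace."""
    out = []
    for ch in text:
        if ch == "*":
            out.append(r"\S*")
        elif ch == "?":
            out.append(r"\S")
        elif ch.isspace():
            out.append(r"\s+")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def _whole(term: str) -> str:
    # Match the term only as a whole word or phrase (assumed boundary handling).
    return r"(?<!\w)" + term + r"(?!\w)"


def pattern_score(page_text: str, pattern: str, pattern_type: str, score: int) -> int:
    """Score one banned pattern against a page, following the rules above."""
    if pattern_type == "regex":
        # A regular expression pattern is counted once if it matches anywhere on the page.
        return score if re.search(pattern, page_text, re.IGNORECASE) else 0
    if pattern_type != "wildcard":
        raise ValueError(f"unknown pattern type: {pattern_type}")
    p = pattern.strip()
    if len(p) >= 2 and p[0] == '"' and p[-1] == '"':
        # Quoted phrase: counted once, and only if it appears exactly as written.
        rx = _whole(_wildcard_to_regex(p[1:-1]))
        return score if re.search(rx, page_text, re.IGNORECASE) else 0
    # Unquoted phrase: every distinct word of it that appears on the page counts once,
    # however many times that word occurs.
    words = dict.fromkeys(p.split())
    hits = sum(1 for w in words
               if re.search(_whole(_wildcard_to_regex(w)), page_text, re.IGNORECASE))
    return score * hits


def evaluate_page(page_text: str, patterns: list, threshold: int = 10) -> tuple:
    """Sum the pattern scores; the page is blocked when the sum reaches the threshold.
    patterns is a list of (pattern, pattern_type, score). With the defaults (score 10,
    threshold 10) a single match blocks the page."""
    total = sum(pattern_score(page_text, pat, kind, sc) for pat, kind, sc in patterns)
    return total, total >= threshold


if __name__ == "__main__":
    # Reproduce the example table row by row with a threshold of 20.
    for pat in ("word", "word phrase", "word sentence", '"word sentence"', '"word or phrase"'):
        total, blocked = evaluate_page(SAMPLE_PAGE, [(pat, "wildcard", 20)], threshold=20)
        print(f"{pat:18} score added {total:3}  {'blocked' if blocked else 'allowed'}")
```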

To configure a web content filter in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Static URL Filter section, enable Content Filter.
3. In the table, click Create New. The New Web Content Filter pane opens.
4. Configure the following settings:

Pattern Type   Regular Expression
Pattern        fortinet
Language       Western
Action         Block
Status         Enable

5. Click OK. The entry appears in the table.

6. Configure the other settings as needed.


7. Click OK.

To verify the content filter:


1. Go to a website with the word fortinet, such as www.fortinet.com.
The website is blocked and a replacement page displays:

This topic gives examples of the following advanced filter features:


• Allow websites when a rating error occurs
• Rate URLs by domain and IP address

Allow websites when a rating error occurs


If you do not have a FortiGuard license, but you have enabled services that need a FortiGuard
license (such as FortiGuard filter), then you will get a rating error message.
Use this setting to allow access to websites that return a rating error from the FortiGuard Web
Filter service.

To allow websites with rating errors in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Rating Options section, enable Allow websites when a rating error occurs.
3. Click OK.

Rate URLs by domain and IP address


If you enable this setting, instead of sending only the domain name to FortiGuard for rating,
the FortiGate always sends both the URL domain name and the destination IP address of the
TCP/IP packet (except for private IP addresses) to FortiGuard for rating.
The FortiGuard server might return different categories for the IP address and the URL domain. If
they are different, the FortiGate uses the rating weight of the IP address or domain name to
determine the rating result and decision. This rating weight is hard-coded in FortiOS.
For example, if www.irs.gov is spoofed to resolve to a Google IP address, the FortiGate sends both
the IP address and the domain name to FortiGuard to get the rating, and gets two different ratings:
Search Engines and Portals for the Google IP address, and Government and Legal Organizations
for www.irs.gov. Because the Search Engines and Portals rating has a higher weight than
Government and Legal Organizations, the traffic is rated as Search Engines and Portals.

To rate URLs by domain and IP address in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Rating Options section, enable Rate URLs by domain and IP address.
3. Click OK.

This topic gives examples of the following advanced filter features:


• Restrict Google account usage to specific domains
• HTTP POST action
• Remove Java applets, ActiveX, and cookies

These advanced filters are only available in proxy-based inspection mode.

Restrict Google account usage to specific domains


Use this setting to block access to certain Google accounts and services, while allowing access to
accounts with domains in the exception list.

To enable Google account restriction:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Proxy Options section, enable Restrict Google account usage to specific domains.
3. Click the + and enter the domains that Google can access, such as www.fortinet.com.
4. Click OK.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com
can go through. Traffic from other domains is blocked.

HTTP POST action


Use this setting to select the action to take with HTTP POST traffic. HTTP POST is the command
used by the browser when you send information, such as a completed form or a file you are
uploading to a web server. The action options are allow or block. The default is allow.

To configure HTTP POST in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Proxy Options section, for HTTP POST Action, select Allow or Block.
3. Click OK.

Remove Java applets, ActiveX, and cookies


Web filter profiles have settings to filter Java applets, ActiveX, and cookies from web traffic. Note
that if these filters are enabled, websites using Java applets, ActiveX, and cookies might not
function properly.

To enable these filters in the GUI:


1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
2. In the Proxy Options section, enable the filters you want to use: Remove Java
Applets, Remove ActiveX, or Remove Cookies.

If you consider that a particular URL does not have the correct category, you can ask to reevaluate
the rating in the Fortinet URL Rating Submission website. You can also override a web rating for
an exceptional URL in the FortiGate configuration.
Remember that changing categories does not automatically result in a different action for the
website. This depends on the settings within the web filter profile.

So, with these different features, what is the inspection order?


If you have enabled many of them, the inspection order flows as follows:
1. The local static URL filter
2. FortiGuard category filtering (to determine a rating)
3. Advanced filters (such as safe search or removing Active X components)

For each step, if there is no match, FortiGate moves on to the next check enabled.

Category-based filtering requires a live connection to FortiGuard.


Your local FortiGate connects to remote FortiGuard servers to get updates to FortiGuard
information, such as new viruses that may have been found or other new threats.
The default setting to reach FortiGuard is anycast. However, FortiGate can be configured to use
unicast server.
You can verify the connection to FortiGuard servers by running the diagnose debug rating CLI
command. This command displays a list of FortiGuard servers you can connect to, as well as the
following information:
• Weight: It is based on the difference in time zones between FortiGate and this server to reduce
the possibility of using a remote server.
The weight for each server increases with failed packets and decreases with successful packets.
To lower the possibility of using a remote server, the weight isn't allowed to dip below a base
weight. The base weight is calculated as the difference in hours between the FortiGate and the
server multiplied by 10. The farther away the server is, the higher its base weight is and the lower
it appears in the list.

FortiGate uses the following method to select the server to send the rating requests to:
• FortiGate initially uses the delta between the server time zone and the FortiGate system time
zone, multiplied by 10.
➢ This is the initial weight of the server. To lower the possibility of using a remote
server, the weight is not allowed to drop below the initial weight.
• The weight increases with each packet lost.
• The weight decreases over time if there are no packets lost.
• FortiGate uses the server with the lowest weight as the one for the rating queries. If two or
more servers have the same weight, FortiGate uses the server with the lowest round-trip time
(RTT).

The remaining columns in the diagnose debug rating output are:
• RTT: Round-trip time
• TZ: Server time zone
• FortiGuard-requests: The number of requests sent by FortiGate to FortiGuard
• Curr Lost: Current number of consecutive lost FortiGuard requests (resets to 0 when one
packet succeeds)
• Total Lost: Total number of lost FortiGuard requests. This is the historical total number of
queries without a reply; these values reset when the device restarts.
• Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)

Flag   Description

D      The server was found through the DNS lookup of the hostname. If the hostname returns more
       than one IP address, all of them are flagged with D and are used first for INIT requests
       before falling back to the other servers.

I      The server to which the last INIT request was sent.

F      The server hasn't responded to requests and is considered to have failed.

T      The server is currently being timed.

S      Rating requests can be sent to the server. The S flag is set for a server only in two cases:
       • The server exists in the server list received from the FortiManager or any other INIT
         server.
       • The server list received from the FortiManager is empty, so the FortiManager is the only
         server that the FortiGate knows and it should be used as the rating server.

The list is of variable length depending on the FortiGuard Distribution Network and the FortiGate
configuration.

Sorting the server list


The server list is sorted first by weight. The server with the smallest RTT appears at the top of the
list, regardless of weight. When a packet is lost (there has been no response in 2 seconds), it is re-
sent to the next server in the list. Therefore, the top position in the list is selected based on RTT,
while the other positions are based on weight.

By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering
with FortiGuard or FortiManager. (When anycast is enabled, which it is by default, the protocol is
HTTPS and the port is 443)
• When fortiguard-anycast is enabled, the FortiGuard domain name resolves to a single
anycast IP address, which is the only entry in the list of FortiGuard servers.
• By disabling the FortiGuard anycast setting on the CLI, other ports and protocols are
available. These ports and protocols query the servers (FortiGuard or FortiManager) on
HTTPS port 53 and port 8888, UDP port 443, port 53, and port 8888. If you are using UDP
port 53, any kind of inspection reveals that this traffic is not DNS and prevents the service
from working. In this case, you can switch to the alternate UDP port 443 or port 8888, or
change the protocol to HTTPS, but these ports are not guaranteed to be open in all
networks, so you must check beforehand.

• In many cases, ISPs cause problems related to FortiGuard. Some ISPs block traffic that is not
DNS or that contains large packets on port 53. In those cases, the solution is to switch
FortiGuard traffic from port 53 to port 8888.
• Other ISPs (or upstream firewalls) block traffic to port 8888. In those cases, the solution is to
use port 53.
• When anycast is enabled, which it is by default, the protocol is HTTPS and the port is 443.
• There are also a few cases where ISPs block traffic based on source ports. Changing the source
port range for FortiGuard to the range shown on this slide usually fixes the issue.

Web Filter cache


If the number of FortiGuard requests is too high, you can also enable Web Filter cache.
Once enabled, FortiGate maintains a list of recent website rating responses in memory. So, if the
URL is already known, FortiGate doesn't send another rating request. Caching responses reduces
the amount of time it takes to establish a rating for a website, because a memory lookup is much
quicker than packets travelling on the internet.

To list the contents of the FortiGuard web filtering cache, use the diagnose webfilter
fortiguard cache dump command. For each URL, the output lists its rating by domain
name and IP address.

• The rating by domain name is the first two digits of the first number from left to right—it
is the category ID represented in hexadecimal.
• The rating by IP address is the first two digits of the second number—it is also the
category ID represented in hexadecimal.
The get webfilter categories command lists all the categories with their respective ID
numbers. In this list, the IDs are represented in decimal. So, if you want to find the category name
for a URL in the cache, use the first command to list the cache, and then convert the ID number
from hexadecimal to decimal. Then, use the second command to find the category name for that
ID number.

What if you have a live connection to FortiGuard and configured your security profiles, but they
are not performing web inspection?
Most of the time, issues are caused by misconfiguration on the device. You can verify them as
follows:
• Make sure that the SSL Inspection field includes at least one profile with an SSL certificate
inspection method.
• Make sure that the correct web filter profile is applied on the firewall policy.
• Verify the inspection mode setting with the feature set in the corresponding web filter profile.

Here are some tips for troubleshooting web filtering:


• Get the specifics first:
➢ Which URLs are having the problem?
➢ Is it random?
➢ Does it happen with all users?
• Check the logs.
• Is the problem caused by an incorrect user group configuration? Are the user access privileges
correct?
• Run the real-time debug while reproducing the issue.

Additional tips:
• Check that web filtering isn't disabled globally.
• If users are having intermittent issues:
➢ Check that the communication with FortiGuard is stable (check the web filtering statistics).
➢ Check also that the device is not entering conserve mode.

Similar to other UTM features, one of the best troubleshooting tools for web filtering is the
FortiGate logs. FortiGate can generate a log each time a website is blocked. The log lists the URL,
category, action taken, and so on.
To confirm the correct configuration and web filtering behavior, you can view the web filter logs.
This slide shows an example of a log message. Access details include information about the
FortiGuard quota and category (if those are enabled), which web filter profile was used to inspect
the traffic, the URL, and more details about the event.
You can also view the raw log data by clicking the download icon at the top of the GUI. The file
downloaded is a plain text file in a syslog format.

LAB
Web Filtering
In this lab, you will configure one of the most used security profiles on FortiGate: web filter. This
includes configuring FortiGuard category-based and static URL filters, applying the web filter
profile in a firewall policy, testing the configuration, and performing basic troubleshooting.

Objectives
• Configure web filtering on FortiGate
• Apply the FortiGuard category-based option for web filtering
• Apply the static URL option for web filtering
• Troubleshoot the web filter
• Read and interpret web filter log entries

We have two LABs:

Lab 1: Configuring FortiGuard Web Filtering


Lab 2: Configuring Static URL Filtering
LAB Topology:

To configure FortiGate for web filtering based on FortiGuard categories, you must make sure that
FortiGate has a valid FortiGuard security subscription license. The license provides the web
filtering capabilities necessary to protect against inappropriate websites.
Then, you must configure a category-based web filter security profile on FortiGate, and apply the
security profile in a firewall policy to inspect the HTTP traffic.
Finally, you can test different actions that FortiGate has taken, according to the website rating.

Review the FortiGate Settings


You will review the inspection mode and license status according to the uploaded settings. You
will also list the FortiGuard Distribution Servers (FDS) that FortiGate uses to send the web filtering
requests.

To review the restored settings on FortiGate


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. On the Dashboard, locate the Licenses widget, and then hover over Web Filter to confirm that the service
is licensed and active.

You should see information similar to the following example:



Because of the reboot following the restoration of the configuration file, the web filter license
status may be Unavailable. In this case, navigate to System > FortiGuard. In
the Filtering section, click Test Connectivity to force an update, and then click OK to confirm.
You can confirm, at the same time, that Web Filter cache is enabled.

3. Click Policy & Objects > Firewall Policy.

4. Double-click the Full_Access policy to edit it.

5. Verify the Inspection Mode setting.

Notice that the default inspection mode is set to Flow-based.


6. In the Inspection Mode field, select Proxy-based.
7. Click OK.

Determine Web Filter Categories


To configure web filter categories, you must first identify how FortiGuard Web Filtering
categorizes specific websites.

To determine web filter categories


1. On the Local-Client VM, open a new browser tab, and then go
to https://www.fortiguard.com/webfilter.

2. Use the Web Filter Lookup tool to search for the following URL:

www.facebook.com

This is one of the websites you will use later to test your web filter.

As you can see, Facebook is listed in the Social Networking category.

3. Use the Web Filter Lookup tool again to find the web filter category for the following websites:

• www.skype.com
• www.ask.com
• www.bing.com

You will test your web filter using these websites also.

The following table shows the category assigned to each URL, as well as the action you will
configure FortiGate to take based on your web filter security profile:

Website            Category                     Action
www.facebook.com   Social Networking            Block
www.skype.com      Internet Telephony           Warning
www.bing.com       Search Engines and Portals   Allow
www.ask.com        Search Engines and Portals   Allow

Configure a FortiGuard Category-Based Web Filter


You will review the default web filtering profile, and then configure the FortiGuard category-
based filter.

To configure the web filter security profile


1. Return to the Local-FortiGate GUI, and then click Security Profiles > Web Filter.

2. Double-click the default web filter profile to edit it.

3. Verify that FortiGuard Category Based Filter is enabled.

You can click + to expand a category or - to collapse a category.



4. Review the default actions for each category.

Category                      Action
Local Categories              Disable
Potentially Liable            Block: Extremist Group; Allow: all other subcategories
Adult/Mature Content          Block
Bandwidth Consuming           Allow
Security Risk                 Block
General Interest - Personal   Allow
General Interest - Business   Allow
Unrated                       Block

Tip: Expand Potentially Liable to view the subcategories.

5. Expand General Interest - Personal to view the subcategories.

6. Right-click Social Networking, and then select Block.

7. Expand Bandwidth Consuming to view the subcategories.

8. Right-click Internet Telephony, and then select Warning.



The Edit Filter window opens, which allows you to modify the warning interval.

9. Keep the default setting of 5 minutes, and then click OK.

10. Click OK.



Apply the Web Filter Profile to a Firewall Policy


Now that you have configured the web filter profile, you must apply this security profile to a
firewall policy in order to start inspecting web traffic.

You will also enable the logs to store and analyze the security events that the web traffic
generates.

Take the Expert Challenge!

On the Local-FortiGate GUI, apply the web filter profile to the existing Full_Access firewall policy. Make sure that logging is also enabled and set to Security Events.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

To apply a security profile in a firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Double-click the Full_Access policy to edit it.

3. In the Security Profiles section, enable Web Filter, and then select default.

4. Hover over the warning sign that appears beside the SSL Inspection field.

The message should be similar to the following example:



5. In the SSL Inspection field, select certificate-inspection.

Because web filtering needs only the URL information (the hostname from the SNI or the server certificate) and does not inspect the full payload, you can select certificate-inspection instead of deep-inspection.

6. Under Log Allowed Traffic, make sure that Security Events is selected.

7. Keep all other default settings, and then click OK.

Test the Web Filter


You will test the web filter security profile you configured for each category.

To test the web filter


1. On the Local-FortiGate CLI, log in with the username admin and password password.

2. Enter the following command to verify the web filter status:

get webfilter status



The get webfilter status and diagnose debug rating commands show the list of FDS
that FortiGate uses to send web filtering requests. In normal operations, FortiGate sends the
rating requests only to the server at the top of the list. Each server is probed for round-trip time
(RTT) every 2 minutes.

Stop and think!

Why does only one IP address from your network appear in the server list?

Your lab environment uses a FortiManager at 10.0.1.241, which is configured as a local FDS.
It contains a local copy of the FDS web rating database.

FortiGate sends the rating requests to FortiManager instead of to the public FDS. For this
reason, the output of the command lists the FortiManager IP address only.

3. On the Local-Client VM, open a new browser tab, and then go to www.facebook.com.

A replacement message appears, according to the predefined action (Block) for this website category.

4. Open a new browser tab, and then go to www.skype.com.

A warning appears, according to the predefined action for this website category.

5. Click Proceed to accept the warning and access the website.

6. Open a new browser tab, and then go to www.bing.com.

This website loads normally because it belongs to the Search Engines and Portals category, which is set to Allow.

7. Close the Local-Client VM browser tabs.



Create a Web Rating Override


You will override the category for www.bing.com.

To create a web rating override


1. Return to the Local-FortiGate GUI, and then click Security Profiles > Web Rating Overrides.

2. Click Create New, and then configure the following settings:

Field          Value
URL            www.bing.com
Category       Security Risk
Sub-Category   Malicious Websites

3. Click OK.

Test the Web Rating Override


You will test the web rating override you created in the previous procedure.

To test the web rating override


1. On the Local-Client VM, open a new browser tab, and then try to access
the www.bing.com website again.

The website is blocked, and it matches a local rating instead of a FortiGuard rating.

Stop and think!

Why is the website www.bing.com blocked?

The web rating override changes the category. In the default web profile applied in
the firewall policy, the Malicious Websites category is set to Block. As a consequence,
the website www.bing.com is now blocked.

Configure an Authenticate Action


You will set the action for the Malicious Websites FortiGuard category to Authenticate. You will
then define a user in order to test the authenticate action.

To set up the authenticate action


1. Continuing on the Local-FortiGate GUI, click Security Profiles > Web Filter.

2. Double-click the default web filter profile to edit it.

3. Under FortiGuard Category Based Filter, expand Security Risk, right-click Malicious Websites,
and then select Authenticate.

The Edit Filter window opens, which allows you to modify the warning interval and select the user
groups.

4. Configure the following settings:

Field                  Value
Warning Interval       5 minutes
Selected User Groups   Override_Permissions

5. Click OK.

6. Click OK.

For the purpose of this lab, Override_Permissions is a predefined user group. To review the user groups, click User & Authentication > User Groups.

To create a user
1. Continuing on the Local-FortiGate GUI, click User & Authentication > User Definition.

2. Click Create New.

3. In the User Type field, select Local User.

4. Click Next, and then configure the following settings:

Field      Value
Username   student
Password   fortinet

5. Click Next.

6. Click Next.

7. Enable User Group, and then select Override_Permissions.

8. Click Submit.

The student user is created.

To test the authenticate action


1. On the Local-Client VM, open a new browser tab, and then try to access www.bing.com.

A warning appears. Notice that it is a different message from the one that appeared before.

2. Click Proceed.

You might receive a certificate warning at this stage. This is normal and is the result of using a
self-signed certificate. Accept the warning message to proceed with the remainder of the
procedure (click Advanced, and then click Accept the Risk and Continue).

3. Enter the following credentials:

Field      Value
Username   student
Password   fortinet

4. Click Continue.

The www.bing.com website now displays correctly.



In this exercise, you will configure a static URL filter and apply the security profile to a firewall
policy in flow-based inspection mode. You will then review the web filter logs.

Set Up the Static URL Filter in Flow-Based Inspection Mode


You will create a static URL filter entry and change the inspection mode to flow-based.

To create a static URL filter


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click Security Profiles > Web Filter.

3. Double-click the default web filter profile to edit it.

4. In the Static URL Filter section, enable URL Filter.



5. Click Create New, and then configure the following settings:

Field    Value
URL      www.bing.com
Type     Simple
Action   Block
Status   Enable

6. Click OK.

Your configuration should match the following example:

7. Click OK.

To change the inspection mode to flow-based


1. Continuing on the Local-FortiGate GUI, click Security Profiles > Web Filter.

2. Double-click the default web filter profile to edit it.

3. In the Feature set field, select Flow-based.

4. Click OK.

5. Click Policy & Objects > Firewall Policy.

6. Double-click the Full_Access policy to edit it.

7. In the Inspection Mode field, select Flow-based.

8. Click OK.

To test the static URL filter


1. On the Local-Client VM, open a new browser tab, and then try to access www.bing.com.

A warning appears. Notice that it is a different message from the one that appeared before.

Stop and think!


Why is the replacement message different?

FortiGate applies the static URL filter before the FortiGuard category filter.
The www.bing.com URL matches the URL filter pattern and therefore is now blocked, and
FortiGate displays the corresponding URL filter message.

To review the web filter logs


1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and then
click Log & Report > Security Events.

2. Under Summary, click Web Filter.

You should see information similar to the following example:



Stop and think!


Why is the first log entry for the www.bing.com website defined as blocked?

Initially, the www.bing.com website has the category Search Engines and Portals, which was set
to Allow and does not generate a security log.

To allow a website and generate a security log at the same time, you must set the category to Monitor.

Then, according to the logs, http://www.bing.com is blocked, but after you clicked Proceed and
authenticated, the logs show a different action: passthrough.

Remember that you overrode the Search Engines and Portals category to Malicious Websites, which was
set to Block, and then to Authenticate.

3. Double-click a log entry with an empty category.

You should see information similar to the following example:



Stop and think!


Why is the category field empty?

Because the static URL filter blocks the website before any rating lookup takes place, FortiGate never queries the FortiGuard web rating for it, so no category is available to write into the log.
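The three "Stop and think!" answers above (static URL filter before category rating, local rating before FortiGuard rating, and Allow versus Monitor versus Block versus Authenticate in the log) describe one decision order. The following Python model is an added illustration and is not FortiGate code: it replays the steps of both labs against a constructed rating table and returns the verdict of each step together with the security log entries it would produce. Assumed simplifications are marked in the comments: the rating service is a dictionary standing in for the FortiManager FDS, a Simple URL filter entry is compared with the hostname only, and the Warning action is modelled like the Authenticate action in the log (blocked for the replacement page, passthrough after the user proceeds).

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed stand-in for the FortiGuard rating service (the lab's FDS is the
# FortiManager at 10.0.1.241); only the four lab hosts are rated.
FORTIGUARD_RATING = {
    "www.facebook.com": "Social Networking",
    "www.skype.com": "Internet Telephony",
    "www.bing.com": "Search Engines and Portals",
    "www.ask.com": "Search Engines and Portals",
}

@dataclass
class UrlFilterEntry:
    """One Static URL Filter row (URL, Type, Action, Status)."""
    url: str
    type: str            # "simple" or "wildcard" (regex omitted here)
    action: str          # "block", "allow" or "monitor"
    status: str = "enable"

    def matches(self, host: str) -> bool:
        # Assumption: a Simple pattern is compared with the hostname only.
        if self.status != "enable":
            return False
        return host == self.url if self.type == "simple" else fnmatch(host, self.url)

@dataclass
class WebFilterProfile:
    url_filter: list = field(default_factory=list)       # Static URL Filter entries
    rating_override: dict = field(default_factory=dict)  # Web Rating Overrides: host -> category
    category_action: dict = field(default_factory=dict)  # FortiGuard category -> action
    unrated_action: str = "block"

@dataclass
class LogEntry:
    url: str
    action: str      # "blocked" or "passthrough"
    category: str    # empty when no rating lookup happened
    source: str      # "urlfilter", "local" or "fortiguard"

def filter_request(profile, host, proceeded=False, authenticated=False):
    """Return (verdict, log entry or None) for one request, in the lab's inspection order."""
    # 1. Static URL filter runs first. A block here ends processing before any
    #    rating lookup, which is why that log entry carries an empty category.
    for entry in profile.url_filter:
        if entry.matches(host):
            if entry.action == "block":
                return "blocked", LogEntry(host, "blocked", "", "urlfilter")
            if entry.action == "monitor":
                return "passthrough", LogEntry(host, "passthrough", "", "urlfilter")
            break  # "allow": continue with category rating
    # 2. A local rating (Web Rating Override) takes precedence over FortiGuard.
    if host in profile.rating_override:
        category, source = profile.rating_override[host], "local"
    else:
        category, source = FORTIGUARD_RATING.get(host, "Unrated"), "fortiguard"
    if category == "Unrated":
        action = profile.unrated_action
    else:
        action = profile.category_action.get(category, "allow")
    # 3. Apply the category action. Allow writes no security event; Monitor does.
    if action == "allow":
        return "allowed", None
    if action == "monitor":
        return "passthrough", LogEntry(host, "passthrough", category, source)
    if action == "block":
        return "blocked", LogEntry(host, "blocked", category, source)
    # Warning and Authenticate: "blocked" for the replacement page, "passthrough"
    # once the user proceeds (and, for Authenticate, logs in). Assumed for Warning.
    if proceeded and (action == "warning" or authenticated):
        return "passthrough", LogEntry(host, "passthrough", category, source)
    return action, LogEntry(host, "blocked", category, source)

def lab_sequence():
    """Replay the lab steps; return each step's verdict and the security log."""
    profile = WebFilterProfile(category_action={
        "Social Networking": "block",            # changed in the default profile
        "Internet Telephony": "warning",
        "Search Engines and Portals": "allow",
        "Malicious Websites": "block",           # default under Security Risk
    })
    log, verdicts = [], {}

    def visit(name, host, **kw):
        verdict, entry = filter_request(profile, host, **kw)
        if entry is not None:
            log.append(entry)
        verdicts[name] = verdict

    visit("facebook", "www.facebook.com")
    visit("skype", "www.skype.com")
    visit("skype_proceed", "www.skype.com", proceeded=True)
    visit("bing_allowed", "www.bing.com")                  # Allow: no log entry
    profile.rating_override["www.bing.com"] = "Malicious Websites"
    visit("bing_override", "www.bing.com")                 # local rating, blocked
    profile.category_action["Malicious Websites"] = "authenticate"
    visit("bing_auth_prompt", "www.bing.com")
    visit("bing_authenticated", "www.bing.com", proceeded=True, authenticated=True)
    profile.url_filter.append(UrlFilterEntry("www.bing.com", "simple", "block"))
    visit("bing_urlfilter", "www.bing.com", proceeded=True, authenticated=True)
    return verdicts, log

if __name__ == "__main__":
    for e in lab_sequence()[1]:
        print(f"{e.url:<18} action={e.action:<12} category={e.category!r:<30} source={e.source}")
```

Running the block prints the security log the lab's Web Filter summary shows for www.bing.com: no entry while the category was Allow, then blocked (local rating), blocked and passthrough around the authentication prompt, and finally a blocked entry with an empty category once the static URL filter matched first.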