Mastering
Web Filtering Configuration
in FortiGate
Mani Pahlavanzadeh
mani.pahlavan@gmail.com
ManiPahlavanzadeh
2|Page|Mani Pahlavanzadeh
There are many reasons why network administrators would apply web filtering:
• To limit access to distracting web sites, such as social networking sites, to keep their employees
focused on work and maintain productivity.
• To prevent network congestion by making sure users do not use valuable bandwidth for non-
business purposes, such as streaming a video.
• To decrease exposure to web-based threats by limiting access to potentially harmful websites.
• To limit liability, if employees attempt to download inappropriate or offensive material.
• To prevent users from viewing inappropriate material.
Web filtering restricts or controls user access to web resources and can be applied to firewall
policies using either policy-based or profile-based NGFW mode.
In FortiOS, there are three main components of web filtering:
• Web content filter: blocks web pages containing words or patterns that you specify.
• URL filter: uses URLs and URL patterns to block or exempt web pages from specific
sources, or block malicious URLs discovered by FortiSandbox.
• FortiGuard Web Filtering service: provides many additional categories you can use to
filter web traffic.
These components interact with each other to provide maximum control over what users on your
network can view and protect your network from many internet content threats.
Web filters are applied in the following order:
1. URL filter
2. FortiGuard Web Filtering
3. Web content filter
4. Web script filter
5. Antivirus scanning
As shown in this HTTP filter process flow example, FortiGate looks for the HTTP GET request to
collect URL information and perform web filtering.
In HTTP, the domain name and URL are separate parts. The domain name might look like the
following in the header: Host: www.acme.com, and the URL might look like the following in
the header: /index.php?login=true.
If you filter by domain, sometimes it blocks too much. For example, the blogs on tumblr.com
are considered different content, because of all the different authors. In that case, you can be
more specific, and block by the URL part, tumblr.com/hacking, for example.
In the default profile-based mode, FortiGate provides two inspection modes (flow-based and
proxy-based) to perform web filtering.
For encrypted protocols, FortiGate requires additional inspection. When using SSL certificate
inspection (not SSL deep inspection), FortiGate doesn't decrypt or inspect any encrypted traffic.
Using this method, FortiGate inspects only the initial unencrypted SSL handshake.
• If the SNI (Server Name Indication) field exists, FortiGate uses it to obtain the FQDN to
rate the site.
• If the SNI isn't present, FortiGate retrieves the FQDN from the CN field of the server
certificate.
• In some cases, the CN server name might not match the requested FQDN. For example, the
value of the CN field in the digital certificate of youtube.com is google.com. So, if you
connect to youtube.com from a browser that doesn't support SNI, and FortiGate uses the
SSL certificate inspection method, FortiGate assumes, incorrectly, that you are connecting
to google.com, and uses the google.com category instead of the category for youtube.com.
SSL certificate inspection works correctly with web filtering, because the full payload
does not need to be inspected.
• FortiGate has a read-only preconfigured profile for SSL certificate inspection named
certificate-inspection. If you want to enable SSL certificate inspection, select this profile
when configuring a firewall policy.
• Alternatively, you can create your own profile for SSL certificate inspection by following
these steps:
1. On the FortiGate GUI, click Security Profiles, and then click SSL/SSH Inspection.
2. Click Create New to create a new SSL/SSH inspection profile.
3. Select Multiple Clients Connecting to Multiple Servers, and then click SSL Certificate
Inspection.
The feature set setting (proxy or flow) in the web filter profile must match the
inspection mode setting (proxy or flow) in the associated firewall policy. For example,
a flow-based web filter profile must be used with a flow-based firewall policy.
An SSL inspection profile (such as the certificate-inspection profile) and a web filter
profile must both be selected in the associated firewall policy.
Some web filter profile options can only be configured in the CLI.
Flow Based
Flow-based inspection has fewer available options than Proxy-based inspection mode.
After you configure your web filter profile, you can apply this profile to the firewall policy
configured to use flow-based inspection mode, so the filtering is applied to your web traffic.
Proxy Based
In the example shown on this slide, the security profile is configured to use a proxy-based feature
set. It provides features specific to proxy-based configuration.
After you configure your web filter profile, you can apply this profile to the firewall policy
configured to use proxy-based inspection mode, so the filtering is applied to your web traffic.
Feature set: Select the feature set for the profile. The feature set mode must match the
inspection mode used in the associated firewall policy.
• Flow-based
• Proxy-based
Additional options are available in proxy-based mode and are identified in the GUI with a P icon.
If the Feature set option is not visible, enter the following in the CLI:
config system settings
set gui-proxy-inspection enable
end
FortiGuard Category Based Filter: Enable to use the category-based filters from FortiGuard. A
default action is assigned to each category, and you can change the action.
Category Usage Quota: This option is available in proxy-based mode and can be applied to
categories set to Monitor, Warning, and Authenticate.
Allow users to override blocked categories: Enable to allow certain users or user groups to
override websites blocked by web filtering profiles for a specified length of time.
Groups that can override: Select one or more user groups that can override blocked websites.
The user group must be specified as the Source in the firewall policies using this profile.
Switch applies to: Specify whether the override applies to a User, User Group, or IP address.
Alternately select Ask to prompt the user to log in to access the web page.
Switch duration: Select Predefined to specify how many days, hours, and minutes to allow the
override. Select Ask to prompt the user to specify how long to allow the override.
Search Engines
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex: Enable to prevent explicit websites and
images from appearing in search results.
Log all search keywords: This option is available in proxy-based mode. Enable to log all search
phrases.
Block invalid URLs: Enable to block websites when their SSL certificate CN field lacks a valid
domain name.
URL Filter: Enable to specify URL patterns and an action for FortiGate to take when matching
URL patterns are found in traffic.
Block malicious URLs discovered by FortiSandbox: Enable to block malicious URLs found by
FortiSandbox. Requires FortiGate to be connected to a registered FortiSandbox.
Content Filter: Enable to specify words or patterns to be used to identify and control access to
web pages.
Rating Options
Allow websites when a rating error occurs: Enable to allow access to websites that return a
rating error from the FortiGuard Web Filter service.
Rate URLs by domain and IP address: Enable for FortiGate to always send both the URL domain
name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard for
rating.
Proxy Options
Restrict Google account usage to specific domains: This option is available in proxy-based mode.
Enable to block access to certain Google accounts and services.
HTTP POST Action: Enable to specify how to handle HTTP POST traffic.
Remove Java Applets: This option is available in proxy-based mode. Enable to remove Java
applets from web traffic.
Remove ActiveX: This option is available in proxy-based mode. Enable to remove ActiveX from
web traffic.
3. Click OK.
For web filtering, FortiGate can use FortiGuard category filters to control web access. FortiGuard
categories are derived from the FortiGuard web filtering service.
The service includes the FortiGuard URL Categories Database, which sorts billions of web pages
into a wide range of rating categories.
https://www.fortiguard.com/webfilter/categories
Each category contains websites or web pages that have been assigned based on their dominant
web content. These categories can, in turn, be blocked or allowed according to their content. The
database categorizes web content based on its viewing suitability for three major groups of
consumers: enterprises, schools, and home and families.
For example, Twitter is categorized as part of the General Interest - Personal category, while
Dropbox is categorized as part of the Bandwidth Consuming category.
Note that categories can be further divided into subcategories. The General Interest - Personal
category includes subcategories such as Social Networking and News and Media, while the
Bandwidth Consuming category includes subcategories such as File Sharing and Storage,
Internet Telephony, and Streaming Media and Download.
Website categories are determined by both automated and human methods. The FortiGuard
team has automatic web crawlers that look at various aspects of the website in order to come up
with a rating. There are also people who examine websites and look into rating requests to
determine categories.
The www.fortiguard.com website includes a Web Filtering service. This service is designed to
assist you to identify the category and rating of a URL.
Using the information that the FortiGuard Web Filtering service provides you can gain insights
into the content and reputation of URLs.
This service is useful to analyze whether the category-based filter in the web filter profile is
allowing or blocking a specific URL as expected.
In the web filter profile, FortiGuard category filtering enhances the web filter features. Rather
than block or allow websites individually, it looks at the category that a website has been rated
with. Then, FortiGate takes action based on that category, not based on the URL.
The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply
to more than two billion pages.
When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a
request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent
to the nearest FortiGuard server. The URL category or rating is returned.
• If the category is blocked, the FortiGate shows a replacement message in place of the
requested page.
• If the category is not blocked, the page request is sent to the requested URL as normal.
FortiGuard category filtering is a live service that requires an active contract. The contract
validates connections to the FortiGuard network. If the contract expires, there is a two-day grace
period during which you can renew the contract before the service ends. If you do not renew,
after the two-day grace period, FortiGate reports a rating error for every rating request made. In
addition, by default, FortiGate blocks web pages that return a rating error. You can change this
behavior by enabling the Allow websites when a rating error occurs setting.
Security Profiles > Web Filter > Rating Options > Allow websites when a rating error occurs
You can configure FortiManager to act as a local FortiGuard server. To do this, you must
download the databases to FortiManager, and configure FortiGate to validate the categories
against FortiManager, instead of FortiGuard.
You can enable the FortiGuard category filtering on the web filter profile. Categories are listed,
and you can customize the actions to perform individually. In the default profile-based mode, the
actions available are Allow, Monitor, Block, Warning, and Authenticate.
Monitor: Permit and log access to sites in the category. User quotas can be enabled for this
option.
Block: Prevent access to the sites in the category. Users trying to access a blocked site see a
replacement message indicating the site is blocked.
Warning: Display a message to the user allowing them to continue if they choose.
Authenticate: Require the user to authenticate with the FortiGate before allowing access to the
category or category group.
Besides the Allow and Block actions, which respectively permit and block access to the sites, the
Monitor action allows access to the sites in the category and logs it at the same time.
In proxy-based mode, you can also configure a usage quota.
Configuring a quota
The following example shows how to set a time quota for the education category (category 30).
3. When the quota reaches its limit, traffic is blocked and the replacement page displays.
You can customize the warning replacement message. By default, it provides information of the
URL and its corresponding category. With this information, the user can click Proceed to override
the internet usage policy.
3. Enter the username and password for the configured user group, then click Continue.
The messages added to a group do not need to be customized. The message body content,
header type, and format will use the default values if not customized.
Administrative override
Administrators can grant temporary access to sites that are otherwise blocked by a web filter
profile. You can grant temporary access to a user, user group, or source IP address. You can set
the time limit by selecting a date and time. The default is 15 minutes.
When the administrative web profile override is enabled, a blocked access page or replacement
message does not appear, and authentication is not required.
Scope range
You can choose one of the following scope ranges:
• User: authentication for permission to override is based on whether or not the user is using
a specific user account.
• User group: authentication for permission to override is based on whether or not the user
account supplied as a credential is a member of the specified user group.
• Source IP: authentication for permission to override is based on the IP address of the
computer that was used to authenticate. This would be used for computers that have
multiple users. For example, if a user logs on to the computer, engages the override by
using their credentials, and then logs off, anyone who logs on with an account on that
computer would be using the alternate override web filter profile.
3. Click OK.
When you choose the user group scope, once one user overrides, it will affect the other users in
the group when they attempt to override. For example, user1 and user2 both belong to the
local_user group. Once user1 successfully overrides, this will generate an override entry for the
local_user group instead of one specific user. This means that if user2 logs in from another PC,
they can override transparently.
Other features
Besides the scope, there are some other features in Allow users to override blocked categories.
Switch duration
Administrative override sets a specified time frame that is always used for that override. The
available options are:
• Predefined: the value entered is the set duration (length of time in days, hours, or
minutes) that the override will be in effect. If the duration variable is set to 15 minutes,
the length of the override will always be 15 minutes. The option will be visible in the
override message page, but the setting will be grayed out.
• Ask: the user has the option to set the override duration once it is engaged. The user can
set the duration in terms of days, hours, or minutes.
When the ask option is enabled (through the Switch applies to field in the GUI),
the Scope dropdown is editable. Users can choose one of the following:
• User
• User group
• IP
User and User Group are only available when there is a user group in the firewall
policy. You must specify a user group as a source in the firewall policy so the scope
includes User and User Group; otherwise, only the IP option will be available.
Safe search
This setting applies to popular search sites and prevents explicit websites and images from
appearing in search results.
Although Safe Search is a useful tool, especially in educational environments, the resourceful user
may be able to simply turn it off. Enabling Safe Search for the supported search sites enforces its
use by rewriting the search URL to include the code to indicate the use of the Safe Search feature.
For example, on a Google search it would mean adding the string “&safe=active” to the URL in the
search.
The safe search feature is not supported in flow inspection mode.
The supported search sites are:
• Google
• Yahoo
• Bing
• Yandex
3. Click OK.
When safe-search is set to header in the CLI, the Restrict YouTube Access option is
visible in the GUI.
3. Enable Restrict YouTube Access and select either Strict or Moderate.
4. Click OK.
It is recommended to set safe-search to url and header because some search engines,
such as Google, use the URL, and other search engines, such as Bing, use the header.
When you enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex in the
GUI, safe-search is set to url header in the CLI.
3. Click OK.
URL Filter
Static URL filtering is another web filter feature, which provides more granularity. Configured
URLs in the URL filter are checked from top to bottom against the visited websites. If FortiGate
finds a match, it applies the configured action.
Once a URL filter is configured, it can be applied to a firewall policy.
Simple: The FortiGate tries to strictly match the full context. For example, if you enter
www.facebook.com in the URL field, it only matches traffic with www.facebook.com. It won't
match facebook.com or message.facebook.com. When the FortiGate finds a match, it performs the
selected URL action.
A simple URL Filter entry must be in the format of a standard URL, and entries can include
sub-domains and paths.
- Examples include: 'fortinet.com', 'fortinet.com/support', 'support.fortinet.com',
'net.com', etc.
Regular expression/wildcard: The FortiGate tries to match the pattern based on the rules of
regular expressions or wildcards. For example, if you enter *fa* in the URL field, it matches all
the content that has fa, such as www.facebook.com, message.facebook.com, fast.com, and so on.
When the FortiGate finds a match, it performs the selected URL action.
Exempt: The traffic is allowed to bypass the remaining FortiGuard web filters, web content
filters, web script filters, antivirus scanning, and DLP proxy operations.
Block: The FortiGate denies or blocks attempts to access any URL that matches the URL pattern.
A replacement message is displayed.
Allow: The traffic is passed to the remaining FortiGuard web filters, web content filters, web
script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not appear
in the URL list, the traffic is permitted.
Monitor: The traffic is processed the same way as the Allow action. For the Monitor action, a
log message is generated each time a matching traffic pattern is established.
The exempt URL filter action can be configured to bypass all or certain security profile operations. This
setting can only be configured in the CLI.
Verify the URL filter results by going to a blocked website. For example, when you go to the
Facebook website, the replacement message appears:
Wildcard: Use this setting to block or exempt one word or text strings of up to 80 characters.
You can also use wildcard symbols such as ? or * to represent one or more characters. For
example, a wildcard expression forti*.com matches fortinet.com and fortiguard.com. The *
represents any character appearing any number of times.
Regular expression: Use this setting to block or exempt patterns of regular expressions that use
some of the same symbols as wildcard expressions, but for different purposes. In regular
expressions, * repeats the character before it any number of times. For example, forti*.com
matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i
appearing any number of times.
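To show how the entry types and actions above combine, here is an added Python model of a URL filter list, not FortiGate's own code, with a constructed four-entry list. It walks the entries top to bottom, applies the first match, and treats an unmatched URL as permitted; the simple-entry rule (exact host, or host plus a path that starts with the entry) is an assumption made for this example.

```python
import fnmatch
import re
from typing import List, Optional, Tuple

# Constructed URL filter list (type, pattern, action), in the order it would be checked.
URL_FILTER: List[Tuple[str, str, str]] = [
    ("simple",   "www.facebook.com", "block"),    # exact entry only; facebook.com does not match
    ("regex",    r"forti*\.com",     "block"),    # regex: * repeats the preceding 'i'
    ("wildcard", "forti*.com",       "exempt"),   # wildcard: * is any run of characters
    ("wildcard", "*fa*",             "monitor"),  # anything containing 'fa'
]


def entry_matches(kind: str, pattern: str, url: str) -> bool:
    """Match one entry against a URL given as host plus optional path, e.g. 'fortinet.com/support'."""
    if kind == "simple":
        # Assumed reading of 'strict match': the entry equals the URL, or the entry is the
        # URL's host/path prefix followed by a path separator.
        return url == pattern or url.startswith(pattern + "/")
    if kind == "wildcard":
        # fnmatch '*' spans any characters (including '/'), '?' exactly one; '.' is literal.
        return fnmatch.fnmatchcase(url, pattern)
    if kind == "regex":
        return re.search(pattern, url) is not None
    raise ValueError(f"unknown entry type: {kind}")


def evaluate(url: str, entries=URL_FILTER) -> Tuple[str, Optional[str]]:
    """Return (action, matched_pattern). First match from the top wins; no match means 'allow'."""
    for kind, pattern, action in entries:
        if entry_matches(kind, pattern, url):
            return action, pattern
    return "allow", None


def continues_to_later_filters(action: str) -> bool:
    """Exempt skips the remaining FortiGuard/content/script/AV checks; block stops the request;
    allow and monitor hand the traffic on to those checks (monitor also logs the match)."""
    return action in ("allow", "monitor")


if __name__ == "__main__":
    for u in ["www.facebook.com", "facebook.com", "message.facebook.com",
              "fortinet.com", "fortiguard.com", "fortiii.com", "fortiice.com", "example.org"]:
        action, matched = evaluate(u)
        print(f"{u:24} -> {action:8} (entry: {matched}) "
              f"continue={continues_to_later_filters(action)}")
```

Note how fortiii.com hits the regex entry while fortinet.com and fortiice.com fall through to the wildcard entry, exactly the difference the two tables describe.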
The web content filter scans the content of every webpage that is accepted by a firewall policy.
The system administrator can specify banned words and phrases and attach a numerical value (or
score) to the importance of those words and phrases. When the web content filter scan detects
banned content, it adds the scores of banned words and phrases found on that page. If the sum is
higher than a threshold set in the web filter profile, the FortiGate blocks the page.
The default score for web content filter is 10 and the default threshold is 10. This means that by
default, a webpage is blocked by a single match.
Banned words or phrases are evaluated according to the following rules:
• The score for each word or phrase is counted only once, even if that word or phrase
appears many times in the webpage.
• The score for any word in a phrase without quotation marks is counted.
• The score for a phrase in quotation marks is counted only if it appears exactly as written.
The following table is an example of how rules are applied to the webpage contents. For example,
a webpage contains only this sentence:
The score for each word or phrase is counted only once, even if that word or phrase appears many
times in the webpage.
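The scoring rules can be checked against that sentence with the following added Python (an illustration written for this page, not FortiGate's implementation). It uses a constructed banned-word list with the default score of 10 and threshold of 10; treating each word of an unquoted phrase as scoring separately, once, is the reading of the second rule assumed here.

```python
import re
from typing import List, Tuple

DEFAULT_SCORE = 10       # default score per banned word or phrase
DEFAULT_THRESHOLD = 10   # default profile threshold: one default-score match blocks the page

# Constructed banned-word list as (pattern, score); quoted patterns are exact phrases.
BANNED: List[Tuple[str, int]] = [
    ("word", DEFAULT_SCORE),                # appears twice in the sample, counted once
    ("many times", DEFAULT_SCORE),          # unquoted phrase: each word that appears is counted
    ('"phrase appears"', DEFAULT_SCORE),    # quoted phrase: must appear exactly as written
    ('"word count"', DEFAULT_SCORE),        # quoted phrase that is not present
]

# The sample page content is the sentence used by the text above.
SAMPLE_PAGE = ("The score for each word or phrase is counted only once, even if that word "
               "or phrase appears many times in the webpage.")


def _tokens(text: str) -> List[str]:
    """Lower-case word tokens, so matching is case-insensitive and ignores punctuation."""
    return re.findall(r"[a-z0-9']+", text.lower())


def score_page(page_text: str, banned=BANNED, threshold: int = DEFAULT_THRESHOLD):
    """Return (total_score, blocked, hits); hits lists each (matched_item, score) counted.
    Scoring each word of an unquoted phrase separately (once) is an assumption of this example."""
    tokens = _tokens(page_text)
    present = set(tokens)
    joined = " ".join(tokens)
    total = 0
    hits = []
    for pattern, score in banned:
        if len(pattern) >= 2 and pattern[0] == '"' and pattern[-1] == '"':
            phrase = " ".join(_tokens(pattern))
            # exact phrase match, once, regardless of how often it occurs
            if phrase and re.search(r"\b" + re.escape(phrase) + r"\b", joined):
                total += score
                hits.append((pattern, score))
        else:
            # dict.fromkeys keeps order while deduplicating, so each word scores at most once
            for w in dict.fromkeys(_tokens(pattern)):
                if w in present:
                    total += score
                    hits.append((w, score))
    # reaching the threshold blocks, which is why the 10/10 defaults block on a single match
    return total, total >= threshold, hits


if __name__ == "__main__":
    total, blocked, hits = score_page(SAMPLE_PAGE)
    print(total, blocked)       # 40 True
    for item, s in hits:
        print(f"  {item!r}: +{s}")
```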
When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com
can go through. Traffic from other domains is blocked.
If you consider that a particular URL does not have the correct category, you can ask to reevaluate
the rating in the Fortinet URL Rating Submission website. You can also override a web rating for
an exceptional URL in the FortiGate configuration.
Remember that changing categories does not automatically result in a different action for the
website. This depends on the settings within the web filter profile.
For each step, if there is no match, FortiGate moves on to the next check enabled.
FortiGate uses the following method to select the server to send the rating requests to:
• FortiGate initially uses the delta between the server time zone and the FortiGate system time
zone, multiplied by 10.
➢ This is the initial weight of the server. To lower the possibility of using a remote
server, the weight is not allowed to drop below the initial weight.
• The weight increases with each packet lost.
• The weight decreases over time if there are no packets lost.
• FortiGate uses the server with the lowest weight as the one for the rating queries. If two or
more servers have the same weight, FortiGate uses the server with the lowest round-trip time
(RTT).
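The weighting rules above, carried through a constructed scenario in Python. This is an added example, not FortiGate's scheduler: the absolute time-zone delta, a penalty of 1 per lost request and a decay of 1 per successful reply are assumed constants, since the text gives only the direction of each change.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class FdsServer:
    ip: str
    tz: int                # server time zone (hours from UTC), as shown in the TZ column
    rtt_ms: float          # last measured round-trip time
    initial_weight: int = 0
    weight: int = 0
    curr_lost: int = 0     # consecutive lost requests, reset by the next reply
    total_lost: int = 0    # lost requests since boot


def init_weights(servers: List[FdsServer], fortigate_tz: int) -> List[FdsServer]:
    """Initial weight = |server TZ - FortiGate TZ| * 10 (using the absolute delta is an assumption)."""
    for s in servers:
        s.initial_weight = abs(s.tz - fortigate_tz) * 10
        s.weight = s.initial_weight
    return servers


def record_lost(s: FdsServer, penalty: int = 1) -> None:
    """A lost request raises the weight (the per-packet amount is an assumed constant)."""
    s.curr_lost += 1
    s.total_lost += 1
    s.weight += penalty


def record_reply(s: FdsServer, decay: int = 1) -> None:
    """A reply resets the consecutive-loss counter and lets the weight decay, but never
    below the initial weight, so a distant server stays unattractive."""
    s.curr_lost = 0
    s.weight = max(s.initial_weight, s.weight - decay)


def select_server(servers: List[FdsServer]) -> FdsServer:
    """Lowest weight wins; ties go to the lowest RTT."""
    return min(servers, key=lambda s: (s.weight, s.rtt_ms))


def run_scenario() -> List[str]:
    """Constructed scenario: FortiGate in UTC+0, two local servers and one far away."""
    servers = init_weights([
        FdsServer("192.0.2.10", tz=0, rtt_ms=30.0),
        FdsServer("192.0.2.20", tz=0, rtt_ms=20.0),
        FdsServer("198.51.100.5", tz=8, rtt_ms=5.0),   # fastest RTT but initial weight 80
    ], fortigate_tz=0)
    chosen = [select_server(servers).ip]               # tie on weight 0 -> lower RTT (.20)
    for _ in range(3):                                  # .20 drops three requests in a row
        record_lost(servers[1])
    chosen.append(select_server(servers).ip)           # .20 now weight 3 -> .10 selected
    for _ in range(3):                                  # .20 answers three probes again
        record_reply(servers[1])
    chosen.append(select_server(servers).ip)           # back to weight 0 -> .20 again
    return chosen


if __name__ == "__main__":
    print(run_scenario())   # ['192.0.2.20', '192.0.2.10', '192.0.2.20']
```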
• RTT: Round-trip time
• TZ: Server time zone
• FortiGuard-requests: The number of requests sent by FortiGate to FortiGuard
• Curr Lost: Current number of consecutive lost FortiGuard requests (in a row, it resets to 0 when
one packet succeeds)
• Total Lost: Total number of lost FortiGuard requests. The historical total number of queries
without reply—these values reset when the device restarts.
• Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
D: The server was found through the DNS lookup of the hostname. If the hostname returns more
than one IP address, all of them are flagged with D and are used first for INIT requests before
falling back to the other servers.
The list is of variable length depending on the FortiGuard Distribution Network and the FortiGate
configuration.
By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering
with FortiGuard or FortiManager. (When anycast is enabled, which it is by default, the protocol is
HTTPS and the port is 443)
• When the fortiguard-anycast setting is enabled, the FortiGuard domain name
resolves to a single anycast IP address, which is the only entry in the list of FortiGuard
servers.
• By disabling the FortiGuard anycast setting on the CLI, other ports and protocols are
available. These ports and protocols query the servers (FortiGuard or FortiManager) on
HTTPS port 53 and port 8888, UDP port 443, port 53, and port 8888. If you are using UDP
port 53, any kind of inspection reveals that this traffic is not DNS and prevents the service
from working. In this case, you can switch to the alternate UDP port 443 or port 8888, or
change the protocol to HTTPS, but these ports are not guaranteed to be open in all
networks, so you must check beforehand.
• In many cases, ISPs cause problems related to FortiGuard. Some ISPs block traffic that is not
DNS or that contains large packets on port 53. In those cases, the solution is to switch
FortiGuard traffic from port 53 to port 8888.
• Other ISPs (or upstream firewalls) block traffic to port 8888. In those cases, the solution is to
use port 53.
• When anycast is enabled, which it is by default, the protocol is HTTPS and the port is 443.
• There are also a few cases where ISPs block traffic based on source ports. Changing the source
port range for FortiGuard to the range shown on this slide usually fixes the issue.
To list the contents of the FortiGuard web filtering cache, use the diagnose webfilter
fortiguard cache dump command. For each URL, the output lists its rating by domain
name and IP address.
• The rating by domain name is the first two digits of the first number from left to right—it
is the category ID represented in hexadecimal.
• The rating by IP address is the first two digits of the second number—it is also the
category ID represented in hexadecimal.
The get webfilter categories command lists all the categories with their respective ID
numbers. In this list, the IDs are represented in decimal. So, if you want to find the category name
for a URL in the cache, use the first command to list the cache, and then convert the ID number
from hexadecimal to decimal. Then, use the second command to find the category name for that
ID number.
What if you have a live connection to FortiGuard and configured your security profiles, but they
are not performing web inspection?
Most of the time, issues are caused by misconfiguration on the device. You can verify them as
follows:
• Make sure that the SSL Inspection field includes at least one profile with an SSL certificate
inspection method.
• Make sure that the correct web filter profile is applied on the firewall policy.
• Verify the inspection mode setting with the feature set in the corresponding web filter profile.
Additional tips:
• Check that web filtering isn't disabled globally.
• If users are having intermittent issues:
➢ Check that the communication with FortiGuard is stable (check the web filtering statistics).
➢ Check also that the device is not entering conserve mode.
Similar to other UTM features, one of the best troubleshooting tools for web filtering is the
FortiGate logs. FortiGate can generate a log each time a website is blocked. The log lists the URL,
category, action taken, and so on.
To confirm the correct configuration and web filtering behavior, you can view the web filter logs.
This slide shows an example of a log message. Access details include information about the
FortiGuard quota and category (if those are enabled), which web filter profile was used to inspect
the traffic, the URL, and more details about the event.
You can also view the raw log data by clicking the download icon at the top of the GUI. The file
downloaded is a plain text file in a syslog format.
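As an added example of reading those downloaded logs, the Python below parses constructed web filter log lines written in FortiGate's key="value" style (sample lines made up for this page, not real captures) and summarizes what was blocked, by which mechanism and for which source, including sites that were blocked only because a rating error came back.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample web filter log lines (not real captures); field names follow FortiGate's
# key="value" convention, with eventtype telling which web filter component fired.
SAMPLE_LOGS = [
    'date=2024-06-02 time=10:01:15 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" srcip=10.0.1.10 dstip=203.0.113.5 service="HTTPS" '
    'hostname="www.facebook.com" profile="default" action="blocked" url="/" '
    'catdesc="Social Networking" msg="URL belongs to a denied category in policy"',
    'date=2024-06-02 time=10:02:40 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'level="notice" srcip=10.0.1.11 dstip=203.0.113.9 service="HTTPS" '
    'hostname="www.bing.com" profile="default" action="passthrough" url="/" '
    'catdesc="Search Engines and Portals" msg="URL belongs to an allowed category in policy"',
    'date=2024-06-02 time=10:03:05 type="utm" subtype="webfilter" eventtype="urlfilter" '
    'level="warning" srcip=10.0.1.10 dstip=203.0.113.7 service="HTTPS" '
    'hostname="www.skype.com" profile="default" action="blocked" url="/" '
    'msg="URL was blocked because it is in the URL filter list"',
    'date=2024-06-02 time=10:04:30 type="utm" subtype="webfilter" eventtype="ftgd_err" '
    'level="error" srcip=10.0.1.12 dstip=203.0.113.8 service="HTTPS" '
    'hostname="www.ask.com" profile="default" action="blocked" url="/" '
    'msg="A rating error occurs"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a FortiGate-style log line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, raw in KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate webfilter events: blocked count per (eventtype, category), blocked hosts per
    source IP, and the hosts that were blocked because FortiGuard returned a rating error."""
    blocked_by_reason: Counter = Counter()
    blocked_hosts_by_src: Dict[str, List[str]] = {}
    rating_errors: List[str] = []
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "webfilter":
            continue
        if f.get("action") == "blocked":
            reason = (f.get("eventtype", ""), f.get("catdesc", "-"))
            blocked_by_reason[reason] += 1
            blocked_hosts_by_src.setdefault(f["srcip"], []).append(f["hostname"])
        if f.get("eventtype") == "ftgd_err":
            # a burst of these is the signature of an expired contract or unreachable FDS
            rating_errors.append(f["hostname"])
    return {"blocked_by_reason": dict(blocked_by_reason),
            "blocked_hosts_by_src": blocked_hosts_by_src,
            "rating_errors": rating_errors}


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LOGS))
```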
LAB
Web Filtering
In this lab, you will configure one of the most used security profiles on FortiGate: web filter. This
includes configuring FortiGuard category-based and static URL filters, applying the web filter
profile in a firewall policy, testing the configuration, and performing basic troubleshooting.
Objectives
• Configure web filtering on FortiGate
• Apply the FortiGuard category-based option for web filtering
• Apply the static URL option for web filtering
• Troubleshoot the web filter
• Read and interpret web filter log entries
To configure FortiGate for web filtering based on FortiGuard categories, you must make sure that
FortiGate has a valid FortiGuard security subscription license. The license provides the web
filtering capabilities necessary to protect against inappropriate websites.
Then, you must configure a category-based web filter security profile on FortiGate, and apply the
security profile in a firewall policy to inspect the HTTP traffic.
Finally, you can test different actions that FortiGate has taken, according to the website rating.
Because of the reboot following the restoration of the configuration file, the web filter license
status may be Unavailable. In this case, navigate to System > FortiGuard. In
the Filtering section, click Test Connectivity to force an update, and then click OK to confirm.
You can confirm, at the same time, that Web Filter cache is enabled.
2. Use the Web Filter Lookup tool to search for the following URL:
www.facebook.com
This is one of the websites you will use later to test your web filter.
3. Use the Web Filter Lookup tool again to find the web filter category for the following websites:
• www.skype.com
• www.ask.com
• www.bing.com
You will test your web filter using these websites also.
The following table shows the category assigned to each URL, as well as the action you will
configure FortiGate to take based on your web filter security profile:
Category Action
Local Categories Disable
Potentially Liable Block: Extremist Group
The Edit Filter window opens, which allows you to modify the warning interval.
You will also enable the logs to store and analyze the security events that the web traffic
generates.
3. In the Security Profiles section, enable Web Filter, and then select default.
4. Hover over the warning sign that appears beside the SSL Inspection field.
Because web filtering requires URL information and does not inspect the
full payload, you can select certificate-inspection instead of deep-inspection.
6. Under Log Allowed Traffic, make sure that Security Events is selected.
The get webfilter status and diagnose debug rating commands show the list of FortiGuard
Distribution Servers (FDS) that FortiGate uses to send web filtering requests. In normal operations,
FortiGate sends the rating requests only to the server at the top of the list. Each server is probed
for round-trip time (RTT) every 2 minutes.
Why does only one IP address from your network appear in the server list?
Your lab environment uses a FortiManager at 10.0.1.241, which is configured as a local FDS.
It contains a local copy of the FDS web rating database.
FortiGate sends the rating requests to FortiManager instead of to the public FDS. For this
reason, the output of the command lists the FortiManager IP address only.
3. On the Local-Client VM, open a new browser tab, and then go to www.facebook.com.
A warning appears, according to the predefined action for this website category.
This website appears because it belongs to the Search Engines and Portals category, which is set
to Allow.
Field         Value
URL           www.bing.com
Category      Security Risk
Sub-Category  Malicious Websites
3. Click OK.
The website is blocked, and it matches a local rating instead of a FortiGuard rating.
The web rating override changes the category. In the default web profile applied in
the firewall policy, the Malicious Websites category is set to Block. As a consequence,
the website www.bing.com is now blocked.
3. Under FortiGuard Category Based Filter, expand Security Risk, right-click Malicious Websites,
and then select Authenticate.
The Edit Filter window opens, which allows you to modify the warning interval and select the user
groups.
Field                 Value
Warning Interval      5 minutes
Selected User Groups  Override_Permissions
5. Click OK.
6. Click OK.
To create a user
1. Continuing on the Local-FortiGate GUI, click User & Authentication > User Definition.
Field     Value
Username  student
Password  fortinet
5. Click Next.
6. Click Next.
8. Click Submit.
A warning appears. Notice that it is a different message from the one that appeared before.
2. Click Proceed.
You might receive a certificate warning at this stage. This is normal and is the result of using a
self-signed certificate. Accept the warning message to proceed with the remainder of the
procedure (click Advanced, and then click Accept the Risk and Continue).
Field     Value
Username  student
Password  fortinet
4. Click Continue.
In this exercise, you will configure a static URL filter and apply the security profile to a firewall
policy in flow-based inspection mode. You will then review the web filter logs.
Field   Value
URL     www.bing.com
Type    Simple
Action  Block
Status  Enable
6. Click OK.
7. Click OK.
4. Click OK.
8. Click OK.
A warning appears. Notice that it is a different message from the one that appeared before.
FortiGate applies the static URL filter before the FortiGuard category filter.
The www.bing.com URL matches the URL filter pattern and therefore is now blocked, and
FortiGate displays the corresponding URL filter message.
Initially, the www.bing.com website has the category Search Engines and Portals, which was set
to Allow and does not generate a security log.
To allow a website and generate a security log at the same time, you must set the category to Monitor.
Then, according to the logs, http://www.bing.com is blocked, but after you clicked Proceed and
authenticated, the logs show a different action: passthrough.
Remember that you overrode the rating of www.bing.com from Search Engines and Portals to
Malicious Websites, a category that was set to Block and then to Authenticate.
Because the website is now blocked by the static URL filter, FortiGate does not apply the FortiGuard
web rating, and the log does not provide a category.
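The evaluation order worked through in this exercise (static URL filter first, then the local rating override replacing the FortiGuard category, then the category action, and the log action each outcome writes) can be summarized in a small model. The following Python is an added illustration, not FortiOS code or anything from this guide: the rating table is constructed sample data standing in for the FDS or FortiManager database, the Simple URL type is reduced to a whole-hostname match, and the Warning action is modelled as logged "blocked" until the user clicks Proceed, which is a simplification.

```python
"""Simplified model of the FortiGate web filter decision order used in this lab.

Added illustration, not FortiOS code. It models the static URL filter running
before the FortiGuard category filter, a local rating override replacing the
FortiGuard category, and the log action each outcome produces (passthrough,
blocked, or none). Ratings below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample ratings (standing in for FortiGuard / the local FDS copy).
SAMPLE_RATINGS = {
    "www.facebook.com": "Social Networking",
    "www.bing.com": "Search Engines and Portals",
    "www.ask.com": "Search Engines and Portals",
}


@dataclass
class UrlFilterEntry:
    url: str
    type: str = "simple"     # the lab uses Simple; wildcard/regex are not modelled here
    action: str = "block"    # block or exempt end processing; allow continues
    status: bool = True


@dataclass
class WebFilterProfile:
    url_filter: list = field(default_factory=list)
    rating_overrides: dict = field(default_factory=dict)   # hostname -> category
    category_actions: dict = field(default_factory=dict)   # category -> action


@dataclass
class Verdict:
    result: str                 # allowed, blocked, warning, authenticate
    log_action: Optional[str]   # passthrough, blocked, or None (Allow logs no event)
    category: Optional[str]     # None when no rating lookup was performed


def evaluate(profile: WebFilterProfile, host: str,
             proceeded: bool = False, authenticated: bool = False) -> Verdict:
    """Apply the profile to one request, in the order FortiGate applies the filters."""
    host = host.lower()

    # 1. Static URL filter. A block here ends processing before any rating lookup,
    #    so the log carries no FortiGuard category (as observed for www.bing.com).
    for entry in profile.url_filter:
        if not entry.status or entry.type != "simple":
            continue
        if entry.url.lower() == host:   # Simple type reduced to a whole-hostname match
            if entry.action == "block":
                return Verdict("blocked", "blocked", None)
            if entry.action == "exempt":
                return Verdict("allowed", "passthrough", None)
            # any other action: continue to the category filter

    # 2. Rating: a web rating override replaces the FortiGuard category.
    category = profile.rating_overrides.get(host, SAMPLE_RATINGS.get(host, "Unrated"))
    action = profile.category_actions.get(category, "allow")

    # 3. Category action -> verdict and log action.
    if action == "monitor":
        return Verdict("allowed", "passthrough", category)
    if action == "block":
        return Verdict("blocked", "blocked", category)
    if action == "warning":
        # Model simplification: logged as blocked until the user clicks Proceed.
        if proceeded:
            return Verdict("allowed", "passthrough", category)
        return Verdict("warning", "blocked", category)
    if action == "authenticate":
        # Proceed alone is not enough; the user must log in as an override-group member.
        if proceeded and authenticated:
            return Verdict("allowed", "passthrough", category)
        return Verdict("authenticate", "blocked", category)
    return Verdict("allowed", None, category)   # Allow: no security event is logged


def lab_profile() -> WebFilterProfile:
    """Category actions matching what the exercise configures, as a starting profile."""
    return WebFilterProfile(category_actions={
        "Social Networking": "warning",
        "Search Engines and Portals": "allow",
        "Malicious Websites": "block",
    })
```

Walking the lab through this model: www.bing.com is allowed with no log under Allow; switching the category to Monitor yields a passthrough log; the rating override to Malicious Websites turns it into a block; changing that category to Authenticate produces a blocked log until the user both proceeds and authenticates; and adding the Simple URL filter entry blocks it before any rating, so the verdict carries no category at all.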