How to Configure Web Filtering on FortiGate Firewall

Why we need Web filtering?

1. Block access to inappropriate contents (porn sites).

2. Block access to malicious websites which may cause data loss or data
leak.
3. Block access to Band consuming /bandwidth wasting sites
(streaming sites).
What we can filter on (Based on)?
Web filters are applied in the following order:
1. URL list
2. FortiGuard Web Filtering Categories.
3. Web content filtering.
4. Web script filter
5. Antivirus scanning

Web filtering Actions:

➢ Allow: Permit access to the website

➢ Monitor: Permit and logs access to the website.

➢ Warning: Displays a message to the user, allowing him to continue or not

Warning interval: the time interval when the warning page appears again after
the user chooses to continue (allow access time)

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 1 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
 ➢ Block: Prevent access to the website.

➢ Authenticate: Requires the user to authenticate with the FortiGate in order

to allow access to the website.

➢ Exempt: The traffic is allowed to

bypass the remaining FortiGuard web filters, web content filters, web script
filters, antivirus scanning, and DLP proxy operations.

1- URL list "static URL filter".

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 2 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
Mainly it is used to block certain websites and allowing the rest of websites.
The URL list saved on the FortiGate device itself and does not need a connection to
FortiGuard Servers, so Static URL filter→ doesn’t need a valid FortiGuard license.

For example: this list blocks only cnn.com/videos and allow the rest of websites

To allow certain websites and block the rest of websites.

Note: the URL filter rules are applied in order from the top. ↓

There are three types of URL that can be defined.

A) Simple:
URL Filter entry must be in the format of a standard URL.
Also, can include sub-domains and paths.

For example: www.cnn.com

- URL entry: cnn.com →Full Domain
- URL entry: cnn.com/videos →Path

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 3 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
Note: To match a URL's path (e.g., 'cnn.com/videos'), SSL Deep Inspection must be
configured within the Firewall Policy (assuming the traffic is encrypted HTTPS).

B) Wildcard:
A wildcard can be used to include one or more URLs to a simple URL.

For example:
- URL: *.cnn.com →(everything before ".cnn.com" will match this rule, like
edition.cnn.com)
- URL: www.cnn.com/* (everything after "www.cnn.com/" will match this rule, like
www.cnn.com/videos)

C) Regular Expressions (regex):

Regex is used to include one or more URLs related -or not related- to a pattern using
some Perl syntax

"/i" symbols means: makes the pattern case sensitive.

For example:
"/CNN/i" → will not match with "cnn"

"^" symbols means: at the beginning of the string.

For example:
"^cn" →will match 'cnn.com'

Block invalid URL

Block web sites whose SSL certificate's CN field does not contain a valid domain name.
Example:
When a visited URL that contains a "_", the site will be blocked with "block-invalid-url".

This option also blocks URLs that contains spaces. If there is a space in the URL, it must be
written as %20 in the URL path.

As per RFC 952, " A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24
characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). "

Block malicious URLs discovered by FortiSandbox

Block malicious URLs that FortiSandbox finds.
Forti cloud Sandbox free for use.

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 4 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
2. FortiGuard Web Filtering Categories.

1- the URL is sent to the nearest FortiGuard server.

2- The URL category or rating is returned.
3- If the category is set blocked, the FortiGate shows a block replacement message
instead of the request page.
4- If the category is not blocked, the request page is sent to the user as normal.
FortiGuard Web Filtering Categories need a connection to FortiGuard Servers to work,
So, this will need a valid FortiGuard license
How To look up a URL rating/Category
1- FortiGuard website (https://www.fortiguard.com/webfilter)

2- Security Profiles -> Web Rating Overrides -> Create New -> URL -> Lookup Rating

(Don’t click on ‘ok’ button as this will save the configuration).

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 5 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
 Usage quota
Quotas can be set for the Monitor, Warning, or Authenticate actions.
Once the quota is reached, the traffic is blocked and the replacement message page
displays.
Quotas allow access for a specified length of time or a specific bandwidth, and are
calculated separately for each user. Quotas are reset daily at midnight.

Allow users to override blocked categories

Allow users with valid credentials to override blocked categories with another web profile
for a certain time interval.

✓ Select users’ group that can override and the new allowed web profile.
✓ Select IP or ASK and define the access time interval.
___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 6 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
 ✓ Validate user credentials and if requested to define the allowed access time
interval.

Web Category override.

overrides the original FortiGuard category for the URL with either a different FortiGuard
category, or a custom local category.

Example: google.com URL, Cat. (General Interest-Business) override with Custom local Cat.
(Block URLs)
Note: Web rating is only for host names, no URLs or Wildcards are allowed.
___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 7 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
(Disable) Action: New Local Category actions
Remove the category from the web filter profile.

Rating Options.

Allow websites when a rating error occurs

If you do not have a FortiGuard license, or you have a connection problem with
FortiGuard Servers, but you have enabled FortiGuard Web Filtering Categories services,
then you will get a rating error message.

By default, this option is disabled, and if an error rating occurs, the FortiGate will block
the website.

Rate URLs by domain and IP Address

By default, this option is disabled and FortiGate only sending domain information to
FortiGuard for rating.

If this option enabled, the FortiGate sends both the URL domain name and the TCP/IP
packet's IP address (except for private IP addresses) to FortiGuard for the rating.

The FortiGuard server might return a different category of IP address and URL domain.
If they are different, the FortiGate uses the rating weight of the IP address or domain
name to determine the rating result and decision.

Additional Proxy-Based Web Filtering Features

These advanced filters are only available in proxy-based inspection mode.

1- Search Engines:
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex
By enable safe search mode in search engines to filter search results.
___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 8 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
Restrict YouTube Access
YouTube Restricted Mode is an optional setting that filters out potentially mature videos
while leaving a large number of videos still available.
Strict: Strict Mode does not block all videos, but works as a filter to screen out many
videos based on an automated system, while leaving some videos still available for
viewing.
Moderate: this setting is similar to Strict Mode but makes a much larger collection of
videos available.
Log all search keywords
This setting logs all search phrases.
2- Proxy Options

Restrict Google account usage to specific domains

block access to Google accounts and services, while allowing access with specific
domains in the exception list.

HTTP POST Action

HTTP POST is the command used by the browser when you send information, such as a
completed form or a file you are uploading to a web server.
This option is used to restrict users from sending information and files to web servers.
The action options are allow or block. The default is allow.

Remove Java Applets, Remove ActiveX and Remove Cookies

Filter cookies, Java applets, and ActiveX scripts from web traffic.
If these filters are enabled, websites using Java applets, ActiveX, and cookies might not
function properly.

3. Web content filtering.

IT control access to web content by blocking webpages containing specific words or
patterns.
You can specify words, phrases, patterns, wildcards, and regular expressions to match
content on webpages.

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 9 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
Trouble shooting
Why the Web Filter Not applied?
A- Web filtering profile server multiple functions. So, if you have many of these
functions enabled, you need to check by the following order

1- Local Static URL Filter.

2- FortiGuard Category Filter.
3- Advanced Proxy-Based Filters

B- You create a Security Web Filter Profile, but not attached to the Firewall Policy.

C- Some Web filtering function need Deep or Full SSL inspection to work.
Examples:
✓ Static URL-path {www.cnn.com/videos}.
✓ Web content filtering.
✓ Search engines filtering {Safe Search and Restricted access to YouTube}

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 10 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/
D- FortiGuard Category Filter required alive connection to FortiGuard Servers.

E- Check Web Filter Logs and Reports.

___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
Page 11 of 11 | #support_team247 | https://www.linkedin.com/in/emadhegazi/