Webfilter FW
Warning interval: the time after which the warning page appears again once
the user has chosen to continue (the allowed access time).
___________________________________________________________________________
How to Configure Web Filtering on FortiGate Firewall
#support_team247 | https://www.linkedin.com/in/emadhegazi/
➢ Block: Prevent access to the website.
It is mainly used to block certain websites while allowing the rest.
The URL list is saved on the FortiGate device itself and does not need a connection to
FortiGuard servers, so the static URL filter does not need a valid FortiGuard license.
For example: this list blocks only cnn.com/videos and allows the rest of the websites.
Note: the URL filter rules are applied in order from the top. ↓
A) Simple:
The URL filter entry must be in the format of a standard URL.
It can also include sub-domains and paths.
Note: To match a URL's path (e.g., 'cnn.com/videos'), SSL Deep Inspection must be
configured within the Firewall Policy (assuming the traffic is encrypted HTTPS).
B) Wildcard:
A wildcard can be added to a simple URL so that the entry matches one or more URLs.
For example:
- URL: *.cnn.com (everything before ".cnn.com" will match this rule, like
edition.cnn.com)
- URL: www.cnn.com/* (everything after "www.cnn.com/" will match this rule, like
www.cnn.com/videos)
This option also blocks URLs that contain spaces. If there is a space in the URL, it must be
written as %20 in the URL path.
As per RFC 952, "A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24
characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.)."
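The static URL filter behaviour described above (top-down rule order, simple and wildcard entries, and path entries that need SSL deep inspection on HTTPS) as a small Python model. This is an added example, not FortiOS code or the author's; the matching semantics in `entry_matches`, the function names and the rule lists are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed rule lists: (type, url entry, action), evaluated from the top.
RULES = [("simple", "cnn.com/videos", "block"),
         ("wildcard", "*.cnn.com", "allow")]
SHADOWED = [("wildcard", "www.cnn.com/*", "allow"),
            ("simple", "www.cnn.com/videos", "block")]


def visible_parts(url, deep_inspection):
    """Host and path the filter can see; the path of an HTTPS request is
    hidden (None) unless SSL deep inspection decrypts the traffic."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and not deep_inspection:
        return host, None
    return host, parts.path or "/"


def entry_matches(kind, entry, host, path):
    """Assumed semantics: 'simple' = exact host plus path prefix,
    'wildcard' = shell-style glob over host or host+path."""
    entry_host, slash, entry_path = entry.partition("/")
    if slash and path is None:
        return False          # entry needs a path the filter cannot see
    if kind == "simple":
        return host == entry_host and (not slash or path.startswith("/" + entry_path))
    target = host + path if slash else host
    return fnmatchcase(target, entry)


def evaluate(url, rules, deep_inspection, default="allow"):
    """Return (action, matching entry) for the first rule that matches."""
    host, path = visible_parts(url, deep_inspection)
    for kind, entry, action in rules:
        if entry_matches(kind, entry, host, path):
            return action, entry
    return default, None


if __name__ == "__main__":
    for url, rules, deep in [("https://cnn.com/videos/clip", RULES, True),
                             ("https://cnn.com/videos/clip", RULES, False),
                             ("https://edition.cnn.com/world", RULES, False),
                             ("http://www.cnn.com/videos", SHADOWED, True)]:
        print(url, "deep" if deep else "no-deep", evaluate(url, rules, deep))
```

The second case shows the path entry silently not applying when HTTPS is not decrypted, and the last case shows a block entry that never fires because an allow wildcard above it matches first.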
2. FortiGuard Web Filtering Categories.
2- Security Profiles -> Web Rating Overrides -> Create New -> URL -> Lookup Rating
Usage quota
Quotas can be set for the Monitor, Warning, or Authenticate actions.
Once the quota is reached, the traffic is blocked and the replacement message page
displays.
Quotas allow access for a specified length of time or a specific bandwidth, and are
calculated separately for each user. Quotas are reset daily at midnight.
✓ Select the user group that can override, and the new allowed web profile.
✓ Select IP or ASK and define the access time interval.
✓ Validate the user credentials and, if requested, define the allowed access time
interval.
overrides the original FortiGuard category for the URL with either a different FortiGuard
category, or a custom local category.
Example: the google.com URL, category (General Interest - Business), is overridden with the
custom local category (Block URLs).
Note: Web rating applies only to host names; no URLs or wildcards are allowed.
(Disable) Action: New Local Category actions
Remove the category from the web filter profile.
Rating Options.
By default, this option is disabled, and if a rating error occurs, the FortiGate will block
the website.
If this option is enabled, the FortiGate sends both the URL domain name and the TCP/IP
packet's IP address (except for private IP addresses) to FortiGuard for the rating.
The FortiGuard server might return different categories for the IP address and the URL domain.
If they are different, the FortiGate uses the rating weight of the IP address or domain
name to determine the rating result and decision.
1- Search Engines:
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex
Enables safe search mode in search engines to filter search results.
Restrict YouTube Access
YouTube Restricted Mode is an optional setting that filters out potentially mature videos
while leaving a large number of videos still available.
Strict: Strict Mode does not block all videos, but works as a filter to screen out many
videos based on an automated system, while leaving some videos still available for
viewing.
Moderate: this setting is similar to Strict Mode but makes a much larger collection of
videos available.
Log all search keywords
This setting logs all search phrases.
2- Proxy Options
Troubleshooting
Why is the web filter not applied?
A- A web filtering profile serves multiple functions. So, if you have many of these
functions enabled, you need to check them in the following order.
B- You created a security web filter profile but did not attach it to the firewall policy.
C- Some web filtering functions need Deep or Full SSL inspection to work.
Examples:
✓ Static URL-path {www.cnn.com/videos}.
✓ Web content filtering.
✓ Search engines filtering {Safe Search and Restricted access to YouTube}
D- The FortiGuard category filter requires a live connection to the FortiGuard servers.