Web Security/Web Filter
Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.
When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.
Enable/Disable Web Security
To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.
Enable/Disable | Select to enable or disable Web Security. |
X Violations (In the Last 7 Days) | Select to view Web Security log entries of the violations that have occurred in the last 7 days. |
Settings | Select to configure the Web Security profile, exclusion list, and settings, and to view violations. |
Web Security profile
You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.
Allow | Set the category or sub-category to Allow to allow access. |
Block | Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser. |
Warn | Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page. |
Monitor | Set the category or sub-category to Monitor to allow access. The site will be logged. |
You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.
Web Security exclusion list
To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.
Configure the following settings:
Exclusion List | Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection. |
URL | Enter a URL or IP address. |
Type | Select one of the following pattern types from the drop-down list:
- Simple
- Wildcard
- Regular Expression |
Actions | Select one of the following actions from the drop-down list:
- Block: Block access to the web site regardless of the URL category or sub-category action.
- Allow: Allow access to the web site regardless of the URL category or sub-category action.
- Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established. |
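The precedence described above, where an exclusion list entry wins over the category action, as an added example that is not FortiClient code. The hostnames, the category table and the matching rules (exact host for Simple, shell-style glob for Wildcard, Python regex for Regular Expression, unmatched traffic allowed when site categories are off) are assumptions made for illustration.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed profile: category -> action chosen in the Web Security profile.
CATEGORY_ACTIONS = {"Social Networking": "block", "Unrated": "warn",
                    "Information Technology": "allow"}
# Constructed exclusion list rows: (URL pattern, Type, Action).
EXCLUSIONS = [("intranet.example.test", "simple", "allow"),
              ("*.ads.example.test", "wildcard", "block"),
              (r"^files\d+\.example\.test$", "regex", "monitor")]
# Constructed (url, FDN category) pairs to evaluate.
SAMPLES = [("http://intranet.example.test/app", "Unrated"),
           ("https://cdn.ads.example.test/x.js", "Information Technology"),
           ("https://files12.example.test/", "Information Technology"),
           ("https://social.example.test/", "Social Networking")]

def host_of(url):
    """Lower-cased host part of a URL, with or without a scheme."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def entry_matches(pattern, kind, host):
    """Assumed semantics: exact host, shell-style glob, or Python regex."""
    if kind == "simple":
        return host == pattern.lower()
    if kind == "wildcard":
        return fnmatch.fnmatchcase(host, pattern.lower())
    if kind == "regex":
        return re.search(pattern, host) is not None
    raise ValueError(f"unknown pattern type: {kind}")

def effective_action(url, category, categories_enabled=True):
    """Return (action, source); an exclusion entry overrides the category."""
    host = host_of(url)
    for pattern, kind, action in EXCLUSIONS:
        if entry_matches(pattern, kind, host):
            return action, f"exclusion:{pattern}"
    if not categories_enabled:  # assumption: only the list applies
        return "allow", "no-match"
    return CATEGORY_ACTIONS.get(category, "allow"), f"category:{category}"

def overrides(samples):
    """List (url, category action, effective action) where the list changed the result."""
    changed = []
    for url, category in samples:
        action, source = effective_action(url, category)
        base = CATEGORY_ACTIONS.get(category, "allow")
        if source.startswith("exclusion:") and action != base:
            changed.append((url, base, action))
    return changed
```

Calling overrides(SAMPLES) lists the constructed URLs whose outcome the exclusion list changed, which is a quick way to review allow entries that defeat a blocked or warned category.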
Web Security settings
To configure web security settings, select the settings icon then select Settings from the menu.
Configure the following settings:
Enable Site Categories | Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list. |
Log all URLs | Select to log all URLs. |
Identify user initiated web browsing | Select to identify web browsing that is user initiated. |
View violations
To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).
Website | The website name or IP address. |
Category | The website sub-category. |
Time | The date and time that the website was accessed. |
User | The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message. |
Web Filter
When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.
The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.
On a FortiGate device, the overall process is as follows:
- Create a Web Filter profile on the FortiGate.
- Add the Web Filter profile to the FortiClient Profile on the FortiGate.
On EMS, web filtering is part of the endpoint profile.
FortiGate
Step 1: Create a Web Filter Profile on the FortiGate
Use the following steps to create a custom Web Filter profile on the FortiGate:
- Go to Security Profiles > Web Filter.
- To create a new profile, click the create new icon in the toolbar. The New Web Filter Profile page opens.
- Configure the following settings:
Name | Enter a name for the Web Filter profile. |
Comments | Enter a description in the comments field. (optional) |
Inspection Mode | This setting is not applicable to FortiClient. |
FortiGuard Categories | Select category and sub-category actions.
- In FortiClient 5.4.0, the Security Risk category is part of the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.
- When FortiGuard Categories is disabled, FortiClient will be protected by the Exclusion List configured in the URL in the FortiClient profile. |
Categories Usage Quota | This setting is not applicable to FortiClient. |
Allow users to override blocked categories | This setting is not applicable to FortiClient. |
Search Engines | |
Enforce ‘Safe Search’ | Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex. |
YouTube Education Filter | Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content as per your YouTube filter code. |
Log all search keywords | This setting is not applicable to FortiClient. |
Static URL Filter | |
Block invalid URLs | This setting is not applicable to FortiClient. |
URL Filter | Select to enable URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable.
FortiClient does not support the Exempt action. Any URLs in the URL filter with an exempt action will be added to the FortiClient Exclusion List with an allow action. |
Block malicious URLs discovered by FortiSandbox | Select to block URLs that have been marked as malicious by FortiSandbox. A FortiSandbox device or cloud must be configured. |
Web Content Filter | This setting is not applicable to FortiClient. |
Rating Options | These settings are not applicable to FortiClient. |
Proxy Options | These settings are not applicable to FortiClient. |
- Select OK to save the profile.
Step 2: Add the Web Filter profile to the FortiClient Profile
- Go to Security Profiles > FortiClient Profiles.
- Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
- Enable Web Filter, then select the Web Filter profile from the drop-down list.
- Optionally, select to enable Client Side when On-Net.
- Select Apply to save the profile.
The FortiGate will send the FortiClient Profile configuration update to registered clients.
The Web Filtering module is now available in FortiClient.
EMS
To add web filtering to an endpoint profile:
- Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
- Select the Web Filter
- Select the on/off button to add web filtering to the profile.
- Adjust the web filter settings as required, then select Save to save your changes.
Hi
I’m having issues with the FG blocking access to local webservers in the same subnet, as an unrated site. I have added a policy LAN-LAN and disabled web filtering, but still did not work. Is there a way to override ratings by subnet?
Jose,
You have to make the exceptions on the FortiClient profile as well as the FortiGate interface to interface policy will not be triggered unless they are on different subnets. I would also check to make sure “Block Invalid URLs” isn’t enabled as shorthand (netbios style web addresses for instance http://mikesserver) will cause issues as they are shown as invalid.
We are using just FortiClient. We have an internal website that has a client app that connects scanners to the back end of the website direct from clients. For some reason FortiClient Malicious website module is blocking those clients. Users can browse to the site without a problem but the client won’t connect. Web security exclusions don’t make a difference and excluding the folders where the client is installed doesn’t make a difference. Is there a way to add an exclusion list for URLs under the Block Malicious Websites portion of the Antivirus?
Are you controlling the Client via FortiGate or FortiClient EMS?
We actually aren’t using control at all as of right now. We did solve this problem by reinstalling FortiClient after the client connection software was already installed on the workstation.
Interesting. Thanks for the heads up. I prefer to manage FortiClient using the Gate or the EMS. The granularity you gain as well as an ease of troubleshooting is awesome.
Hi Mike, can you help me with a FortiClient implementation? I have the FortiClient being administered from FortiGate that distributes the Webfilter profiles to the endpoint. This FortiClient x FortiGate integration is working perfectly, I see the client registered in the firewall and loading the correct profile from FortiClient Profiles. But when I try to navigate in the workstation, all the websites that I try the FortiClient classify with the category “not classified” and blocks access (because the “not classified” category is blocked in the profile).
Has anyone had this problem? Can you help me?
Thanks and regards,
Frederico Pereira
Frederico, Can you go into more detail on how you have things pushing to the clients?