Web filter – Fortinet FortiGate

Overriding FortiGuard website categorization

In most things there is an exception to the rule. When it comes to the rules about who is allowed to go to which websites in spite of the rules or in this case, policies, it seems that there are more exceptions than to most rules. There are numerous valid reasons and scenarios for exceptions so it follows that there needs to be a way to accommodate this exceptions.

The different methods of override

There are actually two different ways to override web filtering behavior based on FortiGuard categorization of a websites. The second method has 2 variations in implementation and each of the three has a different level of granularity.

  1. Using Alternate Categories

  Rating Override

This method manually assigns a specific website to a different Fortinet category or a locally created category.

  1. Using Alternate Profiles

Administrative Override or Allow Blocked Override

In this method all of the traffic going through the FortiGate unit, using identity based policies and a Web Filtering profile has the option where configured users or IP addresses can use an alternative Web Filter profile when attempting to access blocked websites.

Using Alternate Categories

Rating Overrides

There are two approached to overriding the FortiGuard Web Filtering. The first is an identity based method that can be configured using a combination of identity based policies and specifically designed webfilter profiles. This has been addressed in the Firewall Handbook.

The second method is the system wide approach that locally (on the FortiGate Firewall) reassigns a URL to a different FortiGuard Category and even subcategory. This is where you can set assign a specific URL to the FortiGuard Category that you want to you can also set the URL to one of the Local Categories that you have created

The Rating Overrides option is available because different people will have different criteria for how they categorize websites. Even is the criteria is the same an organization may have reason to block the bulk of a category but need to be able to access specific URLs that are assigned to that category.

A hypothetical example could be that a website, example.com is categorized as being in the

Sub-Category Pornography. The law offices of Barrister, Solicitor and Lawyer do not want their employees looking at pornography at work so they have used the FortiGuard Webfilter to block access to sites that have been assigned to the Category “Pornography”. However, the owners of example.com are clients of the law office and they are aware that example.com is for artists that specialize in nudes and erotic images. In this case to approaches can be taken. The first is that the Rating Override function can be used to assign example.com to Nudity and Risque instead of Pornography for the purposes of matching the criteria that the law office goes by or the site can be assigned to a Custom Category that is not blocked because the site belongs to one of their clients and they always want to be able to access the site.

Another hypothetical example from the other side of the coin. A private school has decided that a company that specializes in the online selling of books that could be considered inappropriate for children because of their violent subject matter, should not be accessible to anyone in the school. The categorization by Fortinet of the site example2.com is General Interest – Business with the subcategory of Shopping and Auction, which is a category that is allowed at the school. In this case they school could reassign the site to the Category Adult Material which is a blocked category.

Local Categories

User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a web filter profile. Users can rate URLs based on the local categories.

Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed.

The local assignment of a category overrides the FortiGuard server ratings and appear in reports as “Local” Categories or “Custom” Categories depending on the context.

Local categories are configured in the CLI.

To create a Local Category:

config webfilter ftgd-local-cat edit local_category_1 set id 140 end

There is also a way to create a new category in the Web Based Manager.

Go to Security Profiles > Web Filter > Rating Overrides. In the process creating a new override, you can choose to override that URL to the Category “Custom Categories”. When you are choosing the Sub-Category from the drop down menu, the last item in the list will be Create

New. If you select this item you will be given the option to fill out a field called Category Name.

Just type in the name of the new category from this point on it will be listed in the Custom Categories of the Rating Overrides and as one of the Local Categories in the FortiGuard Webfilter.

Configuring Rating Overrides

  1. Go to Security Profiles > Web Filter > Rating Overrides.
  2. Select Create New
  3. Type in the URL field the URL of the Website that you wish to recategorize.
  4. Select the Lookup Rating button to verify the current categorization that is being assigned to the URL.
  5. Change the Category field to one of the more applicable options from the drop down menu.
  6. Change the Sub-Category field to a more narrowly defined option within the main category.
  7. Select OK.

Using Alternate Profiles

Allow Blocked Overrides or Web Overrides

Depending on which patch level you are on of Firmware Version 5 you will have one of 2 options for the implementation of the alternate profile approach to overriding a Web Filter profile that blocks access to a URL.

Before FortiOS 5 Patch 4

The only feature available was referred to as “Allow Blocked Override”. The configuration settings for this feature where found in the individual Web Filter profiles by going to the Advanced section near the bottom of the configuration window.

Starting with FortiOS Patch 4

The Administrative Override feature for Web Filtering was added and is found by going to Security Profiles > Web Filter > Web Overrides. This opening window will display a listing of all

of the overrides of this type. The editing window referred to the configuration as an Administrative Override.

The Concept

When a Web filter profile is overridden it does not necessarily remove all control and restrictions that were previously imposed by the Web Filter. The idea is to replace a restrictive filter with a different one. In practice, it makes sense that this will likely be a profile that is less restrictive the the original one but there is nothing that forces this. The degree to which that the alternate profile is less restrictive is open. It can be as much as letting the user access everything on the Internet or as little as allowing only one addition website. The usual practice though is to have as few alternate profiles as are needed to allow approved people to access what they need during periods when an exception to the normal rules is needed but still having enough control that the organizations web usage policies are not compromised.

You are not restricted to having only one alternative profile as an option to the existing profile.

The new profile depends on the credentials or IP address making the connection. For example, John connecting through the “Standard” profile could get the “Allow_Streaming_Video” profile while George would get the “Allow_Social_Networking_Sites” profile.

The other thing to take into account is the time factor on these overrides. They are not indefinite. The longest that an override can be enabled is for 1 year less a minute. Often these overrides are set up for short periods of time for specific reasons such as a project. Having the time limitation means that the System Administrator does not have to remember to go back and turn the feature off after the project is finished.

Identity or Address

In either case what these override features do is, for specified users, user groups or IP addresses, allow sites blocked by Web Filtering profiles to be overridden for a specified length of time. The drawback of this method of override is that it takes more planning and preparation than the rating override method. The advantage is that once this has been set up, this method requires very little in the way of administrative overhead to maintain.

When planning to use the alternative profile approach keep in mind the following: In Boolean terms, one of the following “AND” conditions has to be met before overriding the Web Filter is possible

Based on the IP address:

  • The Web Filter profile must be specified as allowing overrides • AND the user’s computer is one of the IP addresses specified
  • AND the time is within the expiration time frame.

While the conditions are fewer for this situation there is less control over who has the ability to bypass the filtering configured for the site. All someone has to do is get on a computers that is allowed to override the Web Filter and they have access.

Based on user or user group:

  • The Web Filter profile must be specified as allowing overrides
  • AND the policy the traffic is going through must be identity based
  • AND the user’s credentials matches the identity credentials specified
  • AND the time is within the expiration time frame.

This method is the one most likely to be used as it gives more control in that the user has to have the correct credential and more versatile because the user can use the feature from any computer that uses the correct policy to get out on the Internet.

Settings

When using an alternate profile approach to Web Filter overrides the following settings are used to determine authentication and outcome. Not every setting is used in both methods but enough of them are common to describe them collectively.

Apply to Group(s)

This is found in the Allow Blocked Overrides configuration. Individual users can not be selected. You can select one or more of the User Groups that are recognized my the FortiGate unit, whether they are local to the system or from a third part authentication device such as a AD server through FSSO.

Original Profile

This is found in the Administrative Override configuration. In the Allow Blocked Overrides setting the configuration is right inside the profile so there was no need to specify which profile was the original one, but the Administrative Override setup is done separately from the profiles themselves.

Assign to Profile or New Profile

Despite the difference in the name of the field, this is the same thing in both variations of the feature. You select from the drop down menu the alternate Web Filter Profile that you wish to set up for this override.

Scope or Scope Range

When setting up the override in the “Allow Blocked Overrides” variation you are given a drop down menu next to the field name Scope while in the Administrative Override configuration you are asked to select a radio button next to the same options. In both cases this is just a way of selecting which form of credentials will be required to approve the overriding of the existing Web Filter profile.

When the Web Filter Block Override message page appears it will display a field named “Scope:” and depending on the selection, it will show the type of credentials used to determine whether or not the override is allowed. The available options are:

User

This means that the authentication for permission to override will be based on whether or not the user is using a specific user account.

User Group

This means that the authentication for permission to override will be based on whether on not the user account supplied as a credential is a member of the specified User Group.

IP

This means that the authentication for permission to override will be based on the IP address of the computer that was used to authenticate. This would be used with computers that have multiple users. Example: If Paul logs on to the computer, engages the override using his credentials and then logs off, if the scope was based on the IP address of the computer, anybody logging in with any account on that computer would now be using the alternate override Web Filter profile.

When entering an IP address in the Administrative Override version, only individual IP addresses are allowed.

Differences between IP and Identity based scope

  • Using the IP scope does not require the use of an Identity based policy.
  • When using the Administrative Override variation and IP scope, you may not see a warning message when you change from using the original Web Filter profile to using the alternate profile. There is no requirement for credentials from the user so, if allowed, the page will just come up in the browser.

Ask

This option is available only in the “Allowed Blocked Overrides” variation and when used configures the message page to ask which scope the user wished to use. Normally, when the page appears the scope options are greyed out an not editable, but by using the ask option the option is dark and the user can choose from the choice of:

  • User
  • User Group
  • IP Address

Duration Mode

This option is available only in the “Allowed Blocked Overrides” variation. The Administrative Override sets a specified time frame that is always used for that override. The available options from the drop down menu are:

Constant

Using this setting will mean that what ever is set as the duration will be the length of time that the override will be in effect. If the Duration variable is set to 15 minutes the length of the override will always be 15 minutes. The option will be visible in the Override message page but the setting will be greyed out.

Ask

Uusing this setting will give the person the option of setting the duration to the override when it is engaged. The duration time which is greyed out if the Constant setting is used will be dark and editable. The user can set the duration in terms of Day, Hours and or Minutes.

Duration

Duration is on of the areas where the two variations takes a different approach, on two aspects of the setting. As already indicated the “Administrative Override” only uses a static time frame there is no option for the user to select on the fly how long it will last. The other way in which the two variation differ is that the “Allow Blocked Overrides” starts the clock when the user logs in with his credentials. For example, if the duration is 1 hour and John initiates an override at 2:00 p.m. on January 1, at the end of that hour he will revert back to using the original profile but he can go back and re-authenticate and and start the process over again. The Administrative override variation starts the clock from when the override was configured, which is why is shows an expiration date and time when your are configuring it.

This option, which is available when the Duration Mode is set to Constant is the time in minutes that the override will last when engaged by the user.

When setting up a constant duration in the Web Based Interface, minutes is the only option for units of time. To set a longer time frame or to use the units of hours or days you can use the CLI.

config webfilter profile edit <name of webfilter profile> config override set ovrd-dur <###d##h##m> end

When configuring the duration you don’t have to set a value for a unit you are not using. If you are not using days or hours you can use

set ovrd-dur 30m

instead of

set ovrd-dur 0d0h30m

However, each of the units of time variable has their own maximum level

###d cannot be more than 364

##h cannot be more than 23

##m cannot be more than 59

So the maximum length that the override duration can be set to is 364 days, 23 hours, and 59 minutes(a minute shy of 1 year)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.