Profile
The Profile menu allows you to configure a web filter profile to apply to a firewall policy. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination.
Web profile configuration settings
The following are web filter profile configuration settings in Security Profiles > Web Filter > Profiles. If you want to configure advanced settings, such as FortiGuard web filtering overrides, you must configure these settings within the CLI.
Profile page
Lists each web filter profile that you created. On this page, you can edit, delete or create a new web filter profile. You are redirected to this page when you select View List on the Edit Web Filter Profile page.
Note: Web filtering overrides are profile-based, allowing a rule to be created that changes the web filter profile that applies to a user. An override link appears in all related blocked pages. This is available only in the CLI.
Create New | Creates a new web filter profile. When you select Create New, you are automatically redirected to the New Web Filter Profile page. |
Edit | Modifies settings within a web filter profile. When you select Edit, you are automatically redirected to the Edit Web Filter Profile page. |
Delete | Removes a web filter profile from within the list on the Profile page.
To remove multiple web filter profiles from within the list, on the Profile page, in each of the rows of the file filter lists you want removed, select the check box and then select Delete. To remove all web filter profiles from the list, on the Profile page, select the check box in the check box column and then select Delete. |
Name | The name of the web filter profile. |
Comments | A description given to the web filter profile. This is an optional setting. |
Ref. | Displays the number of times the object is referenced to other objects. For example, av_1 profile is applied to a firewall policy; on the Profile page ( Security Profiles > Antivirus > Profile), 1 appears in Ref..
To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object. To view more information about how the object is being used, use one of the following icons that is avialable within the Object Usage window: • View the list page for these objects – automatically redirects you to the list page where the object is referenced at. • Edit this object – modifies settings within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a firewall policy and so, when this icon is selected, the user is redirected to the Edit Policy page. • View the details for this object – table, similar to the log viewer table, contains information about what settings are configured within that particular setting that the object is referenced with. For example, av_1 profile is referenced with a firewall policy, and that firewall policy’s settings appear within the table. |
New Web Filter Profile page
Provides settings for configuring a web filter profile. Advanced features, such as web content filtering and FortiGuard web filtering, is configured in the CLI.
This page appears when you select Create New on the Edit Web Filter Profile page. If you are on the Profiile page, and you select Create New, you will be redirected to the New Web Filter Profile page.
Note: Logging is enabled in the CLI.
Name Enter a name for the web filter profile.
If you want to edit the name at any time, select the profile and enter a new name in the Name field. Select Apply to save the change.
Comments | Enter a description for the web filter profile. This is optional.
If you want to edit the description at any time, select the profile and enter the new description in the Comments field. Select Apply to save the change. |
Inspection mode | Select to enable either flow-based web filtering or proxy-based.
Flow-based web filtering is a non-proxy solution, which provides high concurrent session, high session rate, and low-latency web filtering service. |
FortiGuard Categories | A list of FortiGuard category groups and categories that are used to rate web sites. Selecting a category group will automatically select all of the categories within the group. For example, if you select Security Risk, you can see that all of the categories within are selected if you expand the group. You can however, select or deselect categories within groups as required. |
Show | Select an action to view all of the categories that are currently configured with the selected action. |
Change Action for Select an action, and all of the selected categories will have Selected Categories the selected action applied. Selected category groups will to have the action applied to all categories within the group.
Quota on
Categories |
Users can have their web browsing time limited by category through the use of quotas. Quotas can be applied only to categories that are configured with the Monitor action.
If you create a quota for a single category, every authenticated user subject to the security policy in which the web filter profile is applied is limited in browsing web sites in the category to the duration you specify. If you create a single quota that includes multiple categories, the quota will apply to the categories as a whole. Quotas are ignored for unauthenticated users. To enforce quotas, configure the security policy to require authentication. |
Enable Safe Search
(Support Search Engines: Google, Yahoo and Bing) |
When enabled, the supported search engines exclude offensive material from search results. |
HTTPS Scanning | Available only on models that support HTTPS.
Select to have all of the web filtering specified in the web filter profile to HTTPS traffic as well as HTTP traffic. |
Advanced Filter | Expand this heading for advanced web filtering options. |
Web URL Filter | Enable to block access to URLs listed in the selected URL list. |
Web Resume
Download Block |
Enable to prevent the resumption of a file download where it was previously interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off.
This prevents the unintentional download of viruses hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager. |
Block Invalid URLs | Select to block web sites when their SSL certificate CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs: • If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name. • If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering. |
HTTP POST Action | Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.
The available actions include: • Normal: Allow use of the HTTP POST command as normal. • Comfort: Use client comforting to slowly send data to the web server as the FortiGate unit scans the file. Use this option to prevent a server time-out when scanning or other filtering is enabled for outgoing traffic. The client comforting settings used are those defined in the Proxy Options profile selected in the security policy. • Block: Block the HTTP POST command. This will limit users from sending information and files to web sites. When the post request is blocked, the FortiGate unit sends the http-post-block replacement message to the web browser attempting to use the command. |
Remove Java
Applet Filter |
Enable to filter java applets from web traffic. Web sites using java applets may not function properly with this filter enabled. |
Remove ActiveX
Filter |
Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly with this filter enabled. |
Remove Cookie
Filter |
Enable to filter cookies from web traffic. Web sites using cookies may not function properly with this enabled. |
Search Engine
Keyword Filter |
Enter the keywords that you want to monitor when users enter those same or similar keywords during a search within the supported search engines. |
Web Content Filter | Enable to block access to web pages that include the words included in the selected web content filter list. |
Provide Details for Blocked HTTP 4xx and 5xx Errors | Enable to have the FortiGate unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. |
Rate Images by URL (Blocked images will be replaced with blanks) | Enable to have the FortiGate retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.
Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. |
Allow Websites
When a Rating Error Occurs |
Enable to allow access to web pages that return a rating error from the FortiGuard Web Filter service.
If your FortiGate unit cannot contact the FortiGuard service temporarily, this setting determines what access the FortiGate unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites. |
Strict Blocking | This setting determines when the FortiGate unit blocks a site. Enable strict blocking to deny access to a site if any category or classification assigned to the site is set to Block. Disable strict blocking to deny access to a site only if all categories and classifications assigned to the site are set to Block.
All rated URLs are assigned one or more categories. URLs may also be assigned a classification. If Rate URLs by domain and IP address is enabled, the site URL and IP address each carry separately assigned categories and classifications. Depending on the FortiGuard rating and the FortiGate configuration, a site could be assigned to at least two categories and up to two classifications. |
Rate URLs by
Domain and IP Address |
Enable to have the FortiGate unit request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.
FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed. |
Block HTTP | Enable to block HTTP redirects. |
Redirects by Rating |
Many web sites use HTTP redirects legitimately but in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.
This option is not supported for HTTPS.