Configuring a URL filter
Consult the Maximum Values Table on the Fortinet Document Library site for up-to-date information on the number of URL filter entries allowed for your FortiGate.
For this example, the URL www.example*.com will be used. You configure the list by adding one or more URLs to it.
To add a URL to a URL filter
- Go to Security Profiles > Web Filter.
- Create a new web filter or select an existing one to edit.
- Expand Static URL Filter, enable URL Filter, and select Create.
- Enter the URL, without the “http”, for example: example*.com.
- Select a Type: Simple, Expression, or Wildcard. In this example, select Wildcard.
- Select the Action to take against matching URLs: Exempt, Block, Allow, or Monitor.
- Confirm that Status is enabled.
- Select OK.
‘Simple’ Filter type
If you select the Simple filter type for a URL filter, the entry is matched literally (an exact match). Note, however, that the domain and path are separate entities in HTTP, even though a user types them as a single string, and in the case of ‘simple’ the matching rules for the two parts (domain and path) are different.
The ‘domain’ part
For the domain part, the goal of the ‘simple’ format is to make it easy to block a domain and all its subdomains, such that the admin only has to type “address.xy” to block “address.xy”, “www.address.xy”, “talk.address.xy”, etc. but not block “youraddress.xy” or “www.youraddress.xy” which are different domains from “address.xy”.
Also, the actual domain does not include http:// or https:// so this should not be entered or the URL filter will try to match a domain starting with http. For this reason, when you enter http:// in the URL filter via the GUI, it is automatically removed.
A trailing ‘/’ after the domain is not needed. The GUI URL filter trims it automatically, but when the per-user BWL is supplied through the API it is not trimmed!
Take this into account: it is better not to enter one, as it might give unexpected results.
The ‘path’ part
For the path part, the entry is matched as a prefix: it must match the beginning of the requested path exactly. For example:
www.address.xy/news
blocks anything that starts with that exact path, so it matches:
www.address.xy/newsies
www.address.xy/newsforyou
www.address.xy/news/co
etc.
Likewise:
www.address.xy/new
blocks everything above but additionally includes:
/newt
/newp
etc.
which is a much broader filter, matching for example:
www.address.xy/newstand/co
www.address.xy/news/co
etc.
In other words, the more of the path you specify, the more strictly it will match.
Here as well, a trailing ‘/’ after the URL path is not needed. The GUI URL filter trims it automatically, but when the per-user BWL is supplied through the API it is not trimmed!
Take this into account: it is better not to enter one, as it might give unexpected results.
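As an added illustration (not Fortinet's code), the following Python models the ‘simple’ matching rules described above for the domain part and the path part. The host check, the path prefix check and the untrimmed trailing slash (the API behaviour the text warns about) are my assumptions about how to read the description, not a statement of how FortiOS is implemented.

```python
from urllib.parse import urlsplit

# Constructed model of 'simple' URL filter matching as described on this page.
# Entries are written without a scheme, e.g. "address.xy" or "www.address.xy/news".


def split_entry(entry: str):
    """Split an entry into (domain, path). Path is '' when none was given.

    A scheme is stripped (the GUI does this too), but a trailing '/' is kept,
    mirroring the page's warning that API-supplied entries are not trimmed.
    """
    entry = entry.strip()
    for scheme in ("http://", "https://"):
        if entry.lower().startswith(scheme):
            entry = entry[len(scheme):]
    domain, sep, path = entry.partition("/")
    return domain.lower(), ("/" + path) if sep else ""


def split_request(url: str):
    """Return (host, path) of a requested URL; a bare host gets path '/'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def simple_match(entry: str, url: str) -> bool:
    """True if the requested URL is covered by a 'simple' entry.

    Domain: the host itself or any subdomain on a label boundary, so
    'address.xy' covers 'www.address.xy' but not 'youraddress.xy'.
    Path: prefix match, so '/news' covers '/newsies' and '/news/co',
    while '/new' is broader and also covers '/newt' and '/newp'.
    """
    e_domain, e_path = split_entry(entry)
    r_host, r_path = split_request(url)
    if r_host != e_domain and not r_host.endswith("." + e_domain):
        return False
    return r_path.startswith(e_path) if e_path else True
```

Note that with the trailing slash kept, the entry www.address.xy/news/ no longer covers a request for www.address.xy/news, which is one concrete form the "unexpected results" above can take.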
Referrer URL
A new variable has been added to the Static URL Filter: referrer-host. If a referrer is specified, the hostname in the Referer field of the HTTP request is compared against it for any entry whose URL matches. If the referrer matches as well, the specified action is performed by the proxy.
Configuring in the GUI
The configuration can be done in the GUI, but only if advanced web filtering features have been enabled by entering the following commands in the CLI:
config system global
    set gui-webfilter-advanced enable
end
After this command is used, a new column is available in Security Profiles > Web Filter to set the referrer.
Configuring in the CLI
When configuring a URL filter in the CLI, the filter is identified by its ID. The URL entries are listed under each filter.
To find the ID number:
config webfilter urlfilter
    edit ?
A list of the current URL filters will be listed with their ID numbers in the left column.
The syntax in the CLI for configuring an entry is:
config webfilter urlfilter
    edit <ID>
        config entries
            edit 1
                set url <url>
                set referrer-host <url>
                set type {simple | regex | wildcard}
                set action {block | allow | monitor | exempt}
                set status {enable | disable}
            end
        end
    end
config system global
    set gui-webfilter-advanced enable
doesn't exist on a FG-501E running 6.0.3?
Any easy way to export web filtering from one Gate and import it to another?
Back up the config and nitpick through it. Be sure the FortiGates are running the same version of code, though!