FortiOS 6 – Web Filtering

Web filtering example

Web filtering is particularly important for protecting school-aged children. There are legal issues associated with improper web filtering as well as a moral responsibility to keep children from viewing inappropriate material. The key is to design a web filtering system in such a way that students and staff do not fall under the same web filter profile in the FortiGate configuration. This is important because the staff may need to access websites that are off limits to the students.

School district

The background for this scenario is a school district with more than 2,300 students and 500 faculty and staff in a preschool, three elementary schools, a middle school, a high school, and a continuing education center. Each elementary school has a computer lab and the high school has three computer labs with connections to the Internet. Such easy access to the Internet ensures that every student touches a computer every day.

With such a diverse group of Internet users, it was not possible for the school district to set different Internet access levels. This meant that faculty and staff were unable to view websites that the school district had blocked. Another issue was the students’ use of proxy sites to circumvent the previous web filtering system. A proxy server acts as a go-between for users seeking to view web pages from another server. If the proxy server has not been blocked by the school district, the students can access the blocked website.

When determining what websites are appropriate for each school, the district examined a number of factors, such as community standards and different needs of each school based on the age of the students.

The district decided to configure the FortiGate web filtering options to block content of an inappropriate nature and to allow each individual school to modify the options to suit the age of the students. This way, each individual school was able to add or remove blocked sites almost immediately and have greater control over their students’ Internet usage.

In this simplified example of the scenario, the district wants to block any websites with the word example on them, as well as the website www.example.com. The first task is to create web content filter lists for the students and the teachers.

Create a Web Filter profile for the students

  1. Go to Security Profiles > Web Filter.
  2. Select Create New.
  3. Enter the name “Students” in the name field.
  4. Enable FortiGuard Categories.
  5. Set the following categories to Block:
    • Potentially Liable
    • Adult/Mature Content
    • Security Risk
  6. Go to Search Engines and expand the section if necessary. Enable Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex.
  7. In the Static URL Filter section, enable URL Filter.
    1. Select Create New.
    2. In the URL field, enter *example*.*
    3. For the Type field, select Wildcard.
    4. For the Action field, select Block.
    5. For the Status field, check Enable.
    6. Select OK.
  8. In the Static URL Filter section, enable Web Content Filter.
    1. In the Web Content Filter widget, select Create New.
    2. For the Pattern Type field, select Expression.
    3. In the Pattern field, enter “example”.
    4. For the Language field, choose Western.
    5. For the Action field, select Block.
    6. For the Status field, check Enable.
    7. Select OK.
  9. Enable Rate URLs by Domain and IP Address.
  10. Disable Allow websites when a rating error occurs.
  11. Check Rate Images by URL (Blocked images will be replaced with blanks).
  12. Select Apply.

Create a Web Filter for the teachers

It might be more efficient if the Teacher Web Content List included the same blocked content as the student list. From time to time a teacher might have to view a blocked page. It would then be a matter of changing the Action from Block to Allow as the situation required. The following filter shows how this could be set up for the teachers, allowing them to see the “example” content if needed while still blocking inappropriate material.

  1. Go to Security Profiles > Web Filter.
  2. Select Create New.
  3. Enter the name “Teachers” in the name field.
  4. Enable FortiGuard Categories.
  5. Set the following categories to Block:
    • Potentially Liable
    • Adult/Mature Content
    • Security Risk
  6. Go to Search Engines and expand the section if necessary. Enable Search Engine Safe Search on Google, Yahoo!, Bing, Yandex.
  7. In the Static URL Filter section, check Enable URL Filter.
    1. Select Create New.
    2. In the URL field, enter *example*.*
    3. For the Type field, select Wildcard.
    4. For the Action field, select Block.
    5. For the Status field, check Enable.
    6. Select OK.
  8. In the Static URL Filter section, check Enable Web Content Filter.
    1. In the Web Content Filter widget, select Create New.
    2. Enter the name “Teachers” in the name field.
    3. For the Pattern Type field, select Expression.
    4. In the Pattern field, enter “example”.
    5. For the Language field, choose Western.
    6. For the Action field, select Exempt.
    7. For the Status field, check Enable.
    8. Select OK.
  9. Check Rate URLs by Domain and IP Address.
  10. Check Rate Images by URL (Blocked images will be replaced with blanks).
  11. Select OK.
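The following is an added example, not part of the original article or of FortiOS: a small Python model for checking, before rollout, which requests the static entries in the Students and Teachers profiles would block. It assumes the URL is matched as host plus path without the scheme, that wildcard entries behave like case-insensitive globs, and that the URL filter is evaluated before the content filter; FortiGuard categories are not modelled, and the sample requests are constructed.

```python
import re
from fnmatch import fnmatchcase

# Static entries from the two profiles on this page (FortiGuard categories not modelled).
PROFILES = {
    "Students": {"url": [("*example*.*", "block")], "content": [("example", "block")]},
    "Teachers": {"url": [("*example*.*", "block")], "content": [("example", "exempt")]},
}

def evaluate(profile_name, url, body):
    """Return (verdict, reason) for one request under the simplified model.

    Assumptions: url is host+path without scheme, wildcard entries are matched
    glob-style and case-insensitively, and the URL filter runs before the
    content filter.
    """
    profile = PROFILES[profile_name]
    target = url.lower()
    for pattern, action in profile["url"]:
        if action == "block" and fnmatchcase(target, pattern.lower()):
            return "block", f"url filter {pattern}"
    hits = [(p, a) for p, a in profile["content"] if re.search(p, body, re.IGNORECASE)]
    if any(a == "exempt" for _, a in hits):
        return "allow", "content filter exempt"
    if hits:
        return "block", f"content filter {hits[0][0]}"
    return "allow", "no static match"

# Constructed sample requests: (url, page body)
SAMPLES = [
    ("www.example.com/", "Example Domain"),
    ("news.test/story.html", "For example, the council voted on Tuesday."),
    ("news.test/example", "Nothing of note here."),
    ("docs.test/index.html", "Term dates and lunch menus."),
]

def report():
    """Verdicts for every sample under both profiles."""
    return [(url, evaluate("Students", url, body)[0], evaluate("Teachers", url, body)[0])
            for url, body in SAMPLES]

if __name__ == "__main__":
    for url, student, teacher in report():
        print(f"{url:24} students={student:6} teachers={teacher}")
```

Under these assumptions www.example.com stays blocked for teachers as well, because the Exempt action applies only to the content pattern, and a URL such as news.test/example is not caught by `*example*.*` because no dot follows the word.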

To create a security policy for the students

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select the policy being used to manage student traffic.
  3. Enable Web Filter.
  4. Select Students from the web filter drop-down list.
  5. Select OK.

To create a security policy for Teachers

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select the policy being used to manage teacher traffic.
  3. Enable Web Filter.
  4. Select Teachers from the web filter drop-down list.
  5. Select OK.
  6. Make sure that the student policy is in the sequence before the teachers’ policy.

3 thoughts on “FortiOS 6 – Web Filtering

    1. Mike Post author

      Back up the config and nitpick through it. Be sure the FortiGates are running the same version of code though!
