FortiOS 6 – Web Filtering

FortiGuard web filtering usage quotas

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific bandwidth, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity-based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.


The use of FortiGuard Web Filtering quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required.

Editing the web filter profile resets the quota timers for all users.

When a user first attempts to access a URL, they're prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked, and the FortiGate unit adjusts the user's remaining quota for that category or classification.

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas is:

  1. Category
  2. Category group

Configuring web filter profiles

Enabling FortiGuard web filter

FortiGuard Web Filter is enabled and configured within web filter profiles by enabling FortiGuard Categories. The service is engaged by turning on Web Filter in one or more active firewall policies and selecting a profile that has FortiGuard Categories enabled.

There is also a system wide setting for the enabling or disabling of FortiGuard Web Filter that is only in the CLI.

config system fortiguard
    set webfilter-force-off {enable | disable}
end

The two options for this setting are enable and disable. Because the setting is named "force-off", the logic is inverted: set it to disable to keep FortiGuard Web Filter running, and to enable if you want to turn FortiGuard Web Filter off system-wide.
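Two of the pitfalls above (the inverted force-off setting, and quotas being silently ignored on policies that do not require authentication) are easy to audit from a config backup. The following is an added example, not code from the original page or from Fortinet: it parses a constructed FortiOS-style config excerpt and flags both conditions. The CLI key names used in the sample (webfilter-force-off, webfilter-profile, groups, users, and the ftgd-wf/quota subtable) are assumed to match FortiOS 6 syntax and are not taken from this page.

```python
import shlex
SAMPLE_CONFIG = """
config system fortiguard
    set webfilter-force-off enable
end
config webfilter profile
    edit "wf-quota"
        config ftgd-wf
            config quota
                edit 1
                    set category 17
                next
            end
        end
    next
end
config firewall policy
    edit 1
        set webfilter-profile "wf-quota"
        set groups "staff"
    next
    edit 2
        set webfilter-profile "wf-quota"
    next
end
"""
def parse(text):
    # Nested dicts: 'config'/'edit' open a table, 'set' stores a value list, 'next'/'end' close it.
    root, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root
def audit(text):
    # Flag force-off (filtering silently off) and quota profiles on policies that need no login.
    cfg, findings = parse(text), []
    if cfg.get("system fortiguard", {}).get("webfilter-force-off") == ["enable"]:
        findings.append("webfilter-force-off enable: FortiGuard web filtering is off system-wide")
    quota_profiles = {n for n, p in cfg.get("webfilter profile", {}).items() if p.get("ftgd-wf", {}).get("quota")}
    for pid, pol in cfg.get("firewall policy", {}).items():
        prof = pol.get("webfilter-profile", [""])[0]
        if prof in quota_profiles and not (pol.get("groups") or pol.get("users")):
            findings.append(f"policy {pid}: quota profile {prof} on a policy without user authentication, quotas ignored")
    return findings
```

Running audit(SAMPLE_CONFIG) reports both findings for the constructed sample; policy 1 is not flagged because it requires group membership.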

General configuration steps

  1. Go to Security Profiles > Web Filter.
  2. Determine if you wish to create a new profile, edit an existing one, or clone and edit an existing one.
  3. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.
  4. Configure any Category Usage Quotas. (Proxy Mode)
  5. Allow blocked override if required. (Proxy Mode)
  6. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)
  7. Configure Static URL Settings. (All Modes)
  8. Configure Rating Options. (All Modes)

Configuring web filter profiles

  1. Configure Proxy Options.
  2. Save the filter and web filter profile.
  3. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

Configuring FortiGuard Web Filter settings

FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.

Getting to the Edit Web Filter Profile configuration window

Once you have gotten to the profile configuration window there are a number of settings that can be used, most of which are optional. We will treat each of these options separately, but present the common instructions of how to get to the profile editing page here.

  1. Go to Security Profiles > Web Filter.
  2. Determine if you wish to create a new profile, edit an existing one, or clone and then edit an existing one.
    New profile:
    1. Select the Create New icon, in the upper right of the window (looks like a plus sign in a circle) OR
    2. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Select the Create New icon in the upper left.
    Edit existing profile:
    1. Select the name of the profile that you wish to edit from the drop-down menu OR
    2. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Highlight the name of the profile from the list and select Edit from the options above the list.
    Clone a profile:
    1. Select the Clone icon in the upper right corner of the window (looks like one square overlapping another) OR
    2. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Highlight the name of the profile from the list and select Clone from the options above the list.
  3. Make sure there is a valid name, and add a comment if you want.
  4. Configure the settings to best achieve your specific requirements.
  5. Select Apply or OK, depending on whether you are editing, creating, or cloning a profile.

In older versions of FortiOS there was a character limitation for the URL of 2048 bytes or approximately 321 characters. If the URL you were trying to reach was longer, the URL sent to FortiGuard would be truncated and the service would be unable to categorize the site. Starting in version 5 of the firmware, the parsed URL has been increased to 4 Kilobytes, effectively doubling the length of a URL capable of being categorized.

3 thoughts on "FortiOS 6 – Web Filtering"

    1. Mike (Post author)

      Backup the config and nit pick through it. Be sure the FortiGates are running the same version of code though!
