FortiOS 6 – Web Filtering

Overriding FortiGuard website categorization

In most things there is an exception to the rule. When it comes to the rules about who is allowed to visit which websites in spite of the rules, or in this case policies, there seem to be more exceptions than for most rules. There are numerous valid reasons and scenarios for exceptions, so it follows that there needs to be a way to accommodate them.

The different methods of override

There are two different ways to override web filtering behavior based on the FortiGuard categorization of a website if you are operating in proxy-based inspection.

The second method has two variations in implementation and each of the three has a different level of granularity.

  1. Using Alternate Categories

Web Rating Overrides

This method manually assigns a specific website to a different Fortinet category or a locally created category.

  2. Using Alternate Profiles

Administrative Override or Allow users to override blocked categories

In this method, all traffic passing through the FortiGate unit under identity-based policies with a Web Filtering profile can, where configured, let specific users or IP addresses switch to an alternative Web Filter profile when they attempt to access blocked websites.

Using Alternate Categories

Web Rating Overrides

There are two approaches to overriding the FortiGuard Web Filtering. The first is an identity-based method that can be configured using a combination of identity-based policies and specifically designed webfilter profiles. This is addressed in the Firewall Handbook.

The second method is the system-wide approach that locally (on the FortiGate firewall) reassigns a URL to a different FortiGuard category or even subcategory. This is where you can assign a specific URL to the FortiGuard category that you want, or set the URL to one of the Custom Categories that you have created.

The Web Rating Overrides option exists because different people will have different criteria for how they categorize websites. Even if the criteria are the same, an organization may have reason to block the bulk of a category but still need access to specific URLs that are assigned to that category.

A hypothetical example could be that a website, example.com is categorized as being in the Sub-Category Pornography. The law offices of Barrister, Solicitor, and Lawyer do not want their employees looking at pornography at work so they have used the FortiGuard Webfilter to block access to sites that have been assigned to the Category “Pornography”. However, the owners of example.com are clients of the law office and they are aware that example.com is for artists that specialize in nudes and erotic images. In this case two approaches can be taken. The first is that the Web Rating Override function can be used to assign example.com to Nudity and Risque instead of Pornography for the purposes of matching the criteria that the law office goes by or the site can be assigned to a Custom Category that is not blocked because the site belongs to one of their clients and they always want to be able to access the site.

Another hypothetical example, from the other side of the coin: a private school has decided that a company specializing in the online sale of books that could be considered inappropriate for children because of their violent subject matter should not be accessible to anyone in the school. Fortinet categorizes the site example2.com as General Interest – Business with the subcategory Shopping and Auction, which is a category that is allowed at the school. In this case the school could reassign the site to the category Adult Material, which is a blocked category.

Local or Custom Categories

User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a web filter profile. Users can rate URLs based on the local categories.

Users can create user-defined categories and then specify the URLs that belong to each category. This allows users to block groups of websites on a per-profile basis. The ratings are included in the global URL list with their associated categories and are compared in the same way the URL block list is processed.

The local assignment of a category overrides the FortiGuard server rating and appears in reports as a "Local" category or "Custom" category depending on the context.

CLI commands

In the CLI, the term is local category.

To create a local category:

config webfilter ftgd-local-cat
    edit local_category_1
        set id 140
    next
end

To set a rating to a Local Category:

config webfilter ftgd-local-rating
    edit <url_str>
        set rating {<category_int> | <group_str>} ...
        set status {enable | disable}
    next
end
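Putting the two CLI commands together with the school scenario above, as an added example that is not from the original page: a local category is created, example2.com is rated into it, and a web filter profile blocks that category. The category id 140, the names, and the profile syntax (config ftgd-wf / config filters / set category / set action) are assumptions based on my recollection of FortiOS 6; verify them against your firmware.

```text
# Added example, not from the page. Assumes id 140 is unused and a
# web filter profile named "school-webfilter" is applied in a policy.

config webfilter ftgd-local-cat
    edit "Blocked-by-School"
        set id 140
        set status enable
    next
end

config webfilter ftgd-local-rating
    edit "example2.com"
        set rating 140
        set status enable
    next
end

config webfilter profile
    edit "school-webfilter"
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action block
                next
            end
        end
    next
end
```

The rating entry uses the exact hostname with no wildcard, matching the GUI guidance; strip the # annotation lines before pasting, since they are explanatory and not FortiOS syntax.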

GUI commands

In the GUI, Local Categories appears on the Edit Web Filter profile page and Custom Categories on the Web Rating Overrides page, if your FortiGate is using proxy-based inspection or flow-based inspection in profile-based mode. If your FortiGate is operating with flow-based inspection and policy-based NGFW mode, you will not see the Edit Web Filter profile page.

Both these features will be used to create local categories and to apply actions to them.

Creating a Local or Custom Category

  1. Go to Security Profiles > Web Rating Overrides.
  2. Select Custom Categories in the top menu bar.
  3. In the new window, click on Create New.
  4. Enter the name of the custom category.
  5. Select OK.

Configuring Web Rating Overrides

Using the GUI
  1. Go to Security Profiles > Web Rating Overrides.
  2. Select Create New
  3. Type in the URL field the URL of the Website that you wish to recategorize. Do not use wildcard expressions when typing in the URL.
  4. Select the Lookup Rating button to verify the current categorization assigned to the URL.
  5. Change the Category field to one of the more applicable options from the drop down menu, for example, one of the custom categories just created.
  6. Change the Sub-Category field to a more narrowly defined option within the main category.
  7. Select OK.

Applying an Action to a Local or Custom Category

  1. Go to Security Profiles > Web Filter.
  2. Expand the Local Categories in the list of FortiGuard categories.
  3. Right-click on a category from the list and set the action to Allow, Block, Monitor, Warning, Authenticate, or Disable.
  4. Select Apply.

You cannot apply an action to a local category when operating in flow-based NGFW policy-based mode.

Web filtering local and remote category status

The status option allows you to enable or disable FortiGuard web filtering category overrides for local and remote categories. When disabled, ssl-exempt, webfilter, and proxy-address cannot use the category. The status cannot be set to disable if it has been referenced.

Syntax

config webfilter ftgd-local-cat
    edit <name>
        set status {enable | disable}
        set id 140
    next
end

3 thoughts on “FortiOS 6 – Web Filtering”

    1. Mike (Post author)

      Backup the config and nit pick through it. Be sure the FortiGates are running the same version of code though!

