Web content filter of webfilter

Web content filter of webfilter

You can control access to web content by blocking web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards and Perl regular expressions to match content on web pages. You can use multiple web content filter lists and select the best web content filter list for each web filter profile.

Pattern type

When you have created the web filter content list, you need to add web content patterns to it. There are two types of patterns: wildcard and regular expression.

Wildcard

Use the wildcard setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches fortinet.com and forticare.com. The * represents any character appearing any number of times.

Regular expression

Use the regular expression setting to block or exempt patterns of Perl expressions which use some of the same symbols as wildcard expressions but for different purposes. In regular expressions, * represents the character before the symbol. For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i appearing any number of times.

The maximum number of web content patterns in a list is 5000.

Content evaluation

The web content filter feature scans the content of every web page that is accepted by a security policy. The system administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases found on that page. If the sum is higher than a threshold set in the web filter profile, FortiGate blocks the page.

The default score for web content filter is 10 and the default threshold is 10. This means that by default, a web page is blocked by a single match.

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.
  • The score for any word in a phrase without quotation marks is counted. l The score for a phrase in quotation marks is counted only if it appears exactly as written.

Sample of applying banned pattern rules

The following table is an example of how rules are applied to the contents of a web page. For example, a web page contains only this sentence:

The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.

Banned

pattern

Assigned score Score added to the sum for the entire page Threshold score Comment
word 20 20 20 Appears twice but only counted once. Web page is blocked.
word phrase 20 40 20 Each word appears twice but only counted once giving a total score of 40. Web page is blocked.
word sentence 20 20 20 “word” appears twice, “sentence” does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.
“word sentence” 20 0 20 This phrase does not appear exactly as written. Web page is allowed.
“word or phrase” 20 20 20 This phrase appears twice but is counted only once. Web page is blocked.

Sample configuration

To configure web content filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter
  2. Enable Content Filter to display its options.
  3. Select Create New to display the content filter options.
  4. For Pattern Type, select RegularExpression and enter fortinet in the Pattern
    • Leave Language as Western. l Set Action to Block.
    • Set Status to Enable.
  5. Select OK to see the updated Static URL Filter
  6. Validate the configuration by visiting a website with the word fortinet, for example, www.fortinet.com. The website is blocked and a replacement page displays.

To configure web content filter in the CLI:

  1. Create a content table:

config webfilter content

edit 1                           <– the id of this content

set name “webfilter”

config entries

edit “fortinet”            <– the banned word set pattern-type regexp  <– the type is regular expression set status enable set lang western

set score 10             <– the score for this word is 10 set action block

next

end

next end

  1. Attach the content table to the webfilter profile:

config webfilter profile

edit “webfilter”

config web

set bword-threshold 10  <– the threshold is 10

set bword-table 1       <– the id of content table we created in the previous step

end

config ftgd-wf

unset options

end

next end

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.