Category Archives: Administration Guides

File filter for webfilter

File filter for webfilter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Web filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. Currently, File Filtering in Web filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Web filter profile supports the following file types:

File Type Name Description
all Match any file
7z Match 7-zip files
arj Match arj compressed files
cab Match Windows cab files
lzh Match lzh compressed files
rar Match rar archives
tar Match tar files
zip Match zip files
bzip Match bzip files
gzip Match gzip files
bzip2 Match bzip2 files
xz Match xz files
bat Match Windows batch files
msc Match msc files
uue Match uue files
mime Match mime files
base64 Match base64 files
binhex Match binhex files

 

File Type Name Description
bin Match bin files
elf Match elf files
exe Match Windows executable files
hta Match hta files
html Match html files
jad Match jad files
class Match class files
cod Match cod files
javascript Match javascript files
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg Match fsg files
upx Match upx files
petite Match petite files
aspack Match aspack files
prc Match prc files
sis Match sis files
hlp Match Windows help files
activemime Match activemime files
jpeg Match jpeg files
gif Match gif files
tiff Match tiff files
png Match png files
bmp Match bmp files
ignored Match ignored files
unknown Match unknown files
mpeg Match mpeg files
mov Match mov files
mp3 Match mp3 files
wma Match wma files
File Type Name Description
wav Match wav files
pdf Match pdf files
avi Match avi files
rm Match rm files
torrent Match torrent files
msi Match Windows Installer msi bzip files
mach-o Match Mach object files
dmg Match Apple disk image files
.net Match .NET files
xar Match xar archive files
chm Match Windows compiled HTML help files
iso Match ISO archive files
crx Match Chrome extension files

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Web filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Web filter profile.

To block or log a file type, configure file filter entries. Within each entry, specify a file-type, action (log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will take precedence over log.

In the CLI example below, we want to file filter the following using Web filter profile:

  1. Block PDFs from entering our leaving our network (filter1).
  2. Log the download of some graphics file-types via HTTP (filter2).
  3. Block EXE files from leaving to our network via FTP (filter3).
config webfilter profile edit “webfilter-file-filter” config file-filter  
set status enable filtering <– Allow user to disable/enable file
set log enable file filtering <– Allow user to disable/enable logging for
set scan-archive-contents enable such as ZIP, RAR etc. config entries edit “filter1” <– Allow scanning of files inside archives
set comment “Block PDF files”

set protocol http ftp     <– Inspect HTTP and FTP traffic set action block <– Block file once file type is matched

set direction any <– Inspect both incoming and outgoing traffic set encryption any    <– Inspect both encrypted and un-encrypted

files set file-type “pdf” <– Choosing the file type to match next edit “filter2” set comment “Log graphics files”

set protocol http <– Inspect only HTTP traffic set action log   <– Log file once file type is matched set direction incoming <– Only inspect incoming traffic set encryption any

set file-type “jpeg” “png” “gif” <– Multiple file types can be configured

in a single entry

next edit “filter3” set comment “Block upload of EXE files”

set protocol ftp  <– Inspect only FTP traffic set action log

set direction outgoing   <– Inspect only outgoing traffic set encryption any set file-type “exe”

next

end

end

end

After configuring File Filter in Webfilter profile we must apply it to a firewall policy using the following command:

config firewall policy edit 1 set name “client-to-internet” set srcintf “dmz” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set utm-inspection-mode proxy set logtraffic all set webfilter profile “webfilter-filefilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Log Example

GUI > VDOM > Log & Report > Web Filter:

External resources for webfilter

External resources for webfilter

Introduction

External Resources is a new feature introduced in FortiOS 6.0, which provides a capability to import an external blacklist which sits on an HTTP server. This feature helps FortiGate retrieve a dynamic URL/Domain Name/IP Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as web filter’s remote categories, DNS filter’s remote categories, policy address objects or AntiVirus profile’s malware definitions. If the external resource is updated, FortiGate objects will update dynamically.

External Resource are categorized into 4 types:

  • URL list (Type=category) l Domain Name List (Type=domain) l IP Address list (Type=address) l Malware hash list (Type=malware)

For Web Filter profile, it can use category type external resources. Category type external resources file is a URL entries list in a plain text file.

When a category type external resource is configured in Web Filter profile, it will be treated as a Remote Category. If the URL in a HTTP/HTTPS request matches the entry inside this external resource file, it will be treated as the Remote Category and follow the action configured for this category in Web Filter profile.

External resource type category also can be used in ssl-ssh-profile configuration for category-based SSL-Exempt. When a Remote Category is configured in ssl-ssh-profile SSL-Exempt, if a HTTPS request’s URL matches in the Remote Category’s entry list, HTTPS request with destination for this URL can be exempted from SSL Deep Inspection. External Resources File Format

External Resources File should follow the following requirements:

  • The external resource file is a plain text format file and each URL list/IP Address/Domain Name occupies a single line. l The file is limited to 10M, line is limited 128K (128 x 1024 entries), and the line length limit is 4K characters. l The entries limited also follow table size limitation defined by CMDB per model. l The external resource update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
  • The external resource type as category (URL list) and domain (Domain Name list) share the category number range 192-221 (total 30 categories). l There’s no duplicated entry validation for external resources file (entry inside each file or inside different files).

For URL list (Type=category):

Scheme is optional, and will be truncated if found (http://, https:// is not needed).

Wildcard (*) is supported (from 6.2). It supports the ‘*’ at beginning and ending of URL, and not in the middle of URL as follows:

+ support *.domain2.com, domain.com.* + not support: domain3.*.com IDN (International Domain Name) and UTF encoding URL is supported (from 6.2).

IPv4,IPv6 format URL is supported. IPv6 in URL list must in [ ] form.

Configure External Resources from CLI

We can use CLI to configure the external resources files that is located on external HTTP Server. Under Global, configure the external resource file location and specify the resource type.

Web Filter will use category type external resources as Remote Categories. In the following example, it is configured a file Ext-Resource-Type-as-Category-1.txt as type as category, it will be treated in Web Filter as Remote Category, the category name configured as Ext-Resource-Type-as-Category-1 and category-id as 192:

config system external-resource edit “Ext-Resource-Type-as-Category-1”

set type category <—-

set category 192 <—-

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Category-

1.txt” set refresh-rate 1

next

end

Now in each VDOM, category type external resource can be used in Web Filter as Remote Cateogry. In the example above, URL list in “Ext-Resource-Type-as-Category-1.txt” file will be treated as remote category (category-id 192). Configure the action for this remote category in Web Filter profile and apply it in the policy:

config webfilter profile edit “webfilter” config ftgd-wf unset options config filters edit 1 set category 2 set action warning

next ……

edit 24 set category 192 <—set action block

next edit 25 set category 221 set action warning

next edit 26 set category 193

next

end

end

set log-all-url enable

next

end

config firewall policy edit 1 set name “WebFilter” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set logtraffic all set webfilter-profile “webfilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Configure External Resources from GUI

Configure, edit or view the Entries for external resources from GUI.

  1. GUI > Global > Fabric Connectors page:
  2. GUI > Global > Fabric Connectors page > Create New. Click Create New button, and select Threat Feeds Type FortiGuard
  3. GUI > Global > Fabric Connectors page. Enter the Resource Name, URL Location of the resource file, resource authentication credential, Refresh Rate or comment, and click OK to finish the Threat Feeds configuration.
  4. GUI > Global > Fabric Connectors page. After a few minutes, double-click the Threat Feeds Object you just configured. It is shown in the Edit Click View Entries to view the entry list in the external resources file:
  5. GUI > VDOM > Web Filter Profile page. The configured external resources is shown and configured in each Web

Filter Profile:

Log Example

If a HTTP/HTTPS request URL matched in Remote Category’s entry list, it will override its original FGD URL rating and it is treated as Remote Category.

GUI > VDOM > Log & Report > Web Filter:

CLI Example:

1: date=2019-01-18 time=15:49:15 logid=”0316013056″ type=”utm” subtype=”webfilter” eventtype=”ftgd_blk” level=”warning” vd=”vdom1″ eventtime=1547855353 policyid=1 sessionid=88922 srcip=10.1.100.18 srcport=39886 srcintf=”port10″ srcintfrole=”undefined” dstip=216.58.193.67 dstport=443 dstintf=”port9″ dstintfrole=”undefined” proto=6 service=”HTTPS” hostname=”www.fortinet.com” profile=”webfilter” action=”blocked” reqtype=”direct” url=”/” sentbyte=752 rcvdbyte=10098 direction=”outgoing” msg=”URL belongs to a denied category in policy” method=”domain” cat=192 catdesc=”Ext-Resource-Type-as-Category-1″

Remote Category in ssl-ssh-profile category-based SSL-Exempt

Remote Category can be applied in ssl-ssh-profile category-based SSL-Exempt.

GUI > VDOM > Security Profiles > SSL/SSH Inspection:

HTTPS Request URL matched in this Remote Category will be exempted from SSL Deep Inspection.

Log example:

3: date=2019-01-18 time=16:06:21 logid=”0345012688″ type=”utm” subtype=”webfilter” eventtype=”ssl-exempt” level=”information” vd=”vdom1″ eventtime=1547856379 policyid=1 sessionid=90080 srcip=10.1.100.18 srcport=39942 srcintf=”port10″ srcintfrole=”undefined” dstip=216.58.193.67 dstport=443 dstintf=”port9″ dstintfrole=”undefined” proto=6 service=”HTTPS” hostname=”www.fortinet.com” profile=”webfilter” action=”passthrough” reqtype=”direct” url=”/” sentbyte=517 rcvdbyte=0 direction=”outgoing” msg=”The SSL session was exempted.” method=”domain” cat=192 catdesc=”Ext-Resource-Type-as-Category-1″ urlsource=”exempt_type_user_cat”

Local Category and Remote Category Priority

Web Filter can have both local category and remote category at the same time. There’s no duplication check between local category URL override and remote category resource file. For example, a URL like www.example.com may be shown both in remote category entry list and in FortiGate’s local category URL override configuration. We recommend avoiding this scenario since FortiGate does not check for duplicates. However, if a URL is duplicated in both local category and remote category, it is rated as local category.

Advanced Filters 2

Advanced Filters 2

Safe search

This feature applies to popular search sites and prevents explicit websites and images from appearing in search results.

Supported search sites are: l Google l Yahoo l Bing l Yandex

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Search Engines
  2. Enable Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set safe-search url

end

next

end

YouTube education filters

Use these features to limit users’ access to YouTube channels, such as in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature lets schools access educational videos on YouTube EDU and to specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content such as Restrict YouTube content available to G Suite users. At this time, the options Google offers to restrict inappropriate content includes: DNS, HTTP headers, and Chromebooks..

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Search Engines
  2. Enable Restrict YouTube Access and select Strict or Moderate.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set youtube-restrict strict end

next

end

YouTube channel filtering

This web filtering feature is also called Restrict YouTube access to specific channels. Use this feature to block or only allow matching YouTube channels.

The following identifiers are used: given <channel-id>, affect on: www.youtube.com/channel/<channel-id> www.youtube.com/user/<user-id> matches channel-id from <meta itemprop=”channelId” content=”UCGzuiiLdQZu9wxDNJHO_JnA”>

www.youtube.com/watch?v=<string> matches channel-id from <meta itemprop=”channelId” content=”UCGzuiiLdQZu9wxDNJHO_JnA”>

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options
  2. Enable Restrict YouTube access to specific channels.
  3. Select Create New and specify the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.
  4. Select OK and the option shows the Channel ID and its Link.

To enable this feature in the CLI:

config webfilter profile  edit “webfilter”

set youtube-channel-status whitelist <– whitlist: only allow the traffic belongs to this channel id and relative identifiers

blacklist: only block the traffic belongs to

this channel id and relative identifiers and allow the other traffic pass  config youtube-channel-filter

edit 1

set channel-id “UCGzuiiLdQZu9wxDNJHO_JnA”  next

end

next end

Log all search keywords

Use this feature to log all search phrases.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Search Engines
  2. Enable Log all search keywords.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set log-search enable

end

next

end

Restrict Google account usage to specific domains

Use this feature to block access to some Google accounts and services while allowing access to accounts in the domains in the exception list.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options
  2. Enable Restrict Google account usage to specific domains.
  3. Select the + button and enter the domains that Google can access, for example, www.fortinet.com.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST Action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading to a web server.

The action options are Allow or Block. The default is Allow.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options
  2. For HTTP POST Action, select Allow or Block.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” set post-action [normal/block] config ftgd-wf unset options

end

next end

Remove Java applets, remove ActiveX, and remove cookies

The Remove Java Applets feature filters java applets from web traffic. Websites using java applets might not function properly if you enable this filter.

The Remove ActiveX feature filters ActiveX scripts from web traffic. Websites using ActiveX might not function properly with if you enable this filter.

The Remove Cookies feature filters cookies from web traffic. Websites using cookies might not function properly if you enable this filter.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options
  2. Select the filters you want to use: Remove Java Applets, Remove ActiveX, and/or Remove Cookies.

To enable this feature in the CLI:

config webfilter profile  edit “webfilter”

set options activexfilter cookiefilter javafilter <– enable one or more of activexfilter cookiefilter javafilter.

config ftgd-wf

unset options

end

next end

Advanced Filters 1

Advanced Filters 1

Block malicious URLs discovered by FortiSandbox

To use this feature, you must be registered to a FortiSandbox and be connected to it.

This feature blocks malicious URLs that FortiSandbox finds.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter
  2. Enable Block malicious URLs discovered by FortiSandbox.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set blacklist enable end

next

end

Allow websites when a rating error occurs

If you don’t have a FortiGuard license but you have enabled services that need a FortiGuard license, such as FortiGuard filter, then you’ll get a rating error message.

Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options
  2. Enable Allow websites when a rating erroroccurs.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config ftgd-wf set options error-allow

end

next

end

Rate URLs by domain and IP address

If you enable this feature, in addition to only sending domain information to FortiGuard for rating, FortiGate always sends both the URL domain name and the TCP/IP packet’s IP address (except for private IP addresses) to FortiGuard for the rating.

FortiGuard server might return a different category of IP address and URL domain. If they are different, FortiGate uses the rating weight of the IP address or domain name to determine the rating result and decision. This rating weight is hard-coded in FortiGate.

For example, if we use a spoof IP of Google as www.irs.gov, FortiGate will send both the IP address and domain name to FortiGuard to get the rating. In this example, we get two different ratings, one is search engine and portals which belongs to the IP of Google, another is government and legal organizations which belongs to www.irs.gov. As the search engine and portals has a higher weight than government and legal organizations, this traffic will be rated as search engine and portals and not rated as government and legal organizations.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options
  2. Enable Rate URLs by domain and IP address.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config ftgd-wf set options rate-server-ip

end

next

end

Block invalid URLs

Use this feature to block websites when their SSL certificate CN field does not contain a valid domain name.

For example, this option blocks URLs which contains spaces. If there is a space in the URL, it must be written as: http://www.example.com/space%20here.html.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter
  2. Enable Block invalid URLs .

To enable this feature in the CLI:

config webfilter profile edit “webfilter” set options block-invalid-url

next

end

Rate images by URL

This feature enable FortiGate to retrieve ratings for individual images in addition to websites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced with blank placeholders. These image file types are rated: GIF, JPEG, PNG, BMP, and TIFF.

This feature requires a valid FortiGuard license, otherwise rating errors will occur. By default, this feature is enabled.

For example, if the Other Adult Materials category is blocked, before enabling Rate images by URL, the image is not blocked:

After enabling Rate images by URL, images in the Other Adult Materials category are blocked. For example:

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options
  2. Enable Rate images by URL.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config ftgd-wf unset options set rate-image-urls enable

end

next

end

Web content filter of webfilter

Web content filter of webfilter

You can control access to web content by blocking web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards and Perl regular expressions to match content on web pages. You can use multiple web content filter lists and select the best web content filter list for each web filter profile.

Pattern type

When you have created the web filter content list, you need to add web content patterns to it. There are two types of patterns: wildcard and regular expression.

Wildcard

Use the wildcard setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches fortinet.com and forticare.com. The * represents any character appearing any number of times.

Regular expression

Use the regular expression setting to block or exempt patterns of Perl expressions which use some of the same symbols as wildcard expressions but for different purposes. In regular expressions, * represents the character before the symbol. For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i appearing any number of times.

The maximum number of web content patterns in a list is 5000.

Content evaluation

The web content filter feature scans the content of every web page that is accepted by a security policy. The system administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases found on that page. If the sum is higher than a threshold set in the web filter profile, FortiGate blocks the page.

The default score for web content filter is 10 and the default threshold is 10. This means that by default, a web page is blocked by a single match.

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.
  • The score for any word in a phrase without quotation marks is counted. l The score for a phrase in quotation marks is counted only if it appears exactly as written.

Sample of applying banned pattern rules

The following table is an example of how rules are applied to the contents of a web page. For example, a web page contains only this sentence:

The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.

Banned

pattern

Assigned score Score added to the sum for the entire page Threshold score Comment
word 20 20 20 Appears twice but only counted once. Web page is blocked.
word phrase 20 40 20 Each word appears twice but only counted once giving a total score of 40. Web page is blocked.
word sentence 20 20 20 “word” appears twice, “sentence” does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.
“word sentence” 20 0 20 This phrase does not appear exactly as written. Web page is allowed.
“word or phrase” 20 20 20 This phrase appears twice but is counted only once. Web page is blocked.

Sample configuration

To configure web content filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter
  2. Enable Content Filter to display its options.
  3. Select Create New to display the content filter options.
  4. For Pattern Type, select RegularExpression and enter fortinet in the Pattern
    • Leave Language as Western. l Set Action to Block.
    • Set Status to Enable.
  5. Select OK to see the updated Static URL Filter
  6. Validate the configuration by visiting a website with the word fortinet, for example, www.fortinet.com. The website is blocked and a replacement page displays.

To configure web content filter in the CLI:

  1. Create a content table:

config webfilter content

edit 1                           <– the id of this content

set name “webfilter”

config entries

edit “fortinet”            <– the banned word set pattern-type regexp  <– the type is regular expression set status enable set lang western

set score 10             <– the score for this word is 10 set action block

next

end

next end

  1. Attach the content table to the webfilter profile:

config webfilter profile

edit “webfilter”

config web

set bword-threshold 10  <– the threshold is 10

set bword-table 1       <– the id of content table we created in the previous step

end

config ftgd-wf

unset options

end

next end

Quota of webfilter

Quota of webfilter

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific bandwidth, and is calculated separately for each user. Quotas are reset everyday at midnight.

Quotas can be set only for the actions of Monitor, Warning, or Authenticate. When the quota is reached, the traffic is blocked and the replacement page displays.

Sample topology

Sample configuration of setting a quota

This example shows setting a time quota for a category, for example, the Education category.

To configure a quota in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter
  2. Open the General Interest -Personal section by selecting the + icon beside it.
  3. Select Education and then select Monitor.
  4. In the Category Usage Quota section, select Create New.
  5. In the right pane, select the Category field and then select Education.
  6. For the Quota Type, select Time and set the Total quota to 5 minute(s).
  7. Select OK and the Category Usage Quota section displays the quota.
  8. Validate the configuration by visiting a website in the education category, for example https://www.harvard.edu/.

You can view websites in the education category.

  1. Check the used and remaining quota in Monitor> FortiGuard Quota.
  2. When the quota reaches its limit, traffic is blocked and the replacement page displays.

To configure a quota in the CLI:

config webfilter profile edit “webfilter” config ftgd-wf

unset options

config filters

edit 1

set category 30 <– the id of education category  next

end

config quota

edit 1

set category 30

set type time

set duration 5m

next

end end

next

end

FortiGuard filter of webfilter

FortiGuard filter of webfilter

To use this service, you must have a valid subscription on your FortiGate.

FortiGuard filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories that users can allow or block.

FortiGuard web filtering services includes over 45 million individual website rating that applies to more than two billion pages. When FortiGuard filter is enabled in a webfilter and is applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

FortiGuard webfilter action

You can select one of the following FortiGuard webfilter actions:

FortiGuard webfilter Action Description
Allow Permit access to the sites in the category.
Block Prevent access to the sites in the category. Users trying to access a blocked site sees a replacement message indicating the site is blocked.
Monitor Permits and logs access to sites in the category. You can enable user quotas when you enable this action.
Warning Displays a message to the user allowing them to continue if they choose.
Authenticate Requires the user to authenticate with the FortiGate before allowing access to the category or category group.

FortiGuard webfilter categories

FortiGuard has many webfilter categories including two local categories and a special remote category. For more information on the different categories, see the table below.

FortiGuard webfilter category Where to find more information
All URL categories https://fortiguard.com/webfilter/categories.
Remote category External resources for webfilter on page 329.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of local category and not external or FortiGuard built-in category.

Sample configuration of blocking a web category

This example shows blocking a website based on its category (rating), for example, information technology.

To block a category in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter
  2. Open the General Interest -Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Block.

To block a category in the CLI:

config webfilter profile

edit “webfilter”

config ftgd-wf

unset options

config filters

edit 1

set category 52    <– the pre-set id of “information technology” caterogy

set action block   <– set action to block  next

end

end

next end

To validate that you have blocked a category:

  1. Go to a website belonging to the blocked category, for example, www.fortinet.com, and you see a blocked page and the category that is blocked.

To view the log of a blocked website in the GUI:

  1. Go to Log & Report > Web Filter.

To view the log of a blocked website in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=13:46:25 logid=”0316013056″ type=”utm” subtype=”webfilter” eventtype=”ftgd_blk” level=”warning” vd=”vdom1″ eventtime=1555965984972459609 policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf=”wan2″ srcintfrole=”wan” dstip=54.183.57.55 dstport=80 dstintf=”wan1″ dstintfrole=”wan” proto=6 service=”HTTP” hostname=”www.fortinet.com” profile=”webfilter” action=”blocked” reqtype=”direct” url=”/” sentbyte=386 rcvdbyte=0 direction=”outgoing” msg=”URL belongs to a denied category in policy” method=”domain” cat=52 catdesc=”Information Technology”

Sample configuration of issuing a warning

This example shows issuing a warning when a user visits a website based on its category (rating), for example, information technology.

To configure a warning in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter
  2. Open the General Interest -Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Warning.
  4. Set the Warning Interval which is the interval when the warning page appears again after the user chooses to continue.

To configure a warning in the CLI:

config webfilter profile edit “webfilter” config ftgd-wf unset options config filters edit 1 set category 52

set action warning  <– set action to warning

next

end

end

next end

To validate that you have configured the warning:

  1. Go to a website belonging to the selected category, for example, www.fortinet.com, and you see a warning page where you can choose to Proceed or Go Back.

Sample configuration of authenticating a web category

This example shows authenticating a website based on its category (rating), for example, information technology.

To authenticate a category in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter
  2. Open the General Interest -Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Authenticate.
  4. Set the Warning Interval which is the interval when the authentication page appears again after authentication.
  5. Click the + icon beside Selected User Group and select a user group. You must have a valid user group to use this feature.

To authenticate a category in the CLI:

config webfilter profile edit “webfilter” config ftgd-wf

unset options

config filters edit 1

set category 52

set action authenticate         <– set the action of authenticate set auth-usr-grp “local_group”  <– user to authenticate

next

end end

next

end

To validate that you have configured authentication:

  1. Go to a website belonging to the selected category, for example, www.fortinet.com. First, you see a warning page where you can choose to Proceed or Go Back.
  2. Click Proceed to check that the authentication page appears.
  3. Enter the username and password of the user group you selected, and click Continue.

If the credentials are correct, the traffic is allowed through.

Sample customization of the replacement page

When the FortiGuard webfilter action is Block, Warning, or Authenticate, there is a Customize option for you to customize the replace page.

To customize the replace page:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter
  2. Right-click the item and select Customize.
  3. A pane appears for you to customize the page.

URL filter of webfilter

URL filter of webfilter

URL filter is also called static URL filter. By adding specific URLs with patterns containing text and regular expressions, FortiGate can allow, block, exempt, and monitor web pages matching any specified URLs or patterns, and can display a replacement message instead.

Sample topology

Create URL filter

You can create a URL filter using the GUI or CLI. After creating the URL filter, attach it to a webfilter profile.

To create URL filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter
  2. Enable URL Filter.
  3. Under URL Filter, select Create New to display the New URL Filter
URL Filter Type Description
Simple FortiGate tries to strictly match the full context. For example, if you enter www.facebook.com in the URL field, it only matches traffic with www.facebook.com. It won’t match facebook.com or message.facebook.com.

When FortiGate finds a match, it performs the selected URL Action.

URL Filter Type Description
Regular

Expression or

Wildcard

FortiGate tries to match the pattern based on the rules of regular expressions or wildcards. For example, if you enter *fa* in the URL field, it matches all the content that has fa such as www.facebook.com, message.facebook.com, fast.com, etc.

When FortiGate finds a match, it performs the selected URL Action.

For more information, see the URL Filter expressions technical note in https://kb.fortinet.com/kb/documentLink.do?externalID=FD37057.

URL Filter Action Description
Block Denies or blocks attempts to access any URL matching the URL pattern. FortiGate displays a replacement message.
Allow The traffic is passed to the remaining FortiGuard webfilters, web content filters, web script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not appear in the URL list, the traffic is permitted.
Monitor The traffic is processed the same way as the Allow action. For the Monitor action, a log message is generated each time a matching traffic pattern is established.
Exempt The traffic is allowed to bypass the remaining FortiGuard webfilters, web content filters, web script filters, antivirus scanning, and DLP proxy operations
  1. For example, enter *facebook.com and select Wildcard and Block; and select OK.

After creating the URL filter, attach it to a webfilter profile.

Create URL filter using CLI

To create and enable a URL filter using the CLI, create the URL filter and then attach it to a webfilter profile. The CLI commands below show the full configuration of creating a URL filter.

config webfilter urlfilter edit {id}

# Configure URL filter lists. set name {string} Name of URL filter list. size[35] config entries edit {id}

# URL filter entries. set url {string} URL to be filtered. size[511] set type {simple | regex | wildcard} Filter type (simple, regex, or wildcard).

simple    Simple URL string.

regex    Regular expression URL string.

wildcard Wildcard URL string.

set action {exempt | block | allow | monitor} Action to take for URL filter

matches. exempt Exempt matches. block      Block matches. allow   Allow matches (no log).

monitor Allow matches (with log).

set status {enable | disable} Enable/disable this URL filter.

set exempt {option} If action is set to exempt, select the security profile oper-

ations that exempt URLs skip. Separate multiple options with a space. av   AntiVirus scanning. web-content  Web filter content matching. activex-java-cookie ActiveX, Java, and cookie filtering. dlp   DLP scanning. fortiguard   FortiGuard web filtering. range-block Range block feature. pass  Pass single connection from all.

all                 Exempt from all security profiles.

set referrer-host {string} Referrer host name. size[255]

next

next

end

To create URL filter to filter Facebook using the CLI:

config webfilter urlfilter edit 1 set name “webfilter” config entries edit 1 set url “*facebook.com” set type wildcard set action block

next

end

next

end

To attach the URL filter to a webfilter profile:

config webfilter profile edit “webfilter”               <– the name of the webfilter profile config web set urlfilter-table 1 <– the URL filter created with ID number 1

end config ftgd-wf unset options

end

next

end

Attach webfilter profile to the firewall policy

After you have created the URL filter and attached it to a webfilter profile, you must attach the profile to a firewall policy.

To attach a webfilter profile to a firewall policy using the GUI:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Edit the policy that you want to enable the webfilter.
  3. In the Security Profiles section, enable Web Filter and select the profile you created.

To attach a webfilter profile to a firewall policy using the CLI:

config firewall policy edit 1 set name “WF”

set uuid b725a4d4-5be5-51e9-43fa-6d4e67d56bad

set srcintf “wan2” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set inspection-mode proxy set logtraffic all

set webfilter-profile “webfilter”    <– attach the webfilter profile you just

created. set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Validate the URL filter results

Validate the URL filter results by going to a blocked website. For example, when you go to the Facebook website, you see the replacement message.

To customize the URL web page blocked message:

  1. Go to System > Replacement Messages.
  2. Go to the Security section and select URL Block Page.
  3. Set up a custom message for blocked pages.

To check webfilter logs in the GUI:

  1. Go to Log & Report > Web Filter.
  2. If there are too many log entries, click Add Filter and select Event Type > urlfilter to display logs generated by the

URL filter.

To check webfilter logs in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=11:48:43 logid=”0315012544″ type=”utm” subtype=”webfilter” eventtype=”urlfilter” level=”warning” vd=”vdom1″ eventtime=1555958923322174610 urlfilteridx=0 urlsource=”Local URLfilter Block” policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472 srcintf=”wan2″ srcintfrole=”wan” dstip=157.240.18.35 dstport=443 dstintf=”wan1″ dstintfrole=”wan” proto=6 service=”HTTPS” hostname=”www.facebook.com” profile=”webfilter” actionn=”blocked” reqtype=”direct” url=”/” sentbyte=1171 rcvdbyte=141 direction=”outgoing” msg=”URL was blocked because it is in the URL filter list” crscore=30 craction=8 crlevel=”high”