How to configure and apply DNS filter profile

To create or configure DNS Filter profile in the GUI:

1. Go to Security Profiles > DNS Filter.
2. You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a

new DNS filter.

To create or configure DNS Filter profile in the CLI:

config dnsfilter profile edit “demo”

set comment ” config domain-filter

unset domain-filter-table

end config ftgd-dns set options error-allow config filters

edit 2

set category 2 set action monitor

next edit 7

set category 7 set action block

next …

edit 22

set category 0 set action monitor

next end

end set log-all-domain enable set sdns-ftgd-err-log enable set sdns-domain-log enable set block-action redirect set block-botnet enable set safe-search enable set redirect-portal 93.184.216.34 set redirect-portal6 ::

set youtube-restrict strict

next

end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:

1. Go to Policy & Objects IPv4 Policy or IPv6 Policy.
2. In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:

config firewall policy edit 1 set name “Demo” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all”

set action accept set schedule “always” set service “ALL” set utm-status enable set inspection-mode proxy set logtraffic all set fsso disable set dnsfilter-profile “demo” <<<==== set profile-protocol-options “default” set ssl-ssh-profile “deep-inspection”

set nat enable

next

end

Introduction to DNS Filter

Most people who use the Internet use domain names. For example, people who access the Fortinet website type www.fortinet.com into their web browser. However, on the Internet, all websites, computers, or devices actually use IP addresses to locate the destination.

Internet uses DNS (Domain Name System) to translate domain names into IP addresses. For example, when you type www.fortinet.com into your web browser, DNS maps this domain name to Fortinet’s IP address to locate the Fortinet website on the Internet.

If you cannot see DNS Filter under Security Profiles, go to System > Feature Visibility > Security Features section and enable DNS Filter.

DNS primarily uses the UDP protocol on port 53 to serve the address resolve requests.

The FortiGate DNS Filter inspects the UDP protocol on port 53 traffic that traverse FortiGate, and based on the DNS Filter profile configuration, makes the Allow/Monitor/Block or Redirect decision for the inspected traffic.

FortiGate DNS Filter has the following features:

• FortiGuard Filtering: filtering the DNS request based on the domain’s FortiGuard rating. l Botnet C&C Domain Blocking: block the DNS request for the known Botnet C&C domains.
• External Dynamic Category Domain Filtering: define your own domain category. l DNS Safe Search: Enforce Google, Bing, and YouTube safe addresses for parental controls. l Local Domain Filter: define your own domain list to block or allow.
• External IP Block List: define your IP block list to block resolved IPs that match this list. l DNS Translation: map the resolved result to another IP you define.

Sample topology

The topics in this section use the following sample topology to explain how these DNS Filter features work and how to configure it. In this sample topology, there is an internal network and a FortiGate used as a gateway device, with all DNS traffic traversing the FortiGate.

Reliable webfilter statistics

Introduction

FortiOS 6.2.0 provides command line tools to view the webfilter statistics report. These command line tools currently fall into either proxy-based or flow-based webfilter statistics commands.

Proxy-based webfilter statistics report

l The proxy-based webfilter statistics command line tools are as follows. These commands are available in both global or per-VDOM command lines.

#diagnose wad filter <—-define the interested objects for output (global) # diag wad ? console-log   Send WAD log messages to the console. debug  Debug setting. stats       Show statistics.

filter    Filter for listing sessions or tunnels. <—-use filter to filter-out interested object and output kxp    SSL KXP diagnostics. user  User diagnostics. memory    WAD memory diagnostics.

restore   Restore configuration defaults. history   Statistics history. session   Session diagnostics. tunnel       Tunnel diagnostics. webcache  Web cache statistics. worker    Worker diagnostics. csvc   Cache service diagnostics.

#diagnose wad stat filter list/clear <—-list/clear WebFiltering/DLP statistics report l In the example below, there are two VDOMs using proxy-based policies which have webfilter profiles enabled. The command line can be used to view the proxy-based webfilter statistics report.

(global) # diag wad filter ? list   Display current filter. clear     Erase current filter settings. src      Source address range to filter by. dst     Destination address range to filter by.

sport     Source port range to filter by. dport   Destination port range to filter by. vd   Virtual Domain Name. <—-filter for per-vdom or global statistics report explicit-policy   Index of explicit-policy. -1 matches all. firewall-policy Index of firewall-policy. -1 matches all. drop-unknown-session   Enable drop message unknown sessions. negate   Negate the specified filter parameter. protocol    Select protocols to filter by.

FGT_600D-ICAP-NAT (global) # diag wad filter vd <vdom>    Virtual Domain Name. ALL   all vdoms root      vdom vdom1 vdom

FGT_600D-ICAP-NAT (global) # diag wad filter vd root <—-filter-out root vdom statistics

Drop_unknown_session is enabled.

FGT_600D-ICAP-NAT (global) # diag wad stats filter list filtering of vdom root <—-Displayed the WF statistics for root vdom

dlp          = 0     <—-Number of Reuqest that DLP Sensor processed;

content-type = 0     <—-Number of Reuqest that matching content-type filter;

overridden = 0 <—-Number of Request that be overrided to another webfilter

profile in the examined requests;

FGT_600D-ICAP-NAT (global) # diag wad filter vd vdom1 <—-filter-out vdom1 statistics

FGT_600D-ICAP-NAT (global) # diag wad stats filter list filtering of vdom vdom1 <—-Displayed the WF statistics for vdom1 dlp   = 0 content-type = 0 urls:

examined = 13 allowed = 2 blocked = 9 logged = 8 overridden = 0 FGT_600D-ICAP-NAT (global) # diag wad filter vd ALL

FGT_600D-ICAP-NAT (global) # diag wad stats filter list

filtering of all accessible vdoms <—-global statistics is sum of two VDOMs dlp     = 0 content-type = 0 urls:

examined = 19 allowed = 5 blocked = 9 logged = 8 overridden = 0

Flow-based webfilter statistics report

• The flow-based webfilter statistics command line tools are as follows. These commands are available in global command lines only.

(global) # diag test app ipsmonitor IPS Engine Test Usage:

• In the example below, there are two VDOMs using flow-based policies which have webfilter profiles enabled. The command line can be used to view the flow-based webfilter statistics report.

(global) # diag test app ipsmonitor 29 Global URLF states: request: 14 <—-Number of Requests that Flow Web-Filter(all ips engines) received; response: 14 <—-Number of Response that Flow Web-Filter(all ips engines) sent; pending: 0       <—-Number of Requests that under processing at that moment; request error: 0       <—-Number of Request that have error; response timeout: 0 <—-Number of response that ips engine not been received in-

time;

blocked: 12    <—-Number of Request that Flow Web-Filter blocked; allowed: 2  <—-Number of Request that Flow Web-Filter allowed;

File filter for webfilter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Web filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. Currently, File Filtering in Web filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Web filter profile supports the following file types:

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Web filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Web filter profile.

To block or log a file type, configure file filter entries. Within each entry, specify a file-type, action (log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will take precedence over log.

In the CLI example below, we want to file filter the following using Web filter profile:

1. Block PDFs from entering our leaving our network (filter1).
2. Log the download of some graphics file-types via HTTP (filter2).
3. Block EXE files from leaving to our network via FTP (filter3).

set direction any <– Inspect both incoming and outgoing traffic set encryption any    <– Inspect both encrypted and un-encrypted

files set file-type “pdf” <– Choosing the file type to match next edit “filter2” set comment “Log graphics files”

set protocol http <– Inspect only HTTP traffic set action log   <– Log file once file type is matched set direction incoming <– Only inspect incoming traffic set encryption any

set file-type “jpeg” “png” “gif” <– Multiple file types can be configured

in a single entry

next edit “filter3” set comment “Block upload of EXE files”

set protocol ftp  <– Inspect only FTP traffic set action log

set direction outgoing   <– Inspect only outgoing traffic set encryption any set file-type “exe”

next

end

end

end

After configuring File Filter in Webfilter profile we must apply it to a firewall policy using the following command:

config firewall policy edit 1 set name “client-to-internet” set srcintf “dmz” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set utm-inspection-mode proxy set logtraffic all set webfilter profile “webfilter-filefilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Log Example

GUI > VDOM > Log & Report > Web Filter:

External resources for webfilter

Introduction

External Resources is a new feature introduced in FortiOS 6.0, which provides a capability to import an external blacklist which sits on an HTTP server. This feature helps FortiGate retrieve a dynamic URL/Domain Name/IP Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as web filter’s remote categories, DNS filter’s remote categories, policy address objects or AntiVirus profile’s malware definitions. If the external resource is updated, FortiGate objects will update dynamically.

External Resource are categorized into 4 types:

• URL list (Type=category) l Domain Name List (Type=domain) l IP Address list (Type=address) l Malware hash list (Type=malware)

For Web Filter profile, it can use category type external resources. Category type external resources file is a URL entries list in a plain text file.

When a category type external resource is configured in Web Filter profile, it will be treated as a Remote Category. If the URL in a HTTP/HTTPS request matches the entry inside this external resource file, it will be treated as the Remote Category and follow the action configured for this category in Web Filter profile.

External resource type category also can be used in ssl-ssh-profile configuration for category-based SSL-Exempt. When a Remote Category is configured in ssl-ssh-profile SSL-Exempt, if a HTTPS request’s URL matches in the Remote Category’s entry list, HTTPS request with destination for this URL can be exempted from SSL Deep Inspection. External Resources File Format

External Resources File should follow the following requirements:

• The external resource file is a plain text format file and each URL list/IP Address/Domain Name occupies a single line. l The file is limited to 10M, line is limited 128K (128 x 1024 entries), and the line length limit is 4K characters. l The entries limited also follow table size limitation defined by CMDB per model. l The external resource update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
• The external resource type as category (URL list) and domain (Domain Name list) share the category number range 192-221 (total 30 categories). l There’s no duplicated entry validation for external resources file (entry inside each file or inside different files).

For URL list (Type=category):

Scheme is optional, and will be truncated if found (http://, https:// is not needed).

Wildcard (*) is supported (from 6.2). It supports the ‘*’ at beginning and ending of URL, and not in the middle of URL as follows:

+ support *.domain2.com, domain.com.* + not support: domain3.*.com IDN (International Domain Name) and UTF encoding URL is supported (from 6.2).

IPv4,IPv6 format URL is supported. IPv6 in URL list must in [ ] form.

Configure External Resources from CLI

We can use CLI to configure the external resources files that is located on external HTTP Server. Under Global, configure the external resource file location and specify the resource type.

Web Filter will use category type external resources as Remote Categories. In the following example, it is configured a file Ext-Resource-Type-as-Category-1.txt as type as category, it will be treated in Web Filter as Remote Category, the category name configured as Ext-Resource-Type-as-Category-1 and category-id as 192:

config system external-resource edit “Ext-Resource-Type-as-Category-1”

set type category <—-

set category 192 <—-

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Category-

1.txt” set refresh-rate 1

next

end

Now in each VDOM, category type external resource can be used in Web Filter as Remote Cateogry. In the example above, URL list in “Ext-Resource-Type-as-Category-1.txt” file will be treated as remote category (category-id 192). Configure the action for this remote category in Web Filter profile and apply it in the policy:

config webfilter profile edit “webfilter” config ftgd-wf unset options config filters edit 1 set category 2 set action warning

next ……

edit 24 set category 192 <—set action block

next edit 25 set category 221 set action warning

next edit 26 set category 193

next

end

end

set log-all-url enable

next

end

config firewall policy edit 1 set name “WebFilter” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set logtraffic all set webfilter-profile “webfilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Configure External Resources from GUI

Configure, edit or view the Entries for external resources from GUI.

1. GUI > Global > Fabric Connectors page:
2. GUI > Global > Fabric Connectors page > Create New. Click Create New button, and select Threat Feeds Type FortiGuard
3. GUI > Global > Fabric Connectors page. Enter the Resource Name, URL Location of the resource file, resource authentication credential, Refresh Rate or comment, and click OK to finish the Threat Feeds configuration.
4. GUI > Global > Fabric Connectors page. After a few minutes, double-click the Threat Feeds Object you just configured. It is shown in the Edit Click View Entries to view the entry list in the external resources file:
5. GUI > VDOM > Web Filter Profile page. The configured external resources is shown and configured in each Web

Filter Profile:

Log Example

If a HTTP/HTTPS request URL matched in Remote Category’s entry list, it will override its original FGD URL rating and it is treated as Remote Category.

GUI > VDOM > Log & Report > Web Filter:

CLI Example:

1: date=2019-01-18 time=15:49:15 logid=”0316013056″ type=”utm” subtype=”webfilter” eventtype=”ftgd_blk” level=”warning” vd=”vdom1″ eventtime=1547855353 policyid=1 sessionid=88922 srcip=10.1.100.18 srcport=39886 srcintf=”port10″ srcintfrole=”undefined” dstip=216.58.193.67 dstport=443 dstintf=”port9″ dstintfrole=”undefined” proto=6 service=”HTTPS” hostname=”www.fortinet.com” profile=”webfilter” action=”blocked” reqtype=”direct” url=”/” sentbyte=752 rcvdbyte=10098 direction=”outgoing” msg=”URL belongs to a denied category in policy” method=”domain” cat=192 catdesc=”Ext-Resource-Type-as-Category-1″

Remote Category in ssl-ssh-profile category-based SSL-Exempt

Remote Category can be applied in ssl-ssh-profile category-based SSL-Exempt.

GUI > VDOM > Security Profiles > SSL/SSH Inspection:

HTTPS Request URL matched in this Remote Category will be exempted from SSL Deep Inspection.

Log example:

3: date=2019-01-18 time=16:06:21 logid=”0345012688″ type=”utm” subtype=”webfilter” eventtype=”ssl-exempt” level=”information” vd=”vdom1″ eventtime=1547856379 policyid=1 sessionid=90080 srcip=10.1.100.18 srcport=39942 srcintf=”port10″ srcintfrole=”undefined” dstip=216.58.193.67 dstport=443 dstintf=”port9″ dstintfrole=”undefined” proto=6 service=”HTTPS” hostname=”www.fortinet.com” profile=”webfilter” action=”passthrough” reqtype=”direct” url=”/” sentbyte=517 rcvdbyte=0 direction=”outgoing” msg=”The SSL session was exempted.” method=”domain” cat=192 catdesc=”Ext-Resource-Type-as-Category-1″ urlsource=”exempt_type_user_cat”

Local Category and Remote Category Priority

Web Filter can have both local category and remote category at the same time. There’s no duplication check between local category URL override and remote category resource file. For example, a URL like www.example.com may be shown both in remote category entry list and in FortiGate’s local category URL override configuration. We recommend avoiding this scenario since FortiGate does not check for duplicates. However, if a URL is duplicated in both local category and remote category, it is rated as local category.

Advanced Filters 2

Safe search

This feature applies to popular search sites and prevents explicit websites and images from appearing in search results.

Supported search sites are: l Google l Yahoo l Bing l Yandex

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Search Engines
2. Enable Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set safe-search url

end

next

end

YouTube education filters

Use these features to limit users’ access to YouTube channels, such as in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature lets schools access educational videos on YouTube EDU and to specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content such as Restrict YouTube content available to G Suite users. At this time, the options Google offers to restrict inappropriate content includes: DNS, HTTP headers, and Chromebooks..

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Search Engines
2. Enable Restrict YouTube Access and select Strict or Moderate.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set youtube-restrict strict end

next

end

YouTube channel filtering

This web filtering feature is also called Restrict YouTube access to specific channels. Use this feature to block or only allow matching YouTube channels.

The following identifiers are used: given <channel-id>, affect on: www.youtube.com/channel/<channel-id> www.youtube.com/user/<user-id> matches channel-id from <meta itemprop=”channelId” content=”UCGzuiiLdQZu9wxDNJHO_JnA”>

www.youtube.com/watch?v=<string> matches channel-id from <meta itemprop=”channelId” content=”UCGzuiiLdQZu9wxDNJHO_JnA”>

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Proxy Options
2. Enable Restrict YouTube access to specific channels.
3. Select Create New and specify the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.
4. Select OK and the option shows the Channel ID and its Link.

To enable this feature in the CLI:

config webfilter profile  edit “webfilter”

set youtube-channel-status whitelist <– whitlist: only allow the traffic belongs to this channel id and relative identifiers

blacklist: only block the traffic belongs to

this channel id and relative identifiers and allow the other traffic pass  config youtube-channel-filter

edit 1

set channel-id “UCGzuiiLdQZu9wxDNJHO_JnA”  next

end

next end

Log all search keywords

Use this feature to log all search phrases.

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Search Engines
2. Enable Log all search keywords.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” config web set log-search enable

end

next

end

Restrict Google account usage to specific domains

Use this feature to block access to some Google accounts and services while allowing access to accounts in the domains in the exception list.

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Proxy Options
2. Enable Restrict Google account usage to specific domains.
3. Select the + button and enter the domains that Google can access, for example, www.fortinet.com.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST Action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading to a web server.

The action options are Allow or Block. The default is Allow.

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Proxy Options
2. For HTTP POST Action, select Allow or Block.

To enable this feature in the CLI:

config webfilter profile edit “webfilter” set post-action [normal/block] config ftgd-wf unset options

end

next end

Remove Java applets, remove ActiveX, and remove cookies

The Remove Java Applets feature filters java applets from web traffic. Websites using java applets might not function properly if you enable this filter.

The Remove ActiveX feature filters ActiveX scripts from web traffic. Websites using ActiveX might not function properly with if you enable this filter.

The Remove Cookies feature filters cookies from web traffic. Websites using cookies might not function properly if you enable this filter.

To enable this feature in the GUI:

1. Go to Security Profiles > Web Filter and go to the Proxy Options
2. Select the filters you want to use: Remove Java Applets, Remove ActiveX, and/or Remove Cookies.

To enable this feature in the CLI:

config webfilter profile  edit “webfilter”

set options activexfilter cookiefilter javafilter <– enable one or more of activexfilter cookiefilter javafilter.

config ftgd-wf

unset options

end

next end