Best practices for URL filtering can be divided into four categories: flow-based versus proxy based filtering; local category/rating feature; URL filter ‘Exempt’ action; and Deep Scan.
Flow-based versus proxy-based
Try to avoid mixing flow-based and proxy-based features in the same profile if you are not using IPS or Application Control.
Local category/rating feature
Local categories and local rating features consume a large amount of CPU resources, so use these features as little as possible. It is better to use Local categories instead of using the ‘override’ feature, since the ‘override’ feature is more complicated and more difficult to troubleshoot.
URL filter ‘Exempt’ action
When using the URL filter ‘Exempt’ option, webfilter, antivirus and dlp scans are bypassed by default, so use this option only for trusted sites.
Configuration notes: You need to configure ‘Exempt’ actions in the URL filter if you want to bypass the FortiGuard Web Filter.You can configure which particular inspection(s) you want to bypass using the
set exempt command in
config webfilter urlfilter.
The ‘Deep Scan’ feature is much heavier on resources than ‘HTTPS URL Scan Only’. Deep Scan is much more accurate, since many sites (such as various Google applications) cannot be scanned separately without deep scanning enabled.
Note: If you configure Deep Scan in the SSL profile and then configure ‘Enable HTTPS URL Scan Only’ in the web filter profile, then Deep Scan is not performed.