webfilter : profile
 
profile
Use this command to configure UTM web filtering profiles for firewall policies. Web filtering profiles configure how web filtering and FortiGuard Web Filtering is applied to sessions accepted by a firewall policy that includes the web filter profile.
Syntax
config webfilter profile
edit <name_str>
set comment <comment_str>
set https-replacemsg {enable | disable}
set inspection-mode {dns | flow-based | proxy}
set log-all-url {enable | disable}
set options {activexfilter | block-invalid-url | cookiefilter | intrinsic | javafilter | js | jscript | rangeblock | unknown | vbs | wf-cookie | wf-referer}
set ovrd-perm {bannedword-override | contenttype-check-override | fortiguard-wf-override | urlfilter-override}
set post-action {normal | comfort | block}
set replacemsg-group <string>
set web-content-log {enable | disable}
set web-filter-activex-log {enable | disable}
set web-filter-applet-log {enable | disable}
set web-filter-command-block-log {enable | disable}
set web-filter-cookie-log {enable | disable}
set web-filter-cookie-removal-log {enable | disable}
set web-filter-js-log {enable | disable}
set web-filter-jscript-log {enable | disable}
set web-filter-referer-log {enable | disable}
set web-filter-unknown-log {enable | disable}
set web-filter-vbs-log {enable | disable}
set web-ftgd-err-log {enable | disable}
set web-ftgd-quota-usage {enable | disable}
set web-invalid-domain-log {enable | disable}
set web-url-log {enable | disable}
config ftgd-wf
set category-override <category_str>
set exempt-quota {all | <category_str>}
set max-quota-timeout <integer>
set options {connect-request-bypass | error-allow | ftgd-disable | http-err-detail | rate-server-ip | redir-block}
set ovrd <id>/g<id>
set rate-crl-urls
set rate-css-urls
set rate-image-urls
set rate-javascript-urls
config filters
edit <id_str>
set action {authenticate | block | monitor | warning}
set auth-usr-group [group1 ...groupn]
set category {category_int group_str}
set log {enable | disable}
set warn-duration <dur_string>
end
config quota
edit <id>
set category <id>
set duration <dur_str>
set type {time | traffic}
set unit {B | GB | KB | MB}
set value <int>
end
end
config override
set ovrd-dur <###d##h##m>
set ovrd-dur-mode {ask | constant}
set ovrd-scope {ask | ip | user | user-group}
set ovrd-user-group <groupname_str> [<groupname_str>...]
set profile <web_profile>
set profile-attribute <attribute_str>
set profile-type {list | radius}
end
config web
set bword-threshold <threshold_int>
set bword-table <filter_list_name>
set urlfilter-table <url_list_name>
set content-header-list <list_number>
set keyword-match <pattern_str>
set log-search {enable | disable}
set safe-search {url | header}
set youtube-edu-filter-id <accountid_int>
end
end
Variable
Description
Default
<name_str>
Enter the name of the web filtering profile.
 
comment <comment_str>
Optionally enter a description of the web filter profile, up to 63 characters.
Null
https-replacemsg {enable | disable}
Enable replacement message display for non-deep SSL inspection.
enable
inspection-mode {dns | flow-based | proxy}
Web filtering inspection mode.
proxy
log-all-url {enable | disable}
Enable to log all URLs, even if FortiGuard is not enabled.
disable
options {activexfilter | block-invalid-url | cookiefilter | intrinsic | javafilter | js | jscript | rangeblock | unknown | vbs | wf-cookie | wf-referer}
Select one or more options to apply to web filtering. To select more than one, enter the option names separated by a space. Some options are only available for some protocols.
activexfilter — block ActiveX plugins.
block-invalid-url — block web pages with an invalid domain name.
cookiefilter — block cookies.
intrinsic — block intrinsic scripts.
javafilter — block Java applets.
js — block JavaScript applets.
jscript — block JavaScript applets.
rangeblock — block downloading parts of a file that have already been partially downloaded. Selecting this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager.
unknown — block unknown scripts.
vbs — block VB scripts.
wf-cookie — block the contents of the HTTP header “Cookie”.
wf-referer — block the contents of the HTTP header “Referer”.
Separate multiple options with a space. To add or remove an option, retype the whole list with the option added or removed.
 
ovrd-perm {bannedword-override | contenttype-check-override | fortiguard-wf-override | urlfilter-override}
Override permit options:
bannedword-override — content block
contenttype-check-override — filter based on content-type header override
fortiguard-wf-override — FortiGuard Web Filter block override
urlfilter-override — web URL filter override
null
post-action {normal | comfort | block}
Select the action to take with HTTP POST traffic. This option is available for HTTPS.
normal — do not affect HTTP POST traffic.
comfort — use the comfort-interval and comfort-amount HTTP options of the firewall profile-protocol-options to send comfort bytes to the server in case the client connection is too slow. Select this option to prevent a server timeout when scanning or another filtering tool is turned on.
block — block HTTP POST requests. When the POST request is blocked, the FortiGate unit sends the http-post-block replacement message to the user’s web browser.
normal
replacemsg-group <string>
Enable or disable rating CRL by URL.
Null
web-content-log {enable | disable}
Enable or disable logging for web content blocking.
enable
web-filter-activex-log {enable | disable}
Enable or disable logging for ActiveX script web filtering.
enable
web-filter-applet-log {enable | disable}
Enable or disable logging for applet script web filtering.
enable
web-filter-command-block-log {enable | disable}
Enable or disable logging of web filter command block messages.
enable
web-filter-cookie-log {enable | disable}
Enable or disable logging for cookie script web filtering.
enable
web-filter-cookie-removal-log {enable | disable}
Enable or disable logging for web filter cookie blocking.
enable
web-filter-js-log {enable | disable}
Enable or disable logging for web script filtering on JavaScript.
enable
web-filter-jscript-log {enable | disable}
Enable or disable logging for web script filtering on JScripts.
enable
web-filter-referer-log {enable | disable}
Enable or disable logging for webfilter referer block.
enable
web-filter-unknown-log {enable | disable}
Enable or disable logging for web script filtering on unknown scripts.
enable
web-filter-vbs-log {enable | disable}
Enable or disable logging for web script filtering on VBS scripts.
enable
web-ftgd-err-log {enable | disable}
Enable or disable logging for FortiGuard Web Filtering rating errors.
enable
web-ftgd-quota-usage {enable | disable}
Enable or disable logging for FortiGuard Web Filtering daily quota usage.
enable
web-invalid-domain-log {enable | disable}
Enable or disable logging for web filtering of invalid domain names.
enable
web-url-log {enable | disable}
Enable or disable logging for web URL filtering.
enable
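The following Python audit is an added example, not part of the original reference or Fortinet's own tooling. It reads a configuration backup and reports profiles where a logging variable documented above as defaulting to enable has been set to disable, or where a retyped `set options` list no longer contains a baseline option. The sample text, the `next` separators of the backup layout, and the `required_options` baseline are assumptions.

```python
import shlex

def parse_profiles(text):
    """Return {profile: {variable: [values]}} from profile-level 'set' lines only."""
    profiles, depth, current, in_section = {}, 0, None, False
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            if depth == 0:
                in_section = tok[1:] == ["webfilter", "profile"]
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif in_section and depth == 1:  # nested ftgd-wf/override/web blocks are skipped
            if tok[0] == "edit":
                current = profiles.setdefault(tok[1], {})
            elif tok[0] == "next":
                current = None
            elif tok[0] == "set" and current is not None:
                current[tok[1]] = tok[2:]
    return profiles

def audit(text, required_options=("block-invalid-url",)):
    """Return (profile, variable, issue) tuples; required_options is an assumed site baseline."""
    findings = []
    for name, cfg in parse_profiles(text).items():
        for var, val in cfg.items():
            # Every *-log variable and web-ftgd-quota-usage defaults to enable on this page.
            if val == ["disable"] and (var.endswith("-log") or var == "web-ftgd-quota-usage"):
                findings.append((name, var, "logging disabled"))
        # 'set options' replaces the whole list, so an edit can silently drop an entry.
        for opt in required_options:
            if opt not in cfg.get("options", []):
                findings.append((name, "options", "missing " + opt))
    return findings

# Constructed sample in FortiOS backup layout ('next' closes each edit entry).
SAMPLE = """config webfilter profile
    edit "guest-wifi"
        set options block-invalid-url javafilter
        set web-url-log disable
        config ftgd-wf
            set options error-allow
        end
    next
    edit "staff"
        set options activexfilter
        set web-ftgd-err-log disable
    next
end"""
print(*audit(SAMPLE), sep="\n")
```

The nested `config ftgd-wf` block has its own `set options`, so the parser tracks nesting depth to keep it from overwriting the profile-level list.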