urlfilter
Use this command to control access to specific URLs by adding them to the URL filter list. The FortiGate unit exempts or blocks web pages matching any specified URLs and displays a replacement message instead.
Configure the FortiGate unit to allow, block, or exempt all pages on a website by adding the top-level URL or IP address and setting the action to allow, block, or exempt.
Block individual pages on a website by including the full path and filename of the web page to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.example.com or 172.16.144.155 blocks access to all pages at this website.
Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.example.com/news.html or 172.16.144.155/news.html blocks the news page on this website.
To block all pages with a URL that ends with example.com, add example.com to the block list. For example, adding example.com blocks access to www.example.com, mail.example.com, www.finance.example.com, and so on.
Use this command to exempt or block all URLs matching patterns created using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on. The FortiGate unit exempts or blocks web pages that match any configured pattern and displays a replacement message instead.
Syntax
config webfilter urlfilter
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        set one-arm-ips-urlfilter {enable | disable}
        config entries
            edit <entry_id>
                set url <url_str>
                set action {allow | block | exempt | monitor}
                set exempt {all activex-java-cookie av dlp fortiguard pass range-block web-content}
                set referrer-host <ref_str>
                set status {enable | disable}
                set type {simple | regex | wildcard}
                set web-proxy-profile <profile_name>
        end
end
Variables

Variable: <list_int>
Description: A unique number to identify the URL filter list.

Variable: name <list_str>
Description: The name of the URL filter list.

Variable: comment <comment_str>
Description: The comment attached to the URL filter list.

Variable: one-arm-ips-urlfilter {enable | disable}
Description: Enable or disable IPS URL filter.
Default: disable

Variable: <entry_id>
Description: A unique number to identify the entry.

Variable: url <url_str>
Description: The URL for this entry.

Variable: action {allow | block | exempt | monitor}
Description: The action to take for matches.
    An allow match exits the URL filter list and checks the other web filters.
    A block match blocks the URL and no further checking will be done.
    An exempt match stops all further checking including AV scanning for the current HTTP session, which can affect multiple URLs.
    A monitor match passes the URL and generates a log message. The request is still subject to other UTM inspections.
Default: exempt

Variable: exempt {all activex-java-cookie av dlp fortiguard pass range-block web-content}
Description: Enter the types of scanning to skip for the exempt URLs:
    all: Exempt from all.
    activex-java-cookie: ActiveX, Java, and cookies
    av: antivirus scanning
    dlp: DLP scanning
    fortiguard: FortiGuard web filtering
    pass: pass single connection from all.
    range-block: do not allow range-block
    web-content: web filter content matching
Default: activex-java-cookie all av dlp fortiguard range-block web-content

Variable: referrer-host <ref_str>
Description: Referrer host name.
Default: null

Variable: status {enable | disable}
Description: The status of the filter.
Default: enable

Variable: type {simple | regex | wildcard}
Description: The type of URL filter: simple, regular expression, or wildcard.
Default: simple

Variable: web-proxy-profile <profile_name>
Description: Optionally, apply a web proxy profile to the header content. This is available when action is allow or monitor.
Default: No default.
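An added example, not part of the original reference and not Fortinet code: a Python audit of an exported `config webfilter urlfilter` section that lists enabled entries whose match skips antivirus scanning, applying the Default column above so that an entry setting only `url` is treated as action exempt with the default exempt scope. The function names and the sample configuration are constructed for this example, and the input is assumed to contain only the urlfilter section.

```python
# Defaults copied from the Default column of the table above.
DEFAULTS = {"action": "exempt", "status": "enable", "type": "simple",
            "exempt": "activex-java-cookie all av dlp fortiguard range-block web-content"}

# Constructed sample configuration (not from a real device).
SAMPLE = """\
config webfilter urlfilter
    edit 1
        set name "branch-office"
        config entries
            edit 1
                set url "example.com"
            next
            edit 2
                set url "updates.example.org"
                set action exempt
                set exempt fortiguard
            next
            edit 3
                set url "cdn.example.net"
                set action exempt
                set exempt av dlp
                set status disable
            next
        end
    next
end
"""

def parse_entries(text):
    """Return {(list_id, entry_id): settings}, with unset options defaulted."""
    entries, list_id, current, in_entries = {}, None, None, False
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["config", "entries"]:
            in_entries = True
        elif tok[:1] == ["end"]:
            in_entries, current = False, None
        elif tok[:1] == ["edit"] and not in_entries:
            list_id = int(tok[1])          # URL filter list number
        elif tok[:1] == ["edit"]:
            current = entries.setdefault((list_id, int(tok[1])), dict(DEFAULTS))
        elif tok[:1] == ["set"] and in_entries and current is not None:
            current[tok[1]] = " ".join(tok[2:]).strip('"')
    return entries

def av_bypass_entries(entries):
    """Keys of enabled entries whose exempt action skips antivirus scanning."""
    return [k for k, e in sorted(entries.items())
            if e["status"] == "enable" and e["action"] == "exempt"
            and {"all", "av"} & set(e["exempt"].split())]
```

On the sample, only entry 1 of list 1 is reported: it never sets `action`, so the documented defaults make it a full exemption, while entry 2 narrows the scope to `fortiguard` and entry 3 is disabled.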