Web filter

This section describes how to configure web filters for HTTP traffic and configure URL filters to allow or block caching of specific URLs.

After you configure a web filter profile, you can apply it to a policy. A profile is specific information that defines how the traffic within a policy is examined and what action can be taken based on the examination.

To configure web filter profiles, go to Security Profiles > Web Filter. The Edit Web Filter Profile page opens.

Configure the following settings and then select Apply to save your changes:

Name: The name of the web filter profile.
Comments: Optional description of the profile.
FortiGuard category based filter: Enable FortiGuard categories. If the device is not licensed for the FortiGuard web-filtering service, traffic can be blocked by enabling this option.
Parental control; allow highest rated content: Select Custom, G, PG-13, or R.
Show: Select which filter to use to display the FortiGuard categories: All, Allow, Authenticate, Block, Monitor, or Warning. You can enter a category to search for.
Category Usage Quota: For categories set to Monitor, Warning, or Authenticate, you can create a category usage quota by selecting Create New.
Allow users to override blocked categories: Enable this option if you want users to be able to override blocked categories.
Groups that can override: Select the user groups that will be able to override blocked categories.
    This option is available only if Allow users to override blocked categories is enabled.
Profile can switch to: Select which web filter profile to change blocked categories to.
    This option is available only if Allow users to override blocked categories is enabled.
Switch applies to: Select whether the new web filter profile applies to a User, User Group, or IP or whether to Ask. The user or user group must be specified as the Source in firewall policies using this profile.
    This option is available only if Allow users to override blocked categories is enabled.
Switch Duration: Select whether blocked categories can be overridden for a predefined period or to Ask.
    This option is available only if Allow users to override blocked categories is enabled.
Day(s)/Hour(s)/Minute(s): Select how long users can override blocked categories.
    This option is available only if Allow users to override blocked categories is enabled and the Switch Duration is set to Predefined.
Search Engines
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex: Enable to use predefined web filter rules to edit web profiles and provide safe search for Google, Bing, and YouTube.
Restrict YouTube Access: Enable and then select the Strict or Moderate level of restriction for YouTube access.
Log all search keywords: Enable if you want all search keywords logged.
Static URL Filter
Block invalid URLs: Enable to block web sites when their SSL certificate CN field does not contain a valid domain name.
URL Filter: Enable and then create or edit a URL filter. See URL filters.
Block malicious URLs discovered by FortiSandbox: Enable to block malicious URLs discovered by FortiSandbox.
Web Content Filter: Enable and then create or edit a web content filter to block access to web pages that include the specified patterns. See Web content filters.
Rating Options
Allow websites when a rating error occurs: Enable to allow access to web pages that return a rating error from the web filter service.
    If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.
Rate URLs by domain and IP Address: Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.
    FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This difference can sometimes cause the unit to allow access to sites that should be blocked or to block sites that should be allowed.
Rate images by URL: Enable to have the FortiProxy unit retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.
    Blocked images are replaced on the originating web pages with blank placeholders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.
Proxy Options
Restrict Google account usage to specific domains: This feature allows the blocking of access to some Google accounts and services while allowing access to accounts that are included in the domains specified in the exception list.
Provide details for blocked HTTP 4xx and 5xx errors: Enable to have the FortiProxy unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.
HTTP POST Action: Select whether to Allow or Block HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled out or a file you are uploading, to a web server.
Remove Java Applets: Enable to filter Java applets from web traffic. Web sites using Java applets might not function properly with this filter enabled.
Remove ActiveX: Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX might not function properly with this filter enabled.
Remove Cookies: Enable to filter cookies from web traffic. Web sites using cookies might not function properly with this filter enabled.

Web filter profile list

The web filter profile list can be viewed by selecting the List icon (the farthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) in the Edit Web Filter Profile page toolbar.

Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New: Create a new web filter profile. See “To create a new web filter profile”.
Edit: Modify the selected web filter profile. See “To edit a web filter profile”.
Clone: Make a copy of the selected web filter profile. See “To clone a web filter profile”.
Delete: Remove the selected web filter profile. See “To delete a profile or profiles”.
Search: Enter a search term to search the web filter profile list.
Name: The name of the web filter profile.
Comments: An optional description of the web filter profile.
Ref.: Displays the number of times the object is referenced by other objects.
    To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Web filter profiles can be added, edited, cloned and deleted as required.

To create a new web filter profile:
  1. Go to Security Profiles > Web Filter and select Create New (a plus sign in a circle) from the toolbar.
  2. Enter the required information and then select OK to create the new web filter profile.
To edit a web filter profile:
  1. Go to Security Profiles > Web Filter, select the List icon (the farthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) from the toolbar.
  2. Select the profile you want to edit and then select Edit from the toolbar or double-click on the profile name in the list.
    The Edit Web Filter Profile window opens.
  3. Edit the information as required and then select Apply to save your changes.
To clone a web filter profile:
  1. Go to Security Profiles > Web Filter, select the List icon (the farthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) from the toolbar.
  2. Select the profile you need to clone and then select Clone from the toolbar.
  3. Enter a name for the cloned profile in the dialog box and then select OK.
    The profile list opens with the clone added.
  4. Edit the clone as needed and then select Apply to save your changes.
To delete a profile or profiles:
  1. Go to Security Profiles > Web Filter, select the List icon (the farthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) from the toolbar.
  2. Select the profile or profiles that you want to delete.
  3. Select Delete from the toolbar.
  4. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Web content filters

Web content filters can be added, edited, and deleted as required.

To create a new web content filter:
  1. Go to Security Profiles > Web Filter.
  2. In the Static URL Filter section, enable Web Content Filter.
  3. Select Create New.
  4. Select the Pattern Type, either Wildcard or Reg. Expression.
  5. Enter the content Pattern to match.
  6. Select the Language from the drop-down menu.
  7. Select Block or Exempt.
  8. Enable the Status.
  9. Select OK.
To edit a web content filter:
  1. Go to Security Profiles > Web Filter.
  2. In the Static URL Filter section, enable Web Content Filter.
  3. Select the filter you want to edit and then select Edit from the toolbar.
    The Edit Web Content Filter window opens.
  4. Edit the information as required and then select OK to apply your changes.
To delete a web content filter or filters:
  1. Go to Security Profiles > Web Filter.
  2. In the Static URL Filter section, enable Web Content Filter.
  3. Select the filter or filters that you want to delete.
  4. Select Delete from the toolbar.
  5. Select OK in the confirmation dialog box to delete the selected filter or filters.

URL filters

You can allow or block access to specific web sites by adding them to the URL filter list. You add the web sites by using patterns containing text and regular expressions. The FortiProxy unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.

Web site blocking does not block access to other services that users can access with a web browser. For example, web site blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.

When adding a URL to the web site filter list, follow these rules:

URLs with an action set to exempt or pass are not scanned for viruses. If users on the network download files through the FortiProxy unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it, so the unit does not scan files downloaded from this URL.
To create a new URL filter:
  1. Go to Security Profiles > Web Filter.
  2. Enable URL Filter.
  3. In the URL Filter table, select Create.
    The New URL Filter dialog box opens.
  4. Enter the URL to filter in the URL field. Enter a top-level domain suffix (for example, “com” without the leading period) to block access to all web sites with this suffix.
  5. Select the type of pattern to match. One of: Simple, Reg. Expression, or Wildcard.
  6. Select the action to take when the pattern is matched:
  7. Enable or disable the status of the filter to make the filter active or inactive.
  8. Select OK to save the URL filter.
  9. Select Apply in the Edit Web Filter Profile page to save the changes to the web filter.
To edit a URL filter:
  1. Go to Security Profiles > Web Filter and enable URL Filter.
  2. In the URL Filter table, double-click on a filter or select the filter and then select Edit in the toolbar.
  3. Edit the filter settings as required.
  4. Select OK to save your changes to the URL filter.
  5. Select Apply in the Edit Web Filter Profile page to save the changes to the web filter.
To delete a URL filter or filters:
  1. Go to Security Profiles > Web Filter and enable URL Filter.
  2. In the URL Filter table, select the filter or filters that need to be deleted and then select Delete in the toolbar.
  3. Select OK in the confirmation dialog box to delete the selected filter or filters.
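
The following check is an added example, not FortiProxy code or output: it flags enabled URL filter entries whose exempt or pass action would leave more sites unscanned for viruses than the trusted site they were written for. The entry layout, the `matches` model for Simple, Wildcard, and Reg. Expression patterns, and the probe hostnames are assumptions constructed for illustration.

```python
import fnmatch
import re

# Per the text above, URLs with these actions are not scanned for viruses.
UNSCANNED_ACTIONS = {"exempt", "pass"}

# Constructed probe hostnames. None of them is example.com or a subdomain of
# it, so a trusted-site pattern for example.com should match none of them.
LOOKALIKE_PROBES = ["example.com.lookalike.test", "notexample.com", "example-com.test"]

# Constructed sample entries in a made-up dict layout (not a device export).
SAMPLE_ENTRIES = [
    {"url": "com", "type": "simple", "action": "exempt", "status": "enable"},
    {"url": "example.com", "type": "regex", "action": "pass", "status": "enable"},
    {"url": "*example.com", "type": "wildcard", "action": "exempt", "status": "enable"},
    {"url": r"^(.+\.)?example\.com$", "type": "regex", "action": "exempt", "status": "enable"},
    {"url": "downloads.example.com", "type": "simple", "action": "exempt", "status": "enable"},
    {"url": "net", "type": "simple", "action": "block", "status": "enable"},
]

def matches(entry, host):
    """Assumed matching model for illustration, not documented device behaviour."""
    pattern, kind = entry["url"], entry["type"]
    if kind == "simple":  # exact host, or any host under the given suffix
        return host == pattern or host.endswith("." + pattern)
    if kind == "wildcard":  # shell-style glob over the whole hostname
        return fnmatch.fnmatchcase(host, pattern)
    if kind == "regex":  # unanchored search unless the pattern anchors itself
        return re.search(pattern, host) is not None
    raise ValueError(f"unknown pattern type: {kind}")

def audit(entries):
    """Return (pattern, reason) for enabled unscanned entries that are too broad."""
    findings = []
    for e in entries:
        if e["status"] != "enable" or e["action"] not in UNSCANNED_ACTIONS:
            continue
        if e["type"] == "simple" and "." not in e["url"]:
            findings.append((e["url"], "bare suffix: every site under it goes unscanned"))
            continue
        hits = [h for h in LOOKALIKE_PROBES if matches(e, h)]
        if hits:
            findings.append((e["url"], "also matches " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for pattern, reason in audit(SAMPLE_ENTRIES):
        print(f"{pattern!r}: {reason}")
```

Entries that produce no finding here (the anchored regular expression and the full-hostname Simple entry) are the forms to prefer when an exempt or pass action is needed for a trusted site.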