This section describes how to configure web filters for HTTP traffic and configure URL filters to allow or block caching of specific URLs.
After you configure a web filter profile, you can apply it to a policy. A profile is specific information that defines how the traffic within a policy is examined and what action can be taken based on the examination.
To configure web filter profiles, go to Security Profiles > Web Filter. The Edit Web Filter Profile page opens.
Configure the following settings and then select Apply to save your changes:
Name | The name of the web filter profile. | |
Comments | Optional description of the profile. | |
FortiGuard category based filter | Enable FortiGuard categories. If the device is not licensed for the FortiGuard web-filtering service, traffic can be blocked by enabling this option. | |
Parental control; allow highest rated content | Select Custom, G, PG-13, or R. | |
Show | Select which filter to use to display the FortiGuard categories: All, Allow, Authenticate, Block, Monitor, or Warning. You can enter a category to search for. | |
Category Usage Quota | For categories set to Monitor, Warning, or Authenticate, you can create a category usage quota by selecting Create New. | |
Allow users to override blocked categories | Enable this option if you want users to be able to override blocked categories. | |
Groups that can override | Select the user groups that will be able to override blocked categories. This option is available only if Allow users to override blocked categories is enabled. | |
Profile can switch to | Select which web filter profile to change blocked categories to. This option is available only if Allow users to override blocked categories is enabled. | |
Switch applies to | Select whether the new web filter profile applies to a User, User Group, or IP or whether to Ask. The user or user group must be specified as the Source in firewall policies using this profile. This option is available only if Allow users to override blocked categories is enabled. | |
Switch Duration | Select whether blocked categories can be overridden for a predefined period or to Ask. This option is available only if Allow users to override blocked categories is enabled. | |
Day(s)/Hour(s)/Minute(s) | Select how long users can override blocked categories. This option is available only if Allow users to override blocked categories is enabled and the Switch Duration is set to Predefined. | |
Search Engines | ||
Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex | Enable to use predefined web filter rules to edit web profiles and provide safe search for Google, Bing, and YouTube. | |
Restrict YouTube Access | Enable and then select the Strict or Moderate level of restriction for YouTube access. | |
Log all search keywords | Enable if you want all search keywords logged. | |
Static URL Filter | ||
Block invalid URLs | Enable to block web sites when their SSL certificate CN field does not contain a valid domain name. | |
URL Filter | Enable and then create or edit a URL filter. See URL filters. | |
Block malicious URLs discovered by FortiSandbox | Enable to block malicious URLs discovered by FortiSandbox. | |
Web Content Filter | Enable and then create or edit a web content filter to block access to web pages that include the specified patterns. See Web content filters. | |
Rating Options | ||
Allow websites when a rating error occurs | Enable to allow access to web pages that return a rating error from the web filter service. If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites. | |
Rate URLs by domain and IP Address | Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This difference can sometimes cause the unit to allow access to sites that should be blocked or to block sites that should be allowed. | |
Rate images by URL | Enable to have the FortiProxy unit retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced on the originating web pages with blank placeholders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. | |
Proxy Options | ||
Restrict Google account usage to specific domains | This feature allows the blocking of access to some Google accounts and services while allowing access to accounts that are included in the domains specified in the exception list. | |
Provide details for blocked HTTP 4xx and 5xx errors | Enable to have the FortiProxy unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. | |
HTTP POST Action | Select whether to Allow or Block HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled out or a file you are uploading, to a web server. | |
Remove Java Applets | Enable to filter Java applets from web traffic. Web sites using Java applets might not function properly with this filter enabled. | |
Remove ActiveX | Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX might not function properly with this filter enabled. | |
Remove Cookies | Enable to filter cookies from web traffic. Web sites using cookies might not function properly with this enabled. |
The web filter profile list can be viewed by selecting the List icon (the farthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) in the Edit Web Filter Profile page toolbar.
Right-click on any column heading to select which columns are displayed or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:
Create New | Create a new web filter profile. See "To create a new web filter profile". |
Edit | Modify the selected web filter profile. See "To edit a web filter profile". |
Clone | Make a copy of the selected web filter profile. See "To clone a web filter profile". |
Delete | Remove the selected web filter profile. See "To delete a profile or profiles". |
Search | Enter a search term to search the web filter profile list. |
Name | The name of the web filter profile. |
Comments | An optional description of the web filter profile. |
Ref. | Displays the number of times the object is referenced by other objects. To view where the object is referenced, select the number in Ref.; the Object Usage window opens and displays the various locations that reference the object. |
Web filter profiles can be added, edited, cloned and deleted as required.
Web content filters can be added, edited, and deleted as required.
You can allow or block access to specific web sites by adding them to the URL filter list. You add the web sites by using patterns containing text and regular expressions. The FortiProxy unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.
Web site blocking does not block access to other services that users can access with a web browser. For example, web site blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
When adding a URL to the web site filter list, follow these rules:
URLs with an action set to exempt or pass are not scanned for viruses. If users on the network download files through the FortiProxy unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it, so the unit does not scan files downloaded from this URL.
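Because exempt and pass entries skip virus scanning, it is worth checking that each such pattern matches only the trusted site it was written for. The following audit is an added example, not FortiProxy code or configuration syntax: the entry fields, the matching rules for simple and regex entries, and all URLs are assumptions constructed for illustration.

```python
import re

# Constructed URL filter list (hypothetical data model, not FortiProxy's format).
# type: "simple" = literal host/path text, "regex" = regular expression.
URL_FILTER = [
    {"url": "updates.example.com", "type": "simple", "action": "exempt"},
    {"url": r"example\.com", "type": "regex", "action": "exempt"},
    {"url": r"^downloads\.example\.com/", "type": "regex", "action": "exempt"},
    {"url": r".*\.example\.net", "type": "regex", "action": "block"},
]

# Constructed look-alike URLs that a trusted-site exemption should NOT cover.
PROBES = [
    "example.com.mirror.test/file.exe",
    "files.test/example.com/setup.exe",
]

# Actions the page says are not scanned for viruses.
UNSCANNED_ACTIONS = {"exempt", "pass"}


def matches(entry, url):
    """Return True if the URL (scheme already stripped) matches the entry.

    Assumed semantics: regex entries are searched anywhere in the URL,
    simple entries must equal the URL or be followed by a path separator.
    """
    if entry["type"] == "regex":
        return re.search(entry["url"], url) is not None
    return url == entry["url"] or url.startswith(entry["url"] + "/")


def audit(entries, probes):
    """Return (pattern, probe) pairs where an unscanned entry matches a look-alike."""
    findings = []
    for entry in entries:
        if entry["action"] not in UNSCANNED_ACTIONS:
            continue  # block/allow entries do not bypass scanning
        for probe in probes:
            if matches(entry, probe):
                findings.append((entry["url"], probe))
    return findings


if __name__ == "__main__":
    for pattern, probe in audit(URL_FILTER, PROBES):
        print(f"exempt pattern {pattern!r} also matches {probe!r}")
```

Only the unanchored regex is reported; the anchored regex and the literal entry cover the intended host and nothing else in this sample.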