Chapter 10 Install and System Administration for FortiOS 5.0 : Advanced concepts : Administration for schools : UTM security profiles : Web filtering
  
Web filtering
The actual filtering of URLs - sites and content - should be performed by FortiGuard. It is easier, because web sites are constantly being monitored, and new ones are reviewed and added to the FortiGuard databases every day. The FortiGuard categories provide an extensive list of offensive and non-productive sites.
As well, there are additional settings to include in a web filtering profile to best contain a student’s web browsing.
Web URL filtering should be enabled to set up exemptions for web sites that are blocked for reasons other than category filtering. It also prevents the use of IP addresses to get around web filtering.
Block invalid URLs - HTTPS only. This option inspects the HTTPS certificate and looks at the URL to ensure it’s valid. It is common for proxy sites to create an HTTPS certificate with a garbage URL. If the site is legitimate, it should be set up correctly. If the site's approach to security is to ignore it, then its security policy puts your network at risk and the site should be blocked.
Web filtering options are configured in the web-based manager by going to UTM Security Profiles > Web filter > Profile, or in the CLI under config webfilter profile.
Advanced options
There are a few Advanced options to consider for a web filtering profile:
Enable Provide details for blocked HTTP 4xx and 5xx errors. Under normal circumstances there are exploits that can be used with 400 and 500 series messages to access the web site. While most students probably won’t know how to do this, there is no harm in being cautious. It only takes one.
Enable Rate Images by URL. This option only works with Google images. It examines the URL where the image is stored to get a rating for it, then blocks or allows the image based on the rating of the originating URL. It does not inspect the image contents. Most image search engines do a prefetch and pass the images directly to the browser.
Enable Block HTTP redirects by rating. An HTTP redirect is one method of getting around ratings. The user goes to one web site that has an allowed rating, and it redirects to another web site that you may want blocked.
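The following added example (not FortiOS or FortiGuard code) models why rating every redirect hop and refusing IP-address hosts closes the two bypasses described above. The rating table, host names, URLs and function names are constructed assumptions for illustration.

```python
# Added illustration: a simplified model, not FortiOS or FortiGuard code.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample ratings; real ratings come from the FortiGuard service.
RATINGS = {
    "homework-help.example": "Education",
    "open-proxy.example": "Proxy Avoidance",
}
BLOCKED = {"Proxy Avoidance"}

def is_ip_literal(host):
    """True when the URL names the server by address instead of by hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def rate(url):
    """Return (host, category); unrated hosts get the category None."""
    host = (urlsplit(url).hostname or "").lower()
    return host, RATINGS.get(host)

def verdict(chain, rate_redirects=True, block_ip_hosts=True):
    """Decide on a request given as its chain of URLs: first the URL the
    browser asked for, then each redirect target in order."""
    hops = chain if rate_redirects else chain[:1]
    for url in hops:
        host, category = rate(url)
        if block_ip_hosts and is_ip_literal(host):
            return ("block", url, "IP address used as host")
        if category in BLOCKED:
            return ("block", url, category)
    return ("allow", chain[-1], None)

# Constructed sample: an allowed site that redirects to a blocked category.
REDIRECT_CHAIN = [
    "http://homework-help.example/go?id=7",
    "http://open-proxy.example/browse",
]
# Constructed sample: a server reached by address (documentation range).
IP_CHAIN = ["http://203.0.113.10/browse"]

if __name__ == "__main__":
    for kwargs in ({"rate_redirects": False}, {"rate_redirects": True}):
        print(kwargs, verdict(REDIRECT_CHAIN, **kwargs))
    for kwargs in ({"block_ip_hosts": False}, {"block_ip_hosts": True}):
        print(kwargs, verdict(IP_CHAIN, **kwargs))
```

With only the first URL rated, the request is allowed and the browser ends up on the blocked-category site; with every hop rated, the same chain is blocked at the redirect target.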
Categories and Classifications
Which FortiGuard categories and classifications should be blocked depends entirely on the school system and its Internet information policy.