FortiGuard Web Filtering Service

FortiGuard Web Filtering is a managed web filtering solution available by subscription from Fortinet. Before you begin to use the FortiGuard Web Filtering options, verify that you have a valid subscription to the service for your FortiGate firewall.

FortiGuard Web Filtering enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface. FortiGuard Web Filtering service supports detection for traffic using HTTP protocol (versions 1.0, 1.1 and 2.0).

FortiGuard Web Filtering includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard Web Filtering ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filtering Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.

FortiGuard Web Filtering and your FortiGate unit

When FortiGuard Web Filtering is enabled in a web filter or a DNS filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

FortiGuard Web Filtering Actions

The possible actions are:

  • Allow permits access to the sites within the category.
  • Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
  • Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
  • Warning presents the user with a message, allowing them to continue if they choose.
  • Authenticate requires a user to authenticate with the FortiGate unit before being allowed access to the category or category group.

The options of actions available will depend on the mode of inspection.

  • Proxy - Allow, Block, Monitor, Warning, Authenticate and Disable.
  • Flow-based - Allow, Block & Monitor.
Web Filtering flowchart

FortiGuard Web Filtering categories

The following tables identify each FortiGuard web filtering category (organized by group) along with associated category IDs. For a complete description of each web filtering category, visit

Potentially Liable

ID Category   ID Category
1 Drug Abuse   12 Extremist Groups
3 Hacking   59 Proxy Avoidance
4 Illegal or Unethical   62 Plagiarism
5 Discrimination   83 Child Abuse
6 Explicit Violence      

Adult/Mature Content

ID Category   ID Category
2 Alternative Beliefs   16 Weapons (Sales)
7 Abortion   57 Marijuana
8 Other Adult Materials   63 Sex Education
9 Advocacy Organizations   64 Alcohol
11 Gambling   65 Tobacco
13 Nudity and Risque   66 Lingerie and Swimsuit
14 Pornography   67 Sports Hunting and War Games
15 Dating      

Bandwidth Consuming

ID Category   ID Category
19 Freeware and Software Downloads   72 Peer-to-peer File Sharing
24 File Sharing and Storage   75 Internet Radio and TV
25 Streaming Media and Download   76 Internet Telephony

Security Risk

ID Category   ID Category
26 Malicious Websites   86 Spam URLs
61 Phishing   88 Dynamic DNS

General Interest - Personal

ID Category   ID Category
17 Advertising   47 Travel
18 Brokerage and Trading   48 Personal Vehicles
20 Games   54 Dynamic Content
23 Web-based Email   55 Meaningless Content
28 Entertainment   58 Folklore
29 Arts and Culture   68 Web Chat
30 Education   69 Instant Messaging
33 Health and Wellness   70 Newsgroups and Message Boards
34 Job Search   71 Digital Postcards
35 Medicine   77 Child Education
36 News and Media   78 Real Estate
37 Social Networking   79 Restaurant and Dining
38 Political Organizations   80 Personal Websites and Blogs
39 Reference   82 Content Servers
40 Global Religion   85 Domain Parking
42 Shopping   87 Personal Privacy
44 Society and Lifestyles   89 Auction
46 Sports      

General Interest - Business

ID Category   ID Category
31 Finance and Banking   52 Information Technology
41 Search Engines and Portals   53 Armed Forces
43 General Organizations   56 Web Hosting
49 Business   81 Secure Websites
50 Information and Computer Security   84 Web-based Applications
51 Government and Legal Organizations      

Local categories

Users can define custom or local categories. See Overriding FortiGuard Website Categorization for details.

FortiGuard Web Filtering usage quotas

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific bandwidth, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity-based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.

note icon The use of FortiGuard Web Filtering quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required.

Editing the web filter profile resets the quota timers for all users.

When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked and FortiGate unit adjusts the user’s remaining available quota for the category or classification.

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas are:

  1. Category
  2. Category group