Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Download PDF
Copy Link

Web filter

Web filter XML configurations are contained in the <webfilter></webfilter> tags. There are two main sections:

Section

Description

General options

Configuration elements that affect the whole of the web filter service.

Profiles

Defines one or more rules that are applied to network traffic.

<forticlient_configuration>

<webfilter>

<enable_filter>1</enable_filter>

<enabled>1</enabled>

<current_profile>0</current_profile>

<partial_match_host>0</partial_match_host>

<disable_when_managed>0</disable_when_managed>

<max_violations>250</max_violations>

<max_violations_age>7</max_violations_age>

<block_malicious_websites>1</block_malicious_websites>

<bypass_private_ip>1</bypass_private_ip>

<browser_read_time_threshold>180</browser_read_time_threshold>

<https_block_method>0</https_block_method>

<profiles>

<profile>

<id>999</id>

<use_exclusion_list>1</use_exclusion_list>

</profile>

<profile>

<id>0</id>

<cate_ver>6</cate_ver>

<description>deny</description>

<name>deny</name>

<temp_whitelist_timeout>300</temp_whitelist_timeout>

<log_all_urls>1</log_all_urls>

<log_user_initiated_traffic>1</log_user_initiated_traffic>

<categories>

<fortiguard>

<enabled>1</enabled>

<url>fgd1.fortigate.com</url>

<rate_ip_addresses>1</rate_ip_addresses>

<action_when_unavailable>deny</action_when_unavailable>

<use_https_rating_server>1</use_https_rating_server>

</fortiguard>

<category>

<id>1</id>

<action>deny</action>

</category>

<category>

<id>2</id>

<action>deny</action>

</category>

<category>

<id>3</id>

<action>deny</action>

</category>

<category>

<id>4</id>

<action>deny</action>

</category>

<category>

<id>5</id>

<action>deny</action>

</category>

</categories>

<urls>

<url>

<address>

<![CDATA[www.777.com]]>

</address>

<type>simple</type>

<action>deny</action>

</url>

<url>

<address>

<![CDATA[www.fortinet.com]]>

</address>

<type>simple</type>

<action>allow</action>

</url>

</urls>

<webbrowser_plugin>

<enabled>0</enabled>

<sync_mode>0</sync_mode>

<addressbar_only>0</addressbar_only>

</webbrowser_plugin>

<safe_search>

<enabled>0</enabled>

<search_engines>

<enabled>0</enabled>

</search_engines>

<youtube_education_filter>

<enabled>0</enabled>

<filter_id>

<![CDATA[]]>

</filter_id>

</youtube_education_filter>

</safe_search>

</profile>

</profiles>

</webfilter>

</forticlient_configuration>

The following table provides the XML tags for web filter, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enable_filter>

Enable or disable web filter.

Boolean value: [0 | 1]

1

<enabled>

Enable or disable FDN querying service.

Boolean value: [0 | 1]

1

<current_profile>

(Optional) Currently selected profile ID. If using the advanced configuration on the FortiGate (for Endpoint Control), set this to 1000. The value should always match the <profile><id> selected.

<partial_match_host>

A hostname that is a substring of the specified path is treated as a full match.

Boolean value: [0 | 1]

0

<disable_when_managed>

If enabled, FortiClient disables web filter when connected to a FortiGate using Endpoint Control.

Boolean: [0 | 1]

<max_violations>

Maximum number of violations stored at any one time.

A number from 250 to 5000.

5000

<max_violation_age>

Maximum age in days of a violation record before it is culled.

A number from 1 to 90.

90

<block_malicious_websites>

Configure whether to block web sites with security risk categories (group 5). When this setting is 0, do not block web sites with security risk categories. When this setting is 1, block web sites with security risk categories.

Boolean: [0 | 1]

<bypass_private_ip>

Enable or disable bypassing private IP addresses. This feature is enabled by default.

Boolean: [0 | 1]

1

<browser_read_time_threshold>

Configure the threshold in seconds for web browser to be considered idle. When a web browser is idle for longer than the threshold, FortiClient considers the web browser idle, does not calculate the time.

90

<https_block_method>

Control how FortiClient behaves when Web Filter blocks an HTTPS site:

  • If set to 0, FortiClient displays an in-browser message that the site is not reachable or that it is unable to reach the site, that your connection is not private, or that the site is not secure.
  • If set to 1, FortiClient shows a bubble notification to the user. The connection fails/times out.
  • If set to 2, the connection fails/times out with no notification to the user.

0

<fortiguard> elements

<url>

The FortiGuard server's IP address or FQDN.

fgd1.fortigate.com

<enabled>

Enable or disable use of FortiGuard servers.

Boolean value: [0 | 1]

1

<rate_ip_addresses>

Rate IP addresses.

Boolean value: [0 | 1]

1

<action_when_unavailable>

Configure the action to take with all websites when FortiGuard is temporarily unavailable. FortiClient takes the configured action until it reestablishes contact with FortiGuard. Available options are:

  • allow: Allow full, unfiltered access to all websites
  • deny: Deny access to any website
  • warn: Display an in-browser warning to user with an option to proceed to the website
  • monitor: Monitor site access

deny

<use_https_rating_server>

By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP protocol. You can instead enable Web Filter to send the requests via TCP protocol.

Boolean value: [0 | 1]

1

<profiles><profile><safe_search> element

<enabled>

Enable or disable Safe Search.

When Safe Search is enabled, the endpoint's Google search is set to restricted mode, and YouTube access is set to strict restricted access. To set YouTube access to moderate restricted or unrestricted YouTube access, you can disable Safe Search and configure Google search and YouTube access with the Google Admin Console instead of with EMS.

Boolean value: [0 | 1]

<profiles><profile><safe_search><search_engines><engine> element

<enabled>

Enable or disable Safe Search for the predefined search engines.

Boolean value: [0 | 1]

The <profiles> XML element may have one or more profiles, defined in the <profile> tag. Each <profile>, in turn, has one or more <category>, <url> and <safe_search> tags, along with other elements.

The following table provides profile XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<profile> elements

<id>

Unique ID. A number to define the profile.

<cate_ver>

FortiGuard category version used in this profile. A number.

6

<description>

Summary describing this profile.

<name>

A descriptive name for the profile.

<temp_whitelist_timeout>

The duration, in seconds, of a bypass that is applied to a page that generated a warning, but for which the user selected continue.

300

<log_all_urls>

Configure whether to log all URLs. When this setting is 0, FortiClient only logs URLs as specified by per-category or per-URL settings. When this setting is 1, FortiClient logs all URLs.

Boolean value: [0 | 1]

<log_user_initiated_traffic>

Configure what traffic to record. When this setting is 0, FortiClient records all traffic. When this setting is 1, FortiClient records only traffic that the user initiates.

Boolean value: [0 | 1]

<profile><categories><category> elements

<id>

Unique ID. A number. The valid set of category IDs is predefined, and is listed in exported configuration files.

<action>

Action to perform on matching network traffic. Enter one of the following:

  • allow
  • deny
  • warn
  • monitor

<profile><urls><url> elements

<address>

The web address in which <action> (allow or deny) is performed. This should be wrapped in a CDATA tag. For example:

<![CDATA[www.777.com]]>

<action>

Action to perform on matching network traffic. Enter one of the following: [allow | deny]

<profile><webbrowser_plugin> elements

<enabled>

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites.

After this option is enabled, the user must open the browser to approve installing the new plugin. Currently this feature is only supported when using the Chrome browser on a Windows machine.

0

<sync_mode>

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

0

<addressbar_only>

Enable the plugin to only check domains, even if the full URL is provided. This allows for faster processing. When this option is disabled, the plugin checks full URLs.

0

The <safe_search> element has two main components:

  • Search engines <search_engines>
  • Users may define safe search parameters for each of the popular search engines: Bing and Yandex. Subsequent use of the engines for web searches have Safe Search enabled.

  • YouTube education filter <youtube_education_filter>
  • Educational institutions with valid YouTube education ID can provide this in the <youtube_education_filter> element to restrict YouTube contents appropriately.

The following table provides profile XML tags and the description. See the <safe_search> listing in the previous pages for examples of each tag.

XML tag

Description

Default value

<profiles><profile><safe_search><search_engines><engine> elements

<name>

Name of the Safe Search profile.

<host>

The search engine's FQDN. FortiClient monitors attempts to visit this address.

<url>

The URL substring to match or monitor, along with the FQDN.

<query>

The query string appended to the URL.

<safe_search_string>

The correct safe search string appended to the URL for the specified engine.

<cookie_name>

The name of the cookie to send the search engine.

<cookie_value>

The cookie value to send the search engine.

<profiles><profile><safe_search><youtube_education_filter> elements

<enabled>

Enable YouTube education filter.

Boolean value: [0 | 1]

<filter_id>

The institution's education identifier.

Other than the <name> and <enabled> elements, the values for each of the elements in the previous table should be wrapped in <![CDATA[]]> XML tags. Here is an example for a <host> element taken from the <safe_search> listing.

<host><![CDATA[yandex\..*]]></host>

See Manage your YouTube settings for more information on YouTube for schools and the education filter.

The following is a list of all Web Filter categories including the category <id> and category name:

0 ==> Unrated

1 ==> Drug Abuse

2 ==> Alternative Beliefs

3 ==> Hacking

4 ==> Illegal or Unethical

5 ==> Discrimination

6 ==> Explicit Violence

7 ==> Abortion

8 ==> Other Adult Materials

9 ==> Advocacy Organizations

11 ==> Gambling

12 ==> Extremist Groups

13 ==> Nudity and Risque

14 ==> Pornography

15 ==> Dating

16 ==> Weapons (Sales)

17 ==> Advertising

18 ==> Brokerage and Trading

19 ==> Freeware and Software Downloads

20 ==> Games

23 ==> Web-based Email

24 ==> File Sharing and Storage

25 ==> Streaming Media and Download

26 ==> Malicious Websites

28 ==> Entertainment

29 ==> Arts and Culture

30 ==> Education

31 ==> Finance and Banking

33 ==> Health and Wellness

34 ==> Job Search

35 ==> Medicine

36 ==> News and Media

37 ==> Social Networking

38 ==> Political Organizations

39 ==> Reference

40 ==> Global Religion

41 ==> Search Engines and Portals

42 ==> Shopping

43 ==> General Organizations

44 ==> Society and Lifestyles

46 ==> Sports

47 ==> Travel

48 ==> Personal Vehicles

49 ==> Business

50 ==> Information and Computer Security

51 ==> Government and Legal Organizations

52 ==> Information Technology

53 ==> Armed Forces

54 ==> Dynamic Content

55 ==> Meaningless Content

56 ==> Web Hosting

57 ==> Marijuana

58 ==> Folklore

59 ==> Proxy Avoidance

61 ==> Phishing

62 ==> Plagiarism

63 ==> Sex Education

64 ==> Alcohol

65 ==> Tobacco

66 ==> Lingerie and Swimsuit

67 ==> Sports Hunting and War Games

68 ==> Web Chat

69 ==> Instant Messaging

70 ==> Newsgroups and Message Boards

71 ==> Digital Postcards

72 ==> Peer-to-peer File Sharing

75 ==> Internet Radio and TV

76 ==> Internet Telephony

77 ==> Child Education

78 ==> Real Estate

79 ==> Restaurant and Dining

80 ==> Personal Websites and Blogs

81 ==> Secure Websites

82 ==> Content Servers

83 ==> Child Abuse

84 ==> Web-based Applications

85 ==> Domain Parking

86 ==> Spam URLs

88 ==> Dynamic DNS

89 ==> Auction

90 ==> Newly Observed Domain

91 ==> Newly Registered Domain

92 ==> Charitable Organizations

93 ==> Remote Access

94 ==> Web Analytics

95 ==> Online Meeting

Web filter

Web filter XML configurations are contained in the <webfilter></webfilter> tags. There are two main sections:

Section

Description

General options

Configuration elements that affect the whole of the web filter service.

Profiles

Defines one or more rules that are applied to network traffic.

<forticlient_configuration>

<webfilter>

<enable_filter>1</enable_filter>

<enabled>1</enabled>

<current_profile>0</current_profile>

<partial_match_host>0</partial_match_host>

<disable_when_managed>0</disable_when_managed>

<max_violations>250</max_violations>

<max_violations_age>7</max_violations_age>

<block_malicious_websites>1</block_malicious_websites>

<bypass_private_ip>1</bypass_private_ip>

<browser_read_time_threshold>180</browser_read_time_threshold>

<https_block_method>0</https_block_method>

<profiles>

<profile>

<id>999</id>

<use_exclusion_list>1</use_exclusion_list>

</profile>

<profile>

<id>0</id>

<cate_ver>6</cate_ver>

<description>deny</description>

<name>deny</name>

<temp_whitelist_timeout>300</temp_whitelist_timeout>

<log_all_urls>1</log_all_urls>

<log_user_initiated_traffic>1</log_user_initiated_traffic>

<categories>

<fortiguard>

<enabled>1</enabled>

<url>fgd1.fortigate.com</url>

<rate_ip_addresses>1</rate_ip_addresses>

<action_when_unavailable>deny</action_when_unavailable>

<use_https_rating_server>1</use_https_rating_server>

</fortiguard>

<category>

<id>1</id>

<action>deny</action>

</category>

<category>

<id>2</id>

<action>deny</action>

</category>

<category>

<id>3</id>

<action>deny</action>

</category>

<category>

<id>4</id>

<action>deny</action>

</category>

<category>

<id>5</id>

<action>deny</action>

</category>

</categories>

<urls>

<url>

<address>

<![CDATA[www.777.com]]>

</address>

<type>simple</type>

<action>deny</action>

</url>

<url>

<address>

<![CDATA[www.fortinet.com]]>

</address>

<type>simple</type>

<action>allow</action>

</url>

</urls>

<webbrowser_plugin>

<enabled>0</enabled>

<sync_mode>0</sync_mode>

<addressbar_only>0</addressbar_only>

</webbrowser_plugin>

<safe_search>

<enabled>0</enabled>

<search_engines>

<enabled>0</enabled>

</search_engines>

<youtube_education_filter>

<enabled>0</enabled>

<filter_id>

<![CDATA[]]>

</filter_id>

</youtube_education_filter>

</safe_search>

</profile>

</profiles>

</webfilter>

</forticlient_configuration>

The following table provides the XML tags for web filter, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enable_filter>

Enable or disable web filter.

Boolean value: [0 | 1]

1

<enabled>

Enable or disable FDN querying service.

Boolean value: [0 | 1]

1

<current_profile>

(Optional) Currently selected profile ID. If using the advanced configuration on the FortiGate (for Endpoint Control), set this to 1000. The value should always match the <profile><id> selected.

<partial_match_host>

A hostname that is a substring of the specified path is treated as a full match.

Boolean value: [0 | 1]

0

<disable_when_managed>

If enabled, FortiClient disables web filter when connected to a FortiGate using Endpoint Control.

Boolean: [0 | 1]

<max_violations>

Maximum number of violations stored at any one time.

A number from 250 to 5000.

5000

<max_violation_age>

Maximum age in days of a violation record before it is culled.

A number from 1 to 90.

90

<block_malicious_websites>

Configure whether to block web sites with security risk categories (group 5). When this setting is 0, do not block web sites with security risk categories. When this setting is 1, block web sites with security risk categories.

Boolean: [0 | 1]

<bypass_private_ip>

Enable or disable bypassing private IP addresses. This feature is enabled by default.

Boolean: [0 | 1]

1

<browser_read_time_threshold>

Configure the threshold in seconds for web browser to be considered idle. When a web browser is idle for longer than the threshold, FortiClient considers the web browser idle, does not calculate the time.

90

<https_block_method>

Control how FortiClient behaves when Web Filter blocks an HTTPS site:

  • If set to 0, FortiClient displays an in-browser message that the site is not reachable or that it is unable to reach the site, that your connection is not private, or that the site is not secure.
  • If set to 1, FortiClient shows a bubble notification to the user. The connection fails/times out.
  • If set to 2, the connection fails/times out with no notification to the user.

0

<fortiguard> elements

<url>

The FortiGuard server's IP address or FQDN.

fgd1.fortigate.com

<enabled>

Enable or disable use of FortiGuard servers.

Boolean value: [0 | 1]

1

<rate_ip_addresses>

Rate IP addresses.

Boolean value: [0 | 1]

1

<action_when_unavailable>

Configure the action to take with all websites when FortiGuard is temporarily unavailable. FortiClient takes the configured action until it reestablishes contact with FortiGuard. Available options are:

  • allow: Allow full, unfiltered access to all websites
  • deny: Deny access to any website
  • warn: Display an in-browser warning to user with an option to proceed to the website
  • monitor: Monitor site access

deny

<use_https_rating_server>

By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP protocol. You can instead enable Web Filter to send the requests via TCP protocol.

Boolean value: [0 | 1]

1

<profiles><profile><safe_search> element

<enabled>

Enable or disable Safe Search.

When Safe Search is enabled, the endpoint's Google search is set to restricted mode, and YouTube access is set to strict restricted access. To set YouTube access to moderate restricted or unrestricted YouTube access, you can disable Safe Search and configure Google search and YouTube access with the Google Admin Console instead of with EMS.

Boolean value: [0 | 1]

<profiles><profile><safe_search><search_engines><engine> element

<enabled>

Enable or disable Safe Search for the predefined search engines.

Boolean value: [0 | 1]

The <profiles> XML element may have one or more profiles, defined in the <profile> tag. Each <profile>, in turn, has one or more <category>, <url> and <safe_search> tags, along with other elements.

The following table provides profile XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<profile> elements

<id>

Unique ID. A number to define the profile.

<cate_ver>

FortiGuard category version used in this profile. A number.

6

<description>

Summary describing this profile.

<name>

A descriptive name for the profile.

<temp_whitelist_timeout>

The duration, in seconds, of a bypass that is applied to a page that generated a warning, but for which the user selected continue.

300

<log_all_urls>

Configure whether to log all URLs. When this setting is 0, FortiClient only logs URLs as specified by per-category or per-URL settings. When this setting is 1, FortiClient logs all URLs.

Boolean value: [0 | 1]

<log_user_initiated_traffic>

Configure what traffic to record. When this setting is 0, FortiClient records all traffic. When this setting is 1, FortiClient records only traffic that the user initiates.

Boolean value: [0 | 1]

<profile><categories><category> elements

<id>

Unique ID. A number. The valid set of category IDs is predefined, and is listed in exported configuration files.

<action>

Action to perform on matching network traffic. Enter one of the following:

  • allow
  • deny
  • warn
  • monitor

<profile><urls><url> elements

<address>

The web address in which <action> (allow or deny) is performed. This should be wrapped in a CDATA tag. For example:

<![CDATA[www.777.com]]>

<action>

Action to perform on matching network traffic. Enter one of the following: [allow | deny]

<profile><webbrowser_plugin> elements

<enabled>

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites.

After this option is enabled, the user must open the browser to approve installing the new plugin. Currently this feature is only supported when using the Chrome browser on a Windows machine.

0

<sync_mode>

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

0

<addressbar_only>

Enable the plugin to only check domains, even if the full URL is provided. This allows for faster processing. When this option is disabled, the plugin checks full URLs.

0

The <safe_search> element has two main components:

  • Search engines <search_engines>
  • Users may define safe search parameters for each of the popular search engines: Bing and Yandex. Subsequent use of the engines for web searches have Safe Search enabled.

  • YouTube education filter <youtube_education_filter>
  • Educational institutions with valid YouTube education ID can provide this in the <youtube_education_filter> element to restrict YouTube contents appropriately.

The following table provides profile XML tags and the description. See the <safe_search> listing in the previous pages for examples of each tag.

XML tag

Description

Default value

<profiles><profile><safe_search><search_engines><engine> elements

<name>

Name of the Safe Search profile.

<host>

The search engine's FQDN. FortiClient monitors attempts to visit this address.

<url>

The URL substring to match or monitor, along with the FQDN.

<query>

The query string appended to the URL.

<safe_search_string>

The correct safe search string appended to the URL for the specified engine.

<cookie_name>

The name of the cookie to send the search engine.

<cookie_value>

The cookie value to send the search engine.

<profiles><profile><safe_search><youtube_education_filter> elements

<enabled>

Enable YouTube education filter.

Boolean value: [0 | 1]

<filter_id>

The institution's education identifier.

Other than the <name> and <enabled> elements, the values for each of the elements in the previous table should be wrapped in <![CDATA[]]> XML tags. Here is an example for a <host> element taken from the <safe_search> listing.

<host><![CDATA[yandex\..*]]></host>

See Manage your YouTube settings for more information on YouTube for schools and the education filter.

The following is a list of all Web Filter categories including the category <id> and category name:

0 ==> Unrated

1 ==> Drug Abuse

2 ==> Alternative Beliefs

3 ==> Hacking

4 ==> Illegal or Unethical

5 ==> Discrimination

6 ==> Explicit Violence

7 ==> Abortion

8 ==> Other Adult Materials

9 ==> Advocacy Organizations

11 ==> Gambling

12 ==> Extremist Groups

13 ==> Nudity and Risque

14 ==> Pornography

15 ==> Dating

16 ==> Weapons (Sales)

17 ==> Advertising

18 ==> Brokerage and Trading

19 ==> Freeware and Software Downloads

20 ==> Games

23 ==> Web-based Email

24 ==> File Sharing and Storage

25 ==> Streaming Media and Download

26 ==> Malicious Websites

28 ==> Entertainment

29 ==> Arts and Culture

30 ==> Education

31 ==> Finance and Banking

33 ==> Health and Wellness

34 ==> Job Search

35 ==> Medicine

36 ==> News and Media

37 ==> Social Networking

38 ==> Political Organizations

39 ==> Reference

40 ==> Global Religion

41 ==> Search Engines and Portals

42 ==> Shopping

43 ==> General Organizations

44 ==> Society and Lifestyles

46 ==> Sports

47 ==> Travel

48 ==> Personal Vehicles

49 ==> Business

50 ==> Information and Computer Security

51 ==> Government and Legal Organizations

52 ==> Information Technology

53 ==> Armed Forces

54 ==> Dynamic Content

55 ==> Meaningless Content

56 ==> Web Hosting

57 ==> Marijuana

58 ==> Folklore

59 ==> Proxy Avoidance

61 ==> Phishing

62 ==> Plagiarism

63 ==> Sex Education

64 ==> Alcohol

65 ==> Tobacco

66 ==> Lingerie and Swimsuit

67 ==> Sports Hunting and War Games

68 ==> Web Chat

69 ==> Instant Messaging

70 ==> Newsgroups and Message Boards

71 ==> Digital Postcards

72 ==> Peer-to-peer File Sharing

75 ==> Internet Radio and TV

76 ==> Internet Telephony

77 ==> Child Education

78 ==> Real Estate

79 ==> Restaurant and Dining

80 ==> Personal Websites and Blogs

81 ==> Secure Websites

82 ==> Content Servers

83 ==> Child Abuse

84 ==> Web-based Applications

85 ==> Domain Parking

86 ==> Spam URLs

88 ==> Dynamic DNS

89 ==> Auction

90 ==> Newly Observed Domain

91 ==> Newly Registered Domain

92 ==> Charitable Organizations

93 ==> Remote Access

94 ==> Web Analytics

95 ==> Online Meeting