Fortinet black logo

EMS Administration Guide

Web Filter

Web Filter

For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter options.

Note

FortiClient can block webpages outside of web filtering. This includes:

  • Application Firewall: If the webpage matches a given signature where the action is set to block or if Block Access to Malicous Websites is enabled. See Firewall.

Webpage blocks generate an entry in the local FortiClient logs. If a website block cause is unclear, review the logs.

If Block Access to Malicious Websites is enabled on the Application Firewall profile and another action is configured for malicious websites on the Web Filter profile, Block Access to Malicious Websites takes precedence and FortiClient blocks access to malicious websites.

Configuration

Description

Web Filter

Enable web filtering.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

General

Enable WebFiltering on FortiClient

Select Always On to enable client web filtering when on-fabric.

Select Only When Endpoint is Off-Fabric to enable Web Filter on endpoints only when the endpoint is considered off-Fabric. See On-fabric Detection Rules.

This setting affects the Block Access to Malicious Websites setting in Malware Protection.

Log All URLs

Log all URLs. When this setting is disabled, FortiClient only logs URLs as specified by per-category or per-URL settings. FortiClient only logs these logs locally or sends them to FortiAnalyzer if configured.

Log User Initiated Traffic

Log only user-initiated traffic.

Action On HTTPS Site Blocking

  • Display In-Browser Message
  • Fail Connection & Show Bubble Notification
  • Fail Connection

Enable Web Browser Plugin for HTTPS Web Filtering

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. EMS only installs the web browser plugin for the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on Windows platforms.

Sync Mode

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

Check User Initiated Traffic Only

Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.

Enable Safe Search

For Windows endpoints and Chromebooks, when enabling Safe Search, you can configure the Restriction Level to Strict or Moderate. This setting affects the content that endpoint users can access via YouTube and search engine, including Google and Bing. For Chromebooks, to set YouTube access to Unrestricted, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.

For macOS endpoints, enabling Safe Search sets the endpoint's Google search to Restricted mode and YouTube access to Strict Restricted access.

Enabling Safe Search adds records, including Yandex.ru, to the client device's hosts file in order to redirect search engine requests.

Site Categories

Enable site categories from FortiGuard. When you disable site categories, the exclusion list protects FortiClient.

See the FortiGuard website for descriptions of the available categories and subcategories.

For all categories, you can configure an action for the entire site category by selecting one of the following:

  • Block
  • Warn
  • Allow
  • Monitor

You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The following lists each site category's subcategories.

Adult/Mature Content

  • Abortion
  • Advocacy Organizations
  • Alcohol
  • Alternative Beliefs
  • Dating
  • Gambling
  • Lingerie and Swimsuit
  • Marijuana
  • Nudity and Risque
  • Other Adult Materials
  • Pornography
  • Sex Education
  • Sports Hunting and War Games
  • Tobacco
  • Weapons (Sales)

Bandwidth Consuming

  • File Sharing and Storage
  • Freeware and Software Downloads
  • Internet Radio and TV
  • Internet Telephony
  • Peer-to-peer File Sharing
  • Streaming Media and Download

General Interest-Business

  • Armed Forces
  • Business
  • Charitable Organizations
  • Finance and Banking
  • General Organizations
  • Government and Legal Organizations
  • Information Technology
  • Information and Computer Security
  • Online Meeting
  • Remote Access
  • Search Engines and Portals
  • Secure Websites
  • Web Analytics
  • Web Hosting
  • Web-based Applications

General Interest-Personal

  • Advertising
  • Arts and Culture
  • Auction
  • Brokerage and Trading
  • Child Education
  • Content Servers
  • Digital Postcards
  • Domain Parking
  • Dynamic Content
  • Education
  • Entertainment
  • Folklore
  • Games
  • Global Religion
  • Health and Wellness
  • Instant Messaging
  • Job Search
  • Meaningless Content
  • Medicine
  • News and Media
  • Newsgroups and Message Boards
  • Personal Privacy
  • Personal Vehicles
  • Personal Websites and Blogs
  • Political Organizations
  • Real Estate
  • Reference
  • Restaurant and Dining
  • Shopping
  • Social Networking
  • Society and Lifestyles
  • Sports
  • Travel
  • Web Chat
  • Web-based Email

Potentially Liable

  • Child Sexual Abuse
  • Crypto Mining
  • Discrimination
  • Drug Abuse
  • Explicit Violence
  • Extremist Groups
  • Hacking
  • Illegal or Unethical
  • Plagiarism
  • Potentially Unwanted Program
  • Proxy Avoidance
  • Terrorism

Security Risk

  • Dynamic DNS
  • Malicious Websites
  • Newly Observed Domain
  • Newly Registered Domain
  • Phishing
  • Spam URLs
Unrated

Rate IP Addresses

Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category takes precedence in determining the action. This has the side effect that sometimes the action is determined by the classification based on the domain name and other times it is determined by the classification that is based on the IP address.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed.

An example of how this works is if a URL's rating based on the domain name indicates that it belongs in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight, the effective action is Block.

Use HTTPS Rating Server

By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP protocol. You can instead enable Web Filter to send the requests via TCP protocol.

Allow websites when rating error occurs

Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:

  • Block: Deny access to any websites. This may prevent endpoints from accessing captive portals.
  • Warn: Display in-browser warning to user, with an option to proceed to the website
  • Allow: Allow full, unfiltered access to all websites
  • Monitor: Log the site access

FortiGuard Server Location

Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.

FortiClient connects to FortiGuard to query for URL ratings.

The URLs connected to for each server location are as follows:

  • FortiGuard:

    • Global: fgd1.fortigate.com

    • U.S.: usfgd1.fortigate.com

  • FortiGuard Anycast:

    • Global: fctguard.fortinet.net

    • U.S.: fctusguard.fortinet.net

    • Europe: fcteuguard.fortinet.net

Server

Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

Keyword Scanning on Search Engine

Use rating categories from FortiGuard to allow, block, or monitor searches for certain terms. This feature is only available for Chromebooks.

Banned Word Search

Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:

  • Violence/Terrorism
  • Extremist
  • Pornography
  • Cyber Bullying
  • Self Harm

Custom Banned Words

Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On.

You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.

The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.

Exclusion List

Adding more than 1000 exclusions is not recommended and can cause EMS instability.

Action

Select one of the following actions:

  • Allow
  • Block
  • Monitor

URL

Enter specific URLs to allow, block, or monitor. You can provide the full URL or only the domain name.

Referrer/Host

Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name.

If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action.

If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action.

Type

Select one of the following types:

  • Simple
  • Wildcard
  • Regular Expression

You can use wildcard characters and Perl Compatible Regular Expressions (PCRE).

This field only applies to the value in the URL field and does not apply to the value in the Referrer/Host field.

Move this rule up/Move this rule down

Move the exclusion rule up/down in the list. If multiple exclusion rules are applicable, EMS applies the first applicable exclusion rule.

Web Filter

For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter options.

Note

FortiClient can block webpages outside of web filtering. This includes:

  • Application Firewall: If the webpage matches a given signature where the action is set to block or if Block Access to Malicous Websites is enabled. See Firewall.

Webpage blocks generate an entry in the local FortiClient logs. If a website block cause is unclear, review the logs.

If Block Access to Malicious Websites is enabled on the Application Firewall profile and another action is configured for malicious websites on the Web Filter profile, Block Access to Malicious Websites takes precedence and FortiClient blocks access to malicious websites.

Configuration

Description

Web Filter

Enable web filtering.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

General

Enable WebFiltering on FortiClient

Select Always On to enable client web filtering when on-fabric.

Select Only When Endpoint is Off-Fabric to enable Web Filter on endpoints only when the endpoint is considered off-Fabric. See On-fabric Detection Rules.

This setting affects the Block Access to Malicious Websites setting in Malware Protection.

Log All URLs

Log all URLs. When this setting is disabled, FortiClient only logs URLs as specified by per-category or per-URL settings. FortiClient only logs these logs locally or sends them to FortiAnalyzer if configured.

Log User Initiated Traffic

Log only user-initiated traffic.

Action On HTTPS Site Blocking

  • Display In-Browser Message
  • Fail Connection & Show Bubble Notification
  • Fail Connection

Enable Web Browser Plugin for HTTPS Web Filtering

Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. EMS only installs the web browser plugin for the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on Windows platforms.

Sync Mode

When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

Check User Initiated Traffic Only

Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.

Enable Safe Search

For Windows endpoints and Chromebooks, when enabling Safe Search, you can configure the Restriction Level to Strict or Moderate. This setting affects the content that endpoint users can access via YouTube and search engine, including Google and Bing. For Chromebooks, to set YouTube access to Unrestricted, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.

For macOS endpoints, enabling Safe Search sets the endpoint's Google search to Restricted mode and YouTube access to Strict Restricted access.

Enabling Safe Search adds records, including Yandex.ru, to the client device's hosts file in order to redirect search engine requests.

Site Categories

Enable site categories from FortiGuard. When you disable site categories, the exclusion list protects FortiClient.

See the FortiGuard website for descriptions of the available categories and subcategories.

For all categories, you can configure an action for the entire site category by selecting one of the following:

  • Block
  • Warn
  • Allow
  • Monitor

You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The following lists each site category's subcategories.

Adult/Mature Content

  • Abortion
  • Advocacy Organizations
  • Alcohol
  • Alternative Beliefs
  • Dating
  • Gambling
  • Lingerie and Swimsuit
  • Marijuana
  • Nudity and Risque
  • Other Adult Materials
  • Pornography
  • Sex Education
  • Sports Hunting and War Games
  • Tobacco
  • Weapons (Sales)

Bandwidth Consuming

  • File Sharing and Storage
  • Freeware and Software Downloads
  • Internet Radio and TV
  • Internet Telephony
  • Peer-to-peer File Sharing
  • Streaming Media and Download

General Interest-Business

  • Armed Forces
  • Business
  • Charitable Organizations
  • Finance and Banking
  • General Organizations
  • Government and Legal Organizations
  • Information Technology
  • Information and Computer Security
  • Online Meeting
  • Remote Access
  • Search Engines and Portals
  • Secure Websites
  • Web Analytics
  • Web Hosting
  • Web-based Applications

General Interest-Personal

  • Advertising
  • Arts and Culture
  • Auction
  • Brokerage and Trading
  • Child Education
  • Content Servers
  • Digital Postcards
  • Domain Parking
  • Dynamic Content
  • Education
  • Entertainment
  • Folklore
  • Games
  • Global Religion
  • Health and Wellness
  • Instant Messaging
  • Job Search
  • Meaningless Content
  • Medicine
  • News and Media
  • Newsgroups and Message Boards
  • Personal Privacy
  • Personal Vehicles
  • Personal Websites and Blogs
  • Political Organizations
  • Real Estate
  • Reference
  • Restaurant and Dining
  • Shopping
  • Social Networking
  • Society and Lifestyles
  • Sports
  • Travel
  • Web Chat
  • Web-based Email

Potentially Liable

  • Child Sexual Abuse
  • Crypto Mining
  • Discrimination
  • Drug Abuse
  • Explicit Violence
  • Extremist Groups
  • Hacking
  • Illegal or Unethical
  • Plagiarism
  • Potentially Unwanted Program
  • Proxy Avoidance
  • Terrorism

Security Risk

  • Dynamic DNS
  • Malicious Websites
  • Newly Observed Domain
  • Newly Registered Domain
  • Phishing
  • Spam URLs
Unrated

Rate IP Addresses

Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category takes precedence in determining the action. This has the side effect that sometimes the action is determined by the classification based on the domain name and other times it is determined by the classification that is based on the IP address.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed.

An example of how this works is if a URL's rating based on the domain name indicates that it belongs in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight, the effective action is Block.

Use HTTPS Rating Server

By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP protocol. You can instead enable Web Filter to send the requests via TCP protocol.

Allow websites when rating error occurs

Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:

  • Block: Deny access to any websites. This may prevent endpoints from accessing captive portals.
  • Warn: Display in-browser warning to user, with an option to proceed to the website
  • Allow: Allow full, unfiltered access to all websites
  • Monitor: Log the site access

FortiGuard Server Location

Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.

FortiClient connects to FortiGuard to query for URL ratings.

The URLs connected to for each server location are as follows:

  • FortiGuard:

    • Global: fgd1.fortigate.com

    • U.S.: usfgd1.fortigate.com

  • FortiGuard Anycast:

    • Global: fctguard.fortinet.net

    • U.S.: fctusguard.fortinet.net

    • Europe: fcteuguard.fortinet.net

Server

Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

Keyword Scanning on Search Engine

Use rating categories from FortiGuard to allow, block, or monitor searches for certain terms. This feature is only available for Chromebooks.

Banned Word Search

Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:

  • Violence/Terrorism
  • Extremist
  • Pornography
  • Cyber Bullying
  • Self Harm

Custom Banned Words

Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On.

You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.

The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.

Exclusion List

Adding more than 1000 exclusions is not recommended and can cause EMS instability.

Action

Select one of the following actions:

  • Allow
  • Block
  • Monitor

URL

Enter specific URLs to allow, block, or monitor. You can provide the full URL or only the domain name.

Referrer/Host

Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name.

If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action.

If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action.

Type

Select one of the following types:

  • Simple
  • Wildcard
  • Regular Expression

You can use wildcard characters and Perl Compatible Regular Expressions (PCRE).

This field only applies to the value in the URL field and does not apply to the value in the Referrer/Host field.

Move this rule up/Move this rule down

Move the exclusion rule up/down in the list. If multiple exclusion rules are applicable, EMS applies the first applicable exclusion rule.