Handbook

FortiGuard Web Filtering

6.0.0

FortiGuard Web Filtering

FortiGuard Web Filtering is a managed web filtering solution available by subscription from Fortinet. Before you begin to use the FortiGuard Web Filtering options, verify that you have a valid subscription to the service for your FortiGate firewall.

FortiGuard Web Filtering enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface. FortiGuard Web Filtering supports detection for traffic using HTTP protocol (versions 1.0, 1.1, and 2.0).

FortiGuard Web Filtering includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard Web Filtering ratings are produced by a combination of proprietary methods, including text analysis, analysis of the web's link structure, and human raters. Users can notify the FortiGuard Web Filtering Service Points if they believe a web page is categorized incorrectly, so that the service can update the categories in a timely fashion.

FortiGuard web filtering and your FortiGate unit

When FortiGuard Web Filtering is enabled in a web filter or a DNS filter profile, the setting applies to every firewall policy that uses that profile. When a request for a web page appears in traffic controlled by one of these policies, the FortiGate unit sends the URL to the nearest FortiGuard server, which returns the URL's category. If the category is blocked, the FortiGate unit returns a replacement message in place of the requested page. If the category is not blocked, the request is forwarded to the requested URL as normal. For HTTPS traffic, only the host name (taken from the TLS handshake or the server certificate) is available for rating unless the policy also applies an SSL inspection profile that decrypts the session; ratings that depend on the URL path require decryption.

FortiGuard web filtering actions

The possible actions are:

  • Allow permits access to the sites within the category.
  • Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
  • Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
  • Warning presents the user with a message, allowing them to continue if they choose.
  • Authenticate requires a user to authenticate with the FortiGate unit before being allowed access to the category or category group.

The actions available depend on the inspection mode and, for flow-based inspection, on the NGFW mode.

  • Proxy - Allow, Block, Monitor, Warning, Authenticate, or Disable.
  • Flow-based, profile-based - Allow, Block, or Monitor, configured in a web filter profile that is then applied to a firewall policy.
  • Flow-based, policy-based - Accept or Deny. In this mode, you add FortiGuard web filtering categories directly to a firewall policy without configuring a web filter profile; the web filtering action is the accept or deny action of the firewall policy itself.

Note: Configuring Web Filter profiles in flow mode differs depending on the NGFW mode selected.

Web filtering flowchart

FortiGuard web filtering categories

The following tables identify each FortiGuard web filtering category (organized by group) along with its category ID. You can list the current category IDs from the CLI by entering ? at the category prompt of a web filter profile filter entry:

    config webfilter profile
        edit default
            config ftgd-wf
                config filters
                    edit 1
                        set category ?

For a complete description of each web filtering category, visit http://www.fortiguard.com/webfilter/categories.

Potentially Liable

  ID  Category
   1  Drug Abuse
   3  Hacking
   4  Illegal or Unethical
   5  Discrimination
   6  Explicit Violence
  12  Extremist Groups
  59  Proxy Avoidance
  62  Plagiarism
  83  Child Abuse

Adult/Mature Content

  ID  Category
   2  Alternative Beliefs
   7  Abortion
   8  Other Adult Materials
   9  Advocacy Organizations
  11  Gambling
  13  Nudity and Risque
  14  Pornography
  15  Dating
  16  Weapons (Sales)
  57  Marijuana
  63  Sex Education
  64  Alcohol
  65  Tobacco
  66  Lingerie and Swimsuit
  67  Sports Hunting and War Games

Bandwidth Consuming

  ID  Category
  19  Freeware and Software Downloads
  24  File Sharing and Storage
  25  Streaming Media and Download
  72  Peer-to-peer File Sharing
  75  Internet Radio and TV
  76  Internet Telephony

Security Risk

  ID  Category
  26  Malicious Websites
  61  Phishing
  86  Spam URLs
  88  Dynamic DNS
   -  Newly Observed Domain (ID not listed)
   -  Newly Registered Domain (ID not listed)

Newly observed domain (NOD) applies to URLs whose domain name is not rated and was observed for the first time in the past 30 minutes.

Newly registered domain (NRD) applies to URLs whose domain name was registered in the previous 10 days.

General Interest - Personal

  ID  Category
  17  Advertising
  18  Brokerage and Trading
  20  Games
  23  Web-based Email
  28  Entertainment
  29  Arts and Culture
  30  Education
  33  Health and Wellness
  34  Job Search
  35  Medicine
  36  News and Media
  37  Social Networking
  38  Political Organizations
  39  Reference
  40  Global Religion
  42  Shopping
  44  Society and Lifestyles
  46  Sports
  47  Travel
  48  Personal Vehicles
  54  Dynamic Content
  55  Meaningless Content
  58  Folklore
  68  Web Chat
  69  Instant Messaging
  70  Newsgroups and Message Boards
  71  Digital Postcards
  77  Child Education
  78  Real Estate
  79  Restaurant and Dining
  80  Personal Websites and Blogs
  82  Content Servers
  85  Domain Parking
  87  Personal Privacy
  89  Auction

General Interest - Business

  ID  Category
  31  Finance and Banking
  41  Search Engines and Portals
  43  General Organizations
  49  Business
  50  Information and Computer Security
  51  Government and Legal Organizations
  52  Information Technology
  53  Armed Forces
  56  Web Hosting
  81  Secure Websites
  84  Web-based Applications

Local categories

Users can define custom or local categories. See Overriding FortiGuard Website Categorization for details.

FortiGuard web filtering usage quotas

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific bandwidth, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity-based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.

Note: The use of FortiGuard Web Filtering quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required. Editing the web filter profile resets the quota timers for all users.

When a user first attempts to access a URL, they are prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked, and the FortiGate unit adjusts the user's remaining quota for that category or classification.

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas are:

  1. Category
  2. Category group
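The following FortiOS CLI configuration is an added example, not taken from this handbook page, that ties together the per-category actions described under "FortiGuard web filtering actions" and the per-user quotas described under "FortiGuard web filtering usage quotas". The profile name corp-web, the user group web-users, the interfaces port1 and port2, and the policy ID 10 are assumed placeholders; the category IDs are the ones listed in the tables above. The warning action only takes effect when the VDOM uses proxy inspection.

```fortios
config webfilter profile
    edit "corp-web"
        set comment "Added example: block Security Risk, warn on Proxy Avoidance, quota on Social Networking"
        # Log every rated URL, not only blocked ones, so monitor-action hits are visible
        set log-all-url enable
        config ftgd-wf
            # Leave "error-allow" out of options: if the rating lookup fails the request
            # is not silently allowed through (fail closed rather than fail open)
            unset options
            config filters
                # Security Risk group (26, 61, 86, 88): block outright
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
                edit 3
                    set category 86
                    set action block
                next
                edit 4
                    set category 88
                    set action block
                next
                # Proxy Avoidance (59): show a warning page; the user may continue,
                # and the choice is remembered for warn-duration (proxy inspection only)
                edit 5
                    set category 59
                    set action warning
                    set warn-duration 5m
                next
                # Social Networking (37): monitor (allow and log) so the quota below applies
                edit 6
                    set category 37
                    set action monitor
                next
            end
            config quota
                # 30 minutes of Social Networking per authenticated user per day; resets at midnight
                edit 1
                    set category 37
                    set type time
                    set duration 30m
                next
            end
        end
    next
end

config firewall policy
    edit 10
        set name "lan-to-wan-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # Identity-based policy: only authenticated members of web-users match.
        # Without this the per-user quota above is ignored.
        set groups "web-users"
        set utm-status enable
        set webfilter-profile "corp-web"
        # Certificate inspection exposes only the host name of HTTPS sessions for rating;
        # use a deep-inspection profile if path-level ratings are required
        set ssl-ssh-profile "certificate-inspection"
        set profile-protocol-options "default"
        set logtraffic all
        set nat enable
    next
end
```

Before relying on the profile, confirm that the unit can reach the rating service with `diagnose debug rating`, which lists the FortiGuard web filter servers and their round-trip times; a profile that references a category is only enforced once ratings are actually returned. Because editing the profile resets every user's quota timers, make quota changes outside working hours.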
