FortiGuard Web Filtering
FortiGuard Web Filtering is a managed web filtering solution available by subscription from Fortinet. Before you begin to use the FortiGuard Web Filtering options, verify that you have a valid subscription to the service for your FortiGate firewall.
FortiGuard Web Filtering enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface. FortiGuard Web Filtering supports detection for traffic using HTTP protocol (versions 1.0, 1.1, and 2.0).
FortiGuard Web Filtering includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.
FortiGuard Web Filtering ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filtering Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.
FortiGuard web filtering and your FortiGate unit
When FortiGuard Web Filtering is enabled in a web filter or a DNS filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.
FortiGuard web filtering actions
The possible actions are:
- Allow permits access to the sites within the category.
- Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
- Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
- Warning presents the user with a message, allowing them to continue if they choose.
- Authenticate requires a user to authenticate with the FortiGate unit before being allowed access to the category or category group.
The actions available depend on the inspection mode.
- Proxy - Allow, Block, Monitor, Warning, Authenticate, or Disable.
- Flow-based, policy-based - Allow, Block, or Monitor.
- Flow-based, profile-based - Accept or Deny. (In this mode, you configure web filtering by adding FortiGuard web filtering categories to a firewall policy without configuring a web filtering profile. The web filtering actions become the accept or deny firewall policy actions.)
|
Configuring Web Filter profiles in flow-mode is different depending on the NGFW mode selected. |
Web filtering flowchart
FortiGuard web filtering categories
The following tables identify each FortiGuard web filtering category (organized by group) along with associated category IDs. You can access the current list of category IDs through the CLI.
config webfilter profile
edit default
config ftgd-wf
config filters
edit 1
set category ?
For a complete description of each web filtering category, visit http://www.fortiguard.com/webfilter/categories.
Potentially Liable
ID | Category | ID | Category | |
---|---|---|---|---|
1 | Drug Abuse | 12 | Extremist Groups | |
3 | Hacking | 59 | Proxy Avoidance | |
4 | Illegal or Unethical | 62 | Plagiarism | |
5 | Discrimination | 83 | Child Abuse | |
6 | Explicit Violence |
Adult/Mature Content
ID | Category | ID | Category | |
---|---|---|---|---|
2 | Alternative Beliefs | 16 | Weapons (Sales) | |
7 | Abortion | 57 | Marijuana | |
8 | Other Adult Materials | 63 | Sex Education | |
9 | Advocacy Organizations | 64 | Alcohol | |
11 | Gambling | 65 | Tobacco | |
13 | Nudity and Risque | 66 | Lingerie and Swimsuit | |
14 | Pornography | 67 | Sports Hunting and War Games | |
15 | Dating |
Bandwidth Consuming
ID | Category | ID | Category | |
---|---|---|---|---|
19 | Freeware and Software Downloads | 72 | Peer-to-peer File Sharing | |
24 | File Sharing and Storage | 75 | Internet Radio and TV | |
25 | Streaming Media and Download | 76 | Internet Telephony |
Security Risk
ID | Category | ID | Category | |
---|---|---|---|---|
26 | Malicious Websites | 86 | Spam URLs | |
61 | Phishing | 88 | Dynamic DNS | |
Newly Observed Domain | Newly Registered Domain |
Newly observed domain (NOD) applies to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes.
Newly registered domain (NRD) applies to URLs whose domain name was registered in the previous 10 days.
General Interest - Personal
ID | Category | ID | Category | |
---|---|---|---|---|
17 | Advertising | 47 | Travel | |
18 | Brokerage and Trading | 48 | Personal Vehicles | |
20 | Games | 54 | Dynamic Content | |
23 | Web-based Email | 55 | Meaningless Content | |
28 | Entertainment | 58 | Folklore | |
29 | Arts and Culture | 68 | Web Chat | |
30 | Education | 69 | Instant Messaging | |
33 | Health and Wellness | 70 | Newsgroups and Message Boards | |
34 | Job Search | 71 | Digital Postcards | |
35 | Medicine | 77 | Child Education | |
36 | News and Media | 78 | Real Estate | |
37 | Social Networking | 79 | Restaurant and Dining | |
38 | Political Organizations | 80 | Personal Websites and Blogs | |
39 | Reference | 82 | Content Servers | |
40 | Global Religion | 85 | Domain Parking | |
42 | Shopping | 87 | Personal Privacy | |
44 | Society and Lifestyles | 89 | Auction | |
46 | Sports |
General Interest - Business
ID | Category | ID | Category | |
---|---|---|---|---|
31 | Finance and Banking | 52 | Information Technology | |
41 | Search Engines and Portals | 53 | Armed Forces | |
43 | General Organizations | 56 | Web Hosting | |
49 | Business | 81 | Secure Websites | |
50 | Information and Computer Security | 84 | Web-based Applications | |
51 | Government and Legal Organizations |
Local categories
Users can define custom or local categories. See Overriding FortiGuard Website Categorization for details.
FortiGuard web filtering usage quotas
In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific bandwidth, calculated separately for each user. Quotas are reset every day at midnight.
Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity-based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.
The use of FortiGuard Web Filtering quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required. Editing the web filter profile resets the quota timers for all users. |
When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked and FortiGate unit adjusts the user’s remaining available quota for the category or classification.
Quota hierarchy
You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.
When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas are:
- Category
- Category group