Handbook

6.0.0
Advanced configurations

Allow websites when a rating error occurs

Enable this setting to allow access to web pages that return a rating error from the FortiGuard Web Filter service.

If your FortiGate unit temporarily cannot contact the FortiGuard service, this setting determines the type of access the FortiGate unit allows until contact is re-established. If enabled, users have full, unfiltered access to all web sites. If disabled, users are not allowed access to any web sites.

ActiveX filter

Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly with this filter enabled.

Block Invalid URLs

Select to block web sites when their SSL certificate CN field does not contain a valid domain name.

FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:

  • If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
  • If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.

Caution: Enabling the Web Filter profile to block a particular category and enabling the Application Control profile will not result in blocking the URL. This occurs because proxy and flow-based profiles cannot operate together. To ensure replacement messages show up for blocked URLs, switch the Web Filter to flow-based inspection.

Cookie filter

Enable to filter cookies from web traffic. Web sites using cookies may not function properly with this enabled.

Provide Details for Blocked HTTP 4xx and 5xx Errors

Enable to have the FortiGate unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.

HTTP POST action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled out or a file you are uploading, to a web server.

The available actions are:

Allow

Allow the HTTP POST command.

Block

Block the HTTP POST command. This will limit users from sending information and files to web sites.

When the post request is blocked, the FortiGate unit sends the http-post-block replacement message to the web browser attempting to use the command.

Java applet filter

Enable to filter java applets from web traffic. Web sites using java applets may not function properly with this filter enabled.

Rate Images by URL

Enable to have the FortiGate retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.

Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.

Rate URLs by Domain and IP Address

Enable to have the FortiGate unit request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address differ, the action that is enforced is determined by a weighting assigned to the different categories. The higher weighted category takes precedence in determining the action. As a side effect, sometimes the action is determined by the classification based on the domain name and other times by the classification based on the IP address.

Note: FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed.

For example, if a URL's rating based on the domain name placed it in the category Lingerie and Swimsuit, which is allowed, but the category assigned to the IP address was Pornography, which has an action of Block, the effective action is Block because the Pornography category has the higher weight.
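The precedence rule above, worked through as an added example (this is illustration code, not FortiOS code). The category weights and actions in the table are assumptions; the page does not publish FortiGuard's real weights, and the tie-break is also an assumption.

```python
from typing import Dict, Optional, Tuple

# Constructed category table: (weight, action). The weights are assumptions for
# illustration only; FortiGuard's real category weights are not given on this page.
CATEGORY_TABLE: Dict[str, Tuple[int, str]] = {
    "Business":              (10, "allow"),
    "Lingerie and Swimsuit": (40, "allow"),
    "Pornography":           (80, "block"),
    "Malicious Websites":    (100, "block"),
}


def effective_action(domain_category: Optional[str],
                     ip_category: Optional[str],
                     rate_by_domain_and_ip: bool = True,
                     table: Dict[str, Tuple[int, str]] = CATEGORY_TABLE) -> Tuple[str, str]:
    """Return (deciding_category, action) for one request.

    With 'Rate URLs by Domain and IP Address' disabled only the domain-name rating
    is used. With it enabled and the two ratings differing, the category with the
    higher weight decides. A missing rating (None) has no weight, so the other
    rating wins. An exact tie falls back to the domain rating (assumption: the
    page does not say how ties are resolved).
    """
    if not rate_by_domain_and_ip or ip_category is None:
        if domain_category is None:
            raise ValueError("no rating available for this request")
        return domain_category, table[domain_category][1]
    if domain_category is None:
        return ip_category, table[ip_category][1]
    dom_weight, dom_action = table[domain_category]
    ip_weight, ip_action = table[ip_category]
    if ip_weight > dom_weight:
        return ip_category, ip_action
    return domain_category, dom_action
```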

Web resume download block

Enable to prevent the resumption of a file download where it was previously interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off.

This prevents the unintentional download of viruses hidden in fragmented files.

Note that some types of files, such as PDF, are fragmented to increase download speed, and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range header in the HTTP protocol, such as YUM, a Linux update manager.

Restrict Google account usage to specific domains

This feature allows blocking access to some Google accounts and services while allowing access to accounts in the domains specified in the exception list.

Block non-English character URLs

The FortiGate will not successfully block non-English character URLs if they are added to the URL filter as typed. To block access to URLs with non-English characters, the characters must first be converted to their URL-encoded (percent-encoded) form.

Browse to the non-English character URL (for example, http://www.fortinet.com/pages/ที่นี่-ไม่มีเศษรัฐประหารให้ใครแดก/338419686287505?ref=stream).

On the FortiGate, use the URL shown in the FortiGate GUI and add it to the list of blocked URLs in your URL filter (for example, http://www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream).

Once added, further browsing to the URL will result in a blocked page.
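The conversion step above, as an added example that is not part of the original page or FortiOS: it turns the raw URL into the percent-encoded (UTF-8, uppercase hex) form the GUI shows, and into the scheme-less value used by `set url` in the CLI. The example URL is the one on this page; the function also handles a URL that is already encoded without double-encoding it.

```python
from urllib.parse import quote, unquote, urlsplit

# Example URL taken from this page (the non-English characters are Thai).
RAW_URL = "http://www.fortinet.com/pages/ที่นี่-ไม่มีเศษรัฐประหารให้ใครแดก/338419686287505?ref=stream"


def percent_encode_url(url: str) -> str:
    """Return the URL with its path and query percent-encoded as UTF-8.

    quote() emits uppercase hex (%E0%B8%97 ...), matching what the FortiGate GUI
    displays. The path and query are decoded first so that a URL that is already
    percent-encoded is not encoded twice ('%' would otherwise become '%25').
    """
    parts = urlsplit(url)
    path = quote(unquote(parts.path), safe="/")
    query = quote(unquote(parts.query), safe="=&")
    base = f"{parts.scheme}://{parts.netloc}{path}" if parts.scheme else f"{parts.netloc}{path}"
    return f"{base}?{query}" if query else base


def urlfilter_entry(url: str) -> str:
    """Return the value for 'set url' in a webfilter urlfilter entry: the encoded
    URL without its scheme, as in the CLI example on this page."""
    encoded = percent_encode_url(url)
    return encoded.split("://", 1)[1] if "://" in encoded else encoded
```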

CLI Syntax

config webfilter urlfilter
    edit 1
        set name "block_international_character_urls"
        config entries
            edit 1
                set url "www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream"
                set action block
            next
        end
    next
end

config webfilter urlfilter
    edit 2
        set name "block_international_character_urls"
    next
end

config webfilter profile
    edit "block_international_character_urls"
    next
end

config firewall policy
    edit 3
        set uuid cf80d386-7bcf-51e5-6e87-db207e3f0fa8
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webfilter-profile "block_international_character_urls"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

Websense web filtering through WISP

WISP is a Websense protocol that allows for URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.

This feature provides a solution for customers with large, existing deployments of Websense security products who want to replace their legacy firewalls with FortiGate units without being forced to change their web filtering infrastructure at the same time.

When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.

Configuring the WISP server

To use Websense's web filtering service, a WISP server must first be defined and enabled in each VDOM.

config web-proxy wisp
    edit {name}
    # Configure Websense WISP servers.
        set name {string}   Server name. size[35]
        set comment {string}   Comment. size[255]
        set outgoing-ip {ipv4 address any}   WISP outgoing IP address.
        set server-ip {ipv4 address any}   WISP server IP address.
        set server-port {integer}   WISP server port (1 - 65535, default = 15868). range[1-65535]
        set max-connections {integer}   Maximum number of web proxy WISP connections (4 - 4096, default = 64). range[4-4096]
        set timeout {integer}   Period of time before WISP requests time out (1 - 15 sec, default = 5). range[1-15]
    next
end

Example configuration

config web-proxy wisp
    edit 0
        set outgoing-ip 0.0.0.0
        set server-ip 0.0.0.0
        set server-port 15868
        set max-connections 64
        set timeout 5
    next
end

After configuring the WISP server, enable WISP in the web filter profile.

config webfilter profile
    edit "wisp_only"
        set wisp enable
        set wisp-servers 0
    next
end

Now you can apply the web filter profile to a firewall policy.

If you configure more than one WISP server, the load balance option can also be configured.

config webfilter profile
    edit "wisp_only"
        set wisp-algorithm {primary-secondary | round-robin | auto-learning}
    next
end

The options for the wisp-algorithm are:

  • primary-secondary: select the first healthy server in configured order
  • round-robin: select the next healthy server in turn
  • auto-learning: select the healthy server with the lightest load
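The three selection rules, modelled as an added example (illustration code, not FortiOS code). The pool assumes the FortiGate knows each server's health and its number of in-flight requests; both are assumptions about how "healthy" and "lightest load" are measured, which the page does not specify.

```python
from typing import Dict, List, Optional


class WispServerPool:
    """Model of the wisp-algorithm choices. Servers keep their configured order;
    'healthy' and 'load' (in-flight requests) are assumed bookkeeping."""

    def __init__(self, servers: List[str]):
        self.servers = list(servers)
        self.healthy: Dict[str, bool] = {s: True for s in servers}
        self.load: Dict[str, int] = {s: 0 for s in servers}
        self._next = 0  # round-robin cursor

    def set_health(self, server: str, healthy: bool) -> None:
        self.healthy[server] = healthy

    def select(self, algorithm: str) -> Optional[str]:
        healthy = [s for s in self.servers if self.healthy[s]]
        if not healthy:
            return None  # no reachable WISP server, so no policy decision is available
        if algorithm == "primary-secondary":
            # First healthy server in configured order; later ones are used only on failure.
            return healthy[0]
        if algorithm == "round-robin":
            # Advance the cursor through the configured list, skipping unhealthy entries.
            for _ in range(len(self.servers)):
                candidate = self.servers[self._next % len(self.servers)]
                self._next += 1
                if self.healthy[candidate]:
                    return candidate
            return None
        if algorithm == "auto-learning":
            # Lightest loaded healthy server; ties resolve to configured order.
            return min(healthy, key=lambda s: (self.load[s], self.servers.index(s)))
        raise ValueError(f"unknown wisp-algorithm: {algorithm}")

    def dispatch(self, algorithm: str) -> Optional[str]:
        """Select a server for one request and account for the extra in-flight load."""
        chosen = self.select(algorithm)
        if chosen is not None:
            self.load[chosen] += 1
        return chosen

    def complete(self, server: str) -> None:
        """Record that a request to this server has finished."""
        self.load[server] -= 1
```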
