Fortinet white logo
Fortinet white logo

Administration Guide

FortiGuard filter

FortiGuard filter

The FortiGuard filter enhances the web filter features by sorting billions of web pages into a wide range of categories that users can allow or block.

The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply to more than two billion pages. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

To use this service, you must have a valid FortiGuard license.

The following actions are available:

FortiGuard web filter action

Description

Allow

Permit access to the sites in the category.

Monitor

Permit and log access to sites in the category. User quotas can be enabled for this option (see Usage quota).

Block

Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked.

Warning

Display a message to the user allowing them to continue if they choose.

Authenticate

Require the user to authenticate with the FortiGate before allowing access to the category or category group.

Disable

Remove the category from the from the web filter profile.

This option is only available for local or remote categories from the right-click menu.

FortiGuard web filter categories

FortiGuard has many web filter categories, including two local categories and a special remote category. Refer to the following table for more information:

FortiGuard web filter category

Where to find more information

All URL categories

See Web Filter Categories.

Local categories

See Web rating override.

Remote category

See Threat feeds.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of the local category and not the external or FortiGuard built-in category.

Blocking a web category

The following example shows how to block a website based on its category. The information and computer security category (category 52) will be blocked.

To block a category in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the FortiGuard category based filter section, select Information and Computer Security, then click Block.

  3. Configure the remaining settings as needed.
  4. Click OK.
To block a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action block
                next
            end
        end
    next
end
To verify that the category is blocked:
  1. Go to a website that belongs to the blocked category, such as www.fortinet.com.

    The page should be blocked and display a replacement message.

To view the log of a blocked website in the GUI:
  1. Go to Log & Report > Web Filter.
  2. Select an entry with blocked in the Action column and click Details.
To view the log of a blocked website in the CLI:
# execute log filter category utm-webfilter
# execute log display

1: date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" srcintfrole="wan" dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=386 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology"

Allowing users to override blocked categories

There is an option to allow users with valid credentials to override blocked categories.

To allow users to override blocked categories in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. Enable Allow users to override blocked categories.
  3. Enter information in the following fields:
    • Groups that can override
    • Profile name
    • Switch applies to
    • Switch Duration
  4. Configure the other settings as needed.

    Click Allow users to override blocked categories

  5. Click OK.
To allow users to override blocked categories in the CLI:
config webfilter profile
    edit "webfilter"
        set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
        config override
            set ovrd-user-group "radius_group"
            set profile "webfilter"
        end
        config ftgd-wf
            unset options
        end
    next
end

Issuing a warning on a web category

The following example shows how to issue a warning when a user visits a website in a specific category (information and computer security, category 52).

To configure a warning for a category in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the FortiGuard category based filter section, select Information and Computer Security, then click Warning.
  3. Set the Warning Interval, then click OK.

    The warning interval is the amount of time until the warning appears again after the user proceeds past it.

  4. Configure the remaining settings as needed.
  5. Click OK.
To configure a warning for a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action warning
                next
            end
        end
    next
end
To verify that the warning works:
  1. Go to a website that belongs to the category, such as www.fortinet.com.
  2. On the warning page, click Proceed or Go Back.

Authenticating a web category

The following example shows how to authenticate a website based on its category (information and computer security, category 52).

To authenticate a category in the GUI:
  1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.
  2. In the FortiGuard category based filter section, select Information and Computer Security, then click Authenticate.
  3. Set the Warning Interval and select one or more user groups, then click OK.
  4. Configure the remaining settings as needed.
  5. Click OK.
To authenticate a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action authenticate
                    set auth-usr-grp "local_group"
                next
            end
        end
    next
end
To verify that you have configured authentication:
  1. Go to a website that belongs to the category, such as www.fortinet.com.
  2. On the warning page, click Proceed.

  3. Enter the username and password for the configured user group, then click Continue.

Customizing the replacement message page

When the category action is Block, Warning, or Authenticate, you can customize the replacement message page that a user sees.

To customize the replacement message page:
  1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.
  2. In the FortiGuard category based filter section, right-click on a category and select Customize.
  3. Select a Replacement Message Group. See Replacement message groups for details.
  4. Optionally, click Edit FortiGuard Block Page or Edit FortiGuard Warning Page to make modifications.
  5. Click Save.
  6. Configure the remaining settings as needed.
  7. Click OK.

FortiGuard filter

FortiGuard filter

The FortiGuard filter enhances the web filter features by sorting billions of web pages into a wide range of categories that users can allow or block.

The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply to more than two billion pages. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

To use this service, you must have a valid FortiGuard license.

The following actions are available:

FortiGuard web filter action

Description

Allow

Permit access to the sites in the category.

Monitor

Permit and log access to sites in the category. User quotas can be enabled for this option (see Usage quota).

Block

Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked.

Warning

Display a message to the user allowing them to continue if they choose.

Authenticate

Require the user to authenticate with the FortiGate before allowing access to the category or category group.

Disable

Remove the category from the from the web filter profile.

This option is only available for local or remote categories from the right-click menu.

FortiGuard web filter categories

FortiGuard has many web filter categories, including two local categories and a special remote category. Refer to the following table for more information:

FortiGuard web filter category

Where to find more information

All URL categories

See Web Filter Categories.

Local categories

See Web rating override.

Remote category

See Threat feeds.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of the local category and not the external or FortiGuard built-in category.

Blocking a web category

The following example shows how to block a website based on its category. The information and computer security category (category 52) will be blocked.

To block a category in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the FortiGuard category based filter section, select Information and Computer Security, then click Block.

  3. Configure the remaining settings as needed.
  4. Click OK.
To block a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action block
                next
            end
        end
    next
end
To verify that the category is blocked:
  1. Go to a website that belongs to the blocked category, such as www.fortinet.com.

    The page should be blocked and display a replacement message.

To view the log of a blocked website in the GUI:
  1. Go to Log & Report > Web Filter.
  2. Select an entry with blocked in the Action column and click Details.
To view the log of a blocked website in the CLI:
# execute log filter category utm-webfilter
# execute log display

1: date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" srcintfrole="wan" dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=386 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology"

Allowing users to override blocked categories

There is an option to allow users with valid credentials to override blocked categories.

To allow users to override blocked categories in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. Enable Allow users to override blocked categories.
  3. Enter information in the following fields:
    • Groups that can override
    • Profile name
    • Switch applies to
    • Switch Duration
  4. Configure the other settings as needed.

    Click Allow users to override blocked categories

  5. Click OK.
To allow users to override blocked categories in the CLI:
config webfilter profile
    edit "webfilter"
        set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
        config override
            set ovrd-user-group "radius_group"
            set profile "webfilter"
        end
        config ftgd-wf
            unset options
        end
    next
end

Issuing a warning on a web category

The following example shows how to issue a warning when a user visits a website in a specific category (information and computer security, category 52).

To configure a warning for a category in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.
  2. In the FortiGuard category based filter section, select Information and Computer Security, then click Warning.
  3. Set the Warning Interval, then click OK.

    The warning interval is the amount of time until the warning appears again after the user proceeds past it.

  4. Configure the remaining settings as needed.
  5. Click OK.
To configure a warning for a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action warning
                next
            end
        end
    next
end
To verify that the warning works:
  1. Go to a website that belongs to the category, such as www.fortinet.com.
  2. On the warning page, click Proceed or Go Back.

Authenticating a web category

The following example shows how to authenticate a website based on its category (information and computer security, category 52).

To authenticate a category in the GUI:
  1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.
  2. In the FortiGuard category based filter section, select Information and Computer Security, then click Authenticate.
  3. Set the Warning Interval and select one or more user groups, then click OK.
  4. Configure the remaining settings as needed.
  5. Click OK.
To authenticate a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action authenticate
                    set auth-usr-grp "local_group"
                next
            end
        end
    next
end
To verify that you have configured authentication:
  1. Go to a website that belongs to the category, such as www.fortinet.com.
  2. On the warning page, click Proceed.

  3. Enter the username and password for the configured user group, then click Continue.

Customizing the replacement message page

When the category action is Block, Warning, or Authenticate, you can customize the replacement message page that a user sees.

To customize the replacement message page:
  1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.
  2. In the FortiGuard category based filter section, right-click on a category and select Customize.
  3. Select a Replacement Message Group. See Replacement message groups for details.
  4. Optionally, click Edit FortiGuard Block Page or Edit FortiGuard Warning Page to make modifications.
  5. Click Save.
  6. Configure the remaining settings as needed.
  7. Click OK.