Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.7 Administration Guide
    7.2.7
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Advanced filters 2

    Advanced filters 2

    This topic gives examples of the following advanced filter features:

    Note

    These advanced filters are only available in proxy-based inspection mode.

    Safe search

    This setting applies to popular search sites and prevents explicit websites and images from appearing in search results.

    The supported search sites are:

    • Google

    • Yahoo

    • Bing

    • Yandex

    To enable safe search in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Search Engines section, enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

    3. Click OK.

    To enable safe search in the CLI:
    config webfilter profile
    edit "webfilter"
        config web
            set safe-search url header
        end
    next
end

    Restrict YouTube access

    The Restrict YouTube access setting in the video filter profile adds the HTTP header YouTube-Restrict: Strict or YouTube-Restrict: Moderate into the HTTP request when enabled. When YouTube reads this header, it applies the appropriate content restriction based on the selected mode. YouTube Restricted Mode is an optional setting that filters out potentially mature videos while leaving a large number of videos still available (see Restrict YouTube content available to users and Manage your organization's YouTube settings for more information). Google defines the restricted YouTube access modes as follows:

    • Strict Restricted YouTube access: this setting is the most restrictive. Strict Restricted Mode does not block all videos, but works as a filter to screen out many videos based on an automated system, while leaving some videos still available for viewing.

    • Moderate Restricted YouTube access: this setting is similar to Strict Restricted Mode but makes a much larger collection of videos available.

    To restrict YouTube access in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Search Engines section, enable Restrict YouTube Access and select either Strict or Moderate.

    3. Click OK.

    To restrict YouTube access in the CLI:
    config webfilter profile
    edit <name>
        config web
            set set youtube-restrict {none | strict | moderate}
        end
    next 
end

    Vimeo access

    The file filter profile includes a setting to restrict Vimeo access, which can only be configured in the CLI.

    To restrict Vimeo access:
    config webfilter profile
    edit <name>
        config web
            set vimeo-restrict {7 | 134}
        end
    next 
end

    vimeo-restrict {7 | 134}

    Set the Vimeo restriction:

    • 7: do not show mature content
    • 134: do not show unrated and mature content

    Log all search keywords

    Use this setting to log all search phrases.

    To enable logging search keywords in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Search Engines section, enable Log all search keywords.

    3. Click OK.

    To enable logging search keywords in the CLI:
    config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

    Restrict Google account usage to specific domains

    Use this setting to block access to certain Google accounts and services, while allowing access to accounts with domains in the exception list.

    To enable Google account restriction:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Proxy Options section, enable Restrict Google account usage to specific domains.

    3. Click the + and enter the domains that Google can access, such as www.fortinet.com.

    4. Click OK.

    When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

    HTTP POST action

    Use this setting to select the action to take with HTTP POST traffic. HTTP POST is the command used by the browser when you send information, such as a completed form or a file you are uploading to a web server. The action options are allow or block. The default is allow.

    To configure HTTP POST in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Proxy Options section, for HTTP POST Action, select Allow or Block.

    3. Click OK.

    To configure HTTP POST in the CLI:
    config webfilter profile
    edit "webfilter"
        set post-action {normal | block}
        config ftgd-wf
            unset options
        end
    next
end

    Remove Java applets, ActiveX, and cookies

    Web filter profiles have settings to filter Java applets, ActiveX, and cookies from web traffic. Note that if these filters are enabled, websites using Java applets, ActiveX, and cookies might not function properly.

    To enable these filters in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile. and go to the Proxy Options section.

    2. In the Proxy Options section, enabled the filters you want to use: Remove Java Applets, Remove ActiveX, or Remove Cookies.

    To enable these filters in the CLI:
    config webfilter profile
   edit "webfilter"
      set options {activexfilter cookiefilter javafilter} 
      config ftgd-wf
         unset options
      end
   next
end
    Previous
    Next

    Advanced filters 2

    Advanced filters 2

    This topic gives examples of the following advanced filter features:

    Note

    These advanced filters are only available in proxy-based inspection mode.

    Safe search

    This setting applies to popular search sites and prevents explicit websites and images from appearing in search results.

    The supported search sites are:

    • Google

    • Yahoo

    • Bing

    • Yandex

    To enable safe search in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Search Engines section, enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

    3. Click OK.

    To enable safe search in the CLI:
    config webfilter profile
    edit "webfilter"
        config web
            set safe-search url header
        end
    next
end

    Restrict YouTube access

    The Restrict YouTube access setting in the video filter profile adds the HTTP header YouTube-Restrict: Strict or YouTube-Restrict: Moderate into the HTTP request when enabled. When YouTube reads this header, it applies the appropriate content restriction based on the selected mode. YouTube Restricted Mode is an optional setting that filters out potentially mature videos while leaving a large number of videos still available (see Restrict YouTube content available to users and Manage your organization's YouTube settings for more information). Google defines the restricted YouTube access modes as follows:

    • Strict Restricted YouTube access: this setting is the most restrictive. Strict Restricted Mode does not block all videos, but works as a filter to screen out many videos based on an automated system, while leaving some videos still available for viewing.

    • Moderate Restricted YouTube access: this setting is similar to Strict Restricted Mode but makes a much larger collection of videos available.

    To restrict YouTube access in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Search Engines section, enable Restrict YouTube Access and select either Strict or Moderate.

    3. Click OK.

    To restrict YouTube access in the CLI:
    config webfilter profile
    edit <name>
        config web
            set set youtube-restrict {none | strict | moderate}
        end
    next 
end

    Vimeo access

    The file filter profile includes a setting to restrict Vimeo access, which can only be configured in the CLI.

    To restrict Vimeo access:
    config webfilter profile
    edit <name>
        config web
            set vimeo-restrict {7 | 134}
        end
    next 
end

    vimeo-restrict {7 | 134}

    Set the Vimeo restriction:

    • 7: do not show mature content
    • 134: do not show unrated and mature content

    Log all search keywords

    Use this setting to log all search phrases.

    To enable logging search keywords in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Search Engines section, enable Log all search keywords.

    3. Click OK.

    To enable logging search keywords in the CLI:
    config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

    Restrict Google account usage to specific domains

    Use this setting to block access to certain Google accounts and services, while allowing access to accounts with domains in the exception list.

    To enable Google account restriction:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Proxy Options section, enable Restrict Google account usage to specific domains.

    3. Click the + and enter the domains that Google can access, such as www.fortinet.com.

    4. Click OK.

    When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

    HTTP POST action

    Use this setting to select the action to take with HTTP POST traffic. HTTP POST is the command used by the browser when you send information, such as a completed form or a file you are uploading to a web server. The action options are allow or block. The default is allow.

    To configure HTTP POST in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

    2. In the Proxy Options section, for HTTP POST Action, select Allow or Block.

    3. Click OK.

    To configure HTTP POST in the CLI:
    config webfilter profile
    edit "webfilter"
        set post-action {normal | block}
        config ftgd-wf
            unset options
        end
    next
end

    Remove Java applets, ActiveX, and cookies

    Web filter profiles have settings to filter Java applets, ActiveX, and cookies from web traffic. Note that if these filters are enabled, websites using Java applets, ActiveX, and cookies might not function properly.

    To enable these filters in the GUI:

    1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile. and go to the Proxy Options section.

    2. In the Proxy Options section, enabled the filters you want to use: Remove Java Applets, Remove ActiveX, or Remove Cookies.

    To enable these filters in the CLI:
    config webfilter profile
   edit "webfilter"
      set options {activexfilter cookiefilter javafilter} 
      config ftgd-wf
         unset options
      end
   next
end
    Previous
    Next