Administration Guide

FortiGuard filter

The FortiGuard filter enhances the web filter features by sorting billions of web pages into a wide range of categories that users can allow or block.

The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply to more than two billion pages. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

To use this service, you must have a valid FortiGuard license.

The following actions are available:

Allow: Permit access to the sites in the category.

Monitor: Permit and log access to sites in the category. User quotas can be enabled for this option (see Category usage quota).

Block: Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked.

Warning: Display a message to the user allowing them to continue if they choose.

Authenticate: Require the user to authenticate with the FortiGate before allowing access to the category or category group.

Disable: Remove the category from the web filter profile. This option is only available for local or remote categories from the right-click menu.

FortiGuard web filter categories

FortiGuard has many web filter categories, including two local categories and a special remote category. Refer to the following for more information:

All URL categories: See Web Filter Categories.

Local categories: See Web rating override.

Remote category: See Threat feeds.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of the local category and not the external or FortiGuard built-in category.
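The precedence rule above decides which rating a request gets before the profile's filter action is applied. The following Python model is an added example, not FortiOS code or a Fortinet API: it represents the three rating sources as constructed lookup tables, rates a URL in the stated order (local, then external, then FortiGuard built-in), and maps the winning category to the action a profile like the one on this page would apply. Category 52 is taken from the page; the local and remote category ids, the hostnames, and the "unrated means allow" default are placeholders assumed for the model.

```python
from urllib.parse import urlsplit

# Category ids used by this model. 52 (Information Technology) is from the guide;
# the local and remote ids below are constructed placeholders, not FortiOS values.
CAT_INFO_TECH = 52
LOCAL_CAT_INTERNAL = 140     # placeholder id for a local category (web rating override)
REMOTE_CAT_THREATFEED = 192  # placeholder id for the remote (threat feed) category
UNRATED = None

# Constructed rating sources, listed in the priority order the guide states.
LOCAL_RATINGS = {"intranet.example.com": LOCAL_CAT_INTERNAL}   # local category overrides
REMOTE_FEED_HOSTS = {"feed-listed.example.net"}                # hosts supplied by a threat feed
FORTIGUARD_RATINGS = {                                         # stand-in for the FortiGuard server's answer
    "www.fortinet.com": CAT_INFO_TECH,
    "intranet.example.com": CAT_INFO_TECH,
    "feed-listed.example.net": CAT_INFO_TECH,
}

# Mirror of the profile's ftgd-wf filters: 'edit 1 / set category 52 / set action block',
# plus constructed filters for the two placeholder categories.
PROFILE_FILTERS = {
    CAT_INFO_TECH: "block",
    LOCAL_CAT_INTERNAL: "allow",
    REMOTE_CAT_THREATFEED: "block",
}
DEFAULT_ACTION = "allow"  # assumption for this model: categories without a filter entry are allowed


def rate_host(host):
    """Return (category_id, source) for a hostname, honouring the
    local > external > FortiGuard built-in precedence from the guide.
    The first source that knows the host wins; later sources are not consulted."""
    if host in LOCAL_RATINGS:
        return LOCAL_RATINGS[host], "local"
    if host in REMOTE_FEED_HOSTS:
        return REMOTE_CAT_THREATFEED, "remote"
    return FORTIGUARD_RATINGS.get(host, UNRATED), "fortiguard"


def filter_decision(url):
    """Return (action, category_id, source) that the profile would apply to a URL."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in url {url!r}")
    cat, source = rate_host(host.lower())
    return PROFILE_FILTERS.get(cat, DEFAULT_ACTION), cat, source


if __name__ == "__main__":
    for u in ("https://www.fortinet.com/",
              "https://intranet.example.com/wiki",
              "http://feed-listed.example.net/x",
              "https://unknown.example/"):
        print(u, "->", filter_decision(u))
```

The second URL is the case the guide's sentence is about: FortiGuard rates intranet.example.com as category 52, which the profile blocks, but because the host has a local category the local rating wins and the request is allowed. A local override therefore silently exempts a host from the FortiGuard-based block, which is worth auditing whenever web rating overrides are added.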

Blocking a web category

The following example shows how to block a website based on its category. The Information Technology category (category 52) will be blocked.

To block a category in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the FortiGuard category based filter section, select Information Technology, then click Block.

  3. Configure the remaining settings as needed.

  4. Click OK.

To block a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action block
                next
            end
        end
    next
end

Note

You can use the get webfilter categories command to determine the web filtering category that corresponds to a given category ID.

To verify that the category is blocked:
  1. Go to a website that belongs to the blocked category, such as www.fortinet.com.

    The page should be blocked and display a replacement message.

To view the log of a blocked website in the GUI:
  1. Go to Log & Report > Security Events.

  2. Click the Web Filter card name.

  3. Select an entry with blocked in the Action column and click Details.

To view the log of a blocked website in the CLI:
# execute log filter category utm-webfilter
# execute log display

4: date=2023-08-08 time=13:25:31 eventtime=1691526331836645153 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="4a4b9d00-e471-51ed-71ec-c1a3bc8f773c" policytype="policy" sessionid=254529 srcip=1.1.1.2 srcport=60836 srccountry="Australia" srcintf="internal7" srcintfrole="lan" srcuuid="45eec070-e471-51ed-4b1c-930f37c5d882" dstip=44.240.173.227 dstport=443 dstcountry="United States" dstintf="wan1" dstintfrole="wan" dstuuid="45eec070-e471-51ed-4b1c-930f37c5d882" proto=6 service="HTTPS" hostname="www.fortinet.com" profile="default" action="blocked" reqtype="direct" url="https://www.fortinet.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"
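The record above is a FortiOS key=value log line, and the same shape is what a SIEM receives over syslog. The following Python snippet is an added example, not code from the guide or from Fortinet: it parses such records (quoted values may contain spaces, bare values run to the next whitespace), then lists and counts the ftgd_blk events per category, which is the quick check that the filter just configured is actually firing. The first sample line is the page's own log record; the second is a constructed allowed record so the filter has something to ignore.

```python
import re
from collections import Counter

# Sample input. The first record is the page's 'execute log display' output;
# the second is constructed (not from the page) to represent a permitted request.
LOG_LINES = [
    '4: date=2023-08-08 time=13:25:31 eventtime=1691526331836645153 tz="-0700" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="4a4b9d00-e471-51ed-71ec-c1a3bc8f773c" policytype="policy" sessionid=254529 srcip=1.1.1.2 srcport=60836 srccountry="Australia" srcintf="internal7" srcintfrole="lan" srcuuid="45eec070-e471-51ed-4b1c-930f37c5d882" dstip=44.240.173.227 dstport=443 dstcountry="United States" dstintf="wan1" dstintfrole="wan" dstuuid="45eec070-e471-51ed-4b1c-930f37c5d882" proto=6 service="HTTPS" hostname="www.fortinet.com" profile="default" action="blocked" reqtype="direct" url="https://www.fortinet.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"',
    # constructed record: same client, a site the profile lets through
    '5: date=2023-08-08 time=13:26:02 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 srcip=1.1.1.2 dstip=203.0.113.10 service="HTTPS" hostname="example.org" profile="default" action="passthrough" url="https://example.org/" cat=52 catdesc="Information Technology"',
]

# key=value pairs: either a double-quoted value (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# 'execute log display' prefixes each record with an index such as '4: '
INDEX_RE = re.compile(r'^\d+:\s*')


def parse_fortigate_log(line):
    """Split one FortiOS key=value record into a dict of string values."""
    line = INDEX_RE.sub('', line.strip())
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def blocked_events(lines):
    """Return (srcip, hostname, cat, catdesc, policyid) for every FortiGuard
    category block (eventtype ftgd_blk) among the records."""
    out = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get('subtype') != 'webfilter' or rec.get('eventtype') != 'ftgd_blk':
            continue
        out.append((rec['srcip'], rec['hostname'], int(rec['cat']),
                    rec['catdesc'], int(rec['policyid'])))
    return out


def blocks_per_category(lines):
    """Count blocked requests per category id, e.g. {52: 1} for the sample above."""
    return Counter(cat for _, _, cat, _, _ in blocked_events(lines))


if __name__ == "__main__":
    for ev in blocked_events(LOG_LINES):
        print("blocked:", ev)
    print(dict(blocks_per_category(LOG_LINES)))
```

Filtering on eventtype="ftgd_blk" rather than on the msg text keeps the check stable if the replacement message wording changes; the cat and catdesc fields match the category id used in the profile's filters, so the counter can be compared directly against what was configured.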

Allowing users to override blocked categories

There is an option to allow users with valid credentials to override blocked categories.

To allow users to override blocked categories in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. Enable Allow users to override blocked categories.

  3. Enter information in the following fields:

    Groups that can override: Add the user group that will be allowed to override.

    Profile Name: Add the web filter profile that the overriding group will use. This cannot be the same profile as the one being edited.

    Switch applies to: Select User, User Groups, IP, or Ask.

    Switch Duration: Select either Predefined to specify a duration, or Ask for user input.

  4. Configure the other settings as needed.

  5. Click OK.

To allow users to override blocked categories in the CLI:
config webfilter profile
    edit "webfilter"
        set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
        config override
            set ovrd-user-group "radius_group"
            set profile "webfilter"
        end
        config ftgd-wf
            unset options
        end
    next
end

Issuing a warning on a web category

The following example shows how to issue a warning when a user visits a website in a specific category (Information Technology, category 52).

To configure a warning for a category in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the FortiGuard category based filter section, select Information Technology, then click Warning.

  3. Set the Warning Interval, then click OK.

    The warning interval is the amount of time until the warning appears again after the user proceeds past it.

  4. Configure the remaining settings as needed.

  5. Click OK.

To configure a warning for a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action warning
                next
            end
        end
    next
end

To verify that the warning works:
  1. Go to a website that belongs to the category, such as www.fortinet.com.

  2. On the warning page, click Proceed or Go Back.

Authenticating a web category

The following example shows how to authenticate a website based on its category (Information Technology, category 52).

To authenticate a category in the GUI:
  1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.

  2. In the FortiGuard category based filter section, select Information Technology, then click Authenticate.

  3. Set the Warning Interval and select one or more user groups, then click OK.

  4. Configure the remaining settings as needed.

  5. Click OK.

To authenticate a category in the CLI:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action authenticate
                    set auth-usr-grp "local_group"
                next
            end
        end
    next
end

To verify that you have configured authentication:
  1. Go to a website that belongs to the category, such as www.fortinet.com.

  2. On the warning page, click Proceed.

  3. Enter the username and password for the configured user group, then click Continue.

Customizing the replacement message page

When the category action is Block, Warning, or Authenticate, you can customize the replacement message page that a user sees.

To customize the replacement message page:
  1. Go to Security Profiles > Web Filter and edit or create a new web filter profile.

  2. In the FortiGuard category based filter section, right-click on a category and select Customize.

  3. Select a Replacement Message Group. See Replacement message groups for details.

  4. Optionally, click Edit FortiGuard Block Page or Edit FortiGuard Warning Page to make modifications.

  5. Click Save.

  6. Configure the remaining settings as needed.

  7. Click OK.

Customizing the CA certificate

When accessing an HTTPS webpage, in order to intercept the connection and perform an override, warning, or authentication, the connection must be proxied and the warning and/or authentication page must be signed with the FortiGate's CA certificate. The client accessing the page must trust the CA in order to avoid certificate errors while browsing.

Note

When applying the web filter profile to a firewall policy, an SSL inspection profile must also be selected.

To apply a custom certificate to the SSL inspection profile in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection and click Create New, or edit an existing profile.

  2. Under SSL Inspection Options, set CA certificate to the desired custom CA certificate.

  3. Click OK.

  4. On the client endpoints, ensure this custom CA is trusted.

To apply a custom certificate to the SSL inspection profile in the CLI:
config firewall ssl-ssh-profile
    edit <name>
        set caname <custom_CA_certificate>
    next
end
