Fortinet black logo

Administration Guide

URL Scan Flow

Copy Link
Copy Doc ID 7885f8f7-912a-11e9-81a4-00505692583a:149861
Download PDF

URL Scan Flow

After a URL is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan will stop.

  1. Static Scan

    In this step, the URL is checked against the user uploaded White/Black list and the Overridden Verdicts list.

  2. Sandboxing Scan

    If WEBLink is associated with a VM type as defined in the Scan Profile page > VM Association tab, the URL will be scanned inside a clone of that VM type. If the URL type is enabled with the sandboxing pre-filtering command, only URLs whose webfiltering category is UNRATED will be scanned inside a VM. For more information, please refer to the FortiSandbox CLI Guide, for the sandboxing-prefiltering command.

During the Static Scan step, URLs will be checked against the user uploaded white list and black list in this order, and rated as Clean or Malicious respectively: URL REGEX black list > URL black list > Domain black list > URL REGEX white list > URL white List > Domain white list. For example, if users enter *.microsoft.com in the domain white list and http://www.microsoft.com/.*abc/bad.html in the URL black list, URL http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

URL Scan Flow

After a URL is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan will stop.

  1. Static Scan

    In this step, the URL is checked against the user uploaded White/Black list and the Overridden Verdicts list.

  2. Sandboxing Scan

    If WEBLink is associated with a VM type as defined in the Scan Profile page > VM Association tab, the URL will be scanned inside a clone of that VM type. If the URL type is enabled with the sandboxing pre-filtering command, only URLs whose webfiltering category is UNRATED will be scanned inside a VM. For more information, please refer to the FortiSandbox CLI Guide, for the sandboxing-prefiltering command.

During the Static Scan step, URLs will be checked against the user uploaded white list and black list in this order, and rated as Clean or Malicious respectively: URL REGEX black list > URL black list > Domain black list > URL REGEX white list > URL white List > Domain white list. For example, if users enter *.microsoft.com in the domain white list and http://www.microsoft.com/.*abc/bad.html in the URL black list, URL http://www.microsoft.com/1abc/bad.html will be rated as Malicious.