Introduction to Web Filter

Web filtering is a means of controlling the content that an internet user is able to view. With the increased popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security.

This topic provides a general introduction to the Web Filter security profile. Additional information, such as the GUI and CLI configurations, can be found in subsequent topics.

Web Filter Configuration

Web Filter configuration can be separated into the following parts: Web Filter profile configuration and Web Filter profile overrides.

There are five components to Web Filter configuration:

  • URL filter: Block, allow, exempt, or monitor traffic by URL.
  • FortiGuard filter: With a FortiGuard license, you can get the rating of a URL. Action can be taken against the packet based on its rating.
  • Content filter: Block or exempt traffic by checking its content.
  • File filter: Log or block a file based on its file type (e.g. ZIP, MP3, PNG).
  • Advanced filter

There are two different ways to override web filtering behavior based on FortiGuard categorization of websites:

  • Using alternate categories: Web rating overrides. This method manually assigns a specific website to a different Fortinet category or a locally created category.
  • Using alternate profiles: For traffic that passes through the FortiGate unit under identity-based policies with a web filtering profile, configured users or IP addresses can be allowed to use an alternative Web Filter profile when they attempt to access blocked websites.

URL filter of webfilter

URL filter is also called static URL filter. By adding specific URLs with patterns containing text and regular expressions, FortiGate can allow, block, exempt, and monitor web pages matching any specified URLs or patterns, and can display a replacement message instead.

Sample topology

Create URL filter

You can create a URL filter using the GUI or CLI. After creating the URL filter, attach it to a webfilter profile.

To create URL filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable URL Filter.
  3. Under URL Filter, select Create New to display the New URL Filter window.
URL Filter Type and Description

Simple: FortiGate tries to strictly match the full context. For example, if you enter www.facebook.com in the URL field, it only matches traffic with www.facebook.com. It won't match facebook.com or message.facebook.com. When FortiGate finds a match, it performs the selected URL Action.

Regular Expression or Wildcard: FortiGate tries to match the pattern based on the rules of regular expressions or wildcards. For example, if you enter *fa* in the URL field, it matches all the content that has fa, such as www.facebook.com, message.facebook.com, fast.com, etc. When FortiGate finds a match, it performs the selected URL Action.

For more information, see the URL Filter expressions technical note at https://kb.fortinet.com/kb/documentLink.do?externalID=FD37057.

URL Filter Action and Description

Block: Denies or blocks attempts to access any URL matching the URL pattern. FortiGate displays a replacement message.

Allow: The traffic is passed to the remaining FortiGuard webfilters, web content filters, web script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not appear in the URL list, the traffic is permitted.

Monitor: The traffic is processed the same way as the Allow action. For the Monitor action, a log message is generated each time a matching traffic pattern is established.

Exempt: The traffic is allowed to bypass the remaining FortiGuard webfilters, web content filters, web script filters, antivirus scanning, and DLP proxy operations.

  4. For example, enter *facebook.com and select Wildcard and Block; then select OK.

After creating the URL filter, attach it to a webfilter profile.
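The matching and action rules in the two tables above, worked through in code. This is an added example written for this page, not FortiOS code or anything from Fortinet: the entry fields (url, type, action, status) mirror the CLI names shown later on the page, wildcard patterns are translated to anchored regular expressions so that * covers any run of characters and ? a single one, and "first enabled matching entry wins" is an assumption about evaluation order.

```python
import re
from dataclasses import dataclass


@dataclass
class UrlFilterEntry:
    """One static URL filter entry (field names follow the CLI on this page)."""
    url: str
    type: str              # simple | wildcard | regex
    action: str            # block | allow | monitor | exempt
    status: str = "enable"


def entry_matches(entry: UrlFilterEntry, host_and_path: str) -> bool:
    """Apply the URL Filter Type rules from the table above."""
    if entry.type == "simple":
        # Strict match of the full string: www.facebook.com does not match
        # facebook.com or message.facebook.com.
        return host_and_path == entry.url
    if entry.type == "wildcard":
        # '*' stands for any run of characters, '?' for one character. The
        # whole string must be covered (an assumption about FortiOS semantics).
        regex = re.escape(entry.url).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(regex, host_and_path) is not None
    if entry.type == "regex":
        return re.search(entry.url, host_and_path) is not None
    raise ValueError(f"unknown filter type {entry.type!r}")


def evaluate(entries, host_and_path):
    """Return the verdict for one request.

    The first enabled entry that matches decides (assumed ordering). A request
    that matches nothing is permitted and continues to the remaining filters,
    which is what the Allow row of the action table describes.
    """
    for entry in entries:
        if entry.status != "enable":
            continue
        if entry_matches(entry, host_and_path):
            return {
                "action": entry.action,
                "matched": entry.url,
                # block and monitor produce a log entry; allow does not
                "logged": entry.action in ("block", "monitor"),
                # allow and monitor hand the request to the remaining
                # filters; block stops it and exempt bypasses them
                "continue_inspection": entry.action in ("allow", "monitor"),
            }
    return {"action": "allow", "matched": None, "logged": False,
            "continue_inspection": True}


# Constructed sample list: the page's *facebook.com wildcard entry plus a
# simple exempt entry and a regex monitor entry for hypothetical hosts.
SAMPLE_ENTRIES = [
    UrlFilterEntry("*facebook.com", "wildcard", "block"),
    UrlFilterEntry("intranet.example.com", "simple", "exempt"),
    UrlFilterEntry(r"\.example\.net$", "regex", "monitor"),
    UrlFilterEntry("*", "wildcard", "block", status="disable"),  # disabled, ignored
]


if __name__ == "__main__":
    for host in ("www.facebook.com", "facebook.com", "intranet.example.com",
                 "www.intranet.example.com", "mail.example.net"):
        print(host, evaluate(SAMPLE_ENTRIES, host))
```

The disabled catch-all entry at the end shows why `status` matters when reading a long list: an entry that looks like it blocks everything has no effect until it is enabled, so a review of a URL filter should check the status of each entry and not only its pattern.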

Create URL filter using CLI

To create and enable a URL filter using the CLI, create the URL filter and then attach it to a webfilter profile. The CLI commands below show the full configuration of creating a URL filter.

config webfilter urlfilter
    edit {id}                                   # Configure URL filter lists.
        set name {string}                       Name of URL filter list. size[35]
        config entries
            edit {id}                           # URL filter entries.
                set url {string}                URL to be filtered. size[511]
                set type {simple | regex | wildcard}    Filter type (simple, regex, or wildcard).
                    simple      Simple URL string.
                    regex       Regular expression URL string.
                    wildcard    Wildcard URL string.
                set action {exempt | block | allow | monitor}    Action to take for URL filter matches.
                    exempt      Exempt matches.
                    block       Block matches.
                    allow       Allow matches (no log).
                    monitor     Allow matches (with log).
                set status {enable | disable}   Enable/disable this URL filter.
                set exempt {option}             If action is set to exempt, select the security profile operations that exempt URLs skip. Separate multiple options with a space.
                    av                    AntiVirus scanning.
                    web-content           Web filter content matching.
                    activex-java-cookie   ActiveX, Java, and cookie filtering.
                    dlp                   DLP scanning.
                    fortiguard            FortiGuard web filtering.
                    range-block           Range block feature.
                    pass                  Pass single connection from all.
                    all                   Exempt from all security profiles.
                set referrer-host {string}      Referrer host name. size[255]
            next
        end
    next
end

To create a URL filter that blocks Facebook using the CLI:

config webfilter urlfilter
    edit 1
        set name "webfilter"
        config entries
            edit 1
                set url "*facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end

To attach the URL filter to a webfilter profile:

config webfilter profile
    edit "webfilter"                    <-- the name of the webfilter profile
        config web
            set urlfilter-table 1       <-- the URL filter created with ID number 1
        end
        config ftgd-wf
            unset options
        end
    next
end

Attach webfilter profile to the firewall policy

After you have created the URL filter and attached it to a webfilter profile, you must attach the profile to a firewall policy.

To attach a webfilter profile to a firewall policy using the GUI:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Edit the policy that you want to enable the webfilter.
  3. In the Security Profiles section, enable Web Filter and select the profile you created.

To attach a webfilter profile to a firewall policy using the CLI:

config firewall policy
    edit 1
        set name "WF"
        set uuid b725a4d4-5be5-51e9-43fa-6d4e67d56bad
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter"       <-- attach the webfilter profile you just created
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Validate the URL filter results

Validate the URL filter results by going to a blocked website. For example, when you go to the Facebook website, you see the replacement message.

To customize the URL web page blocked message:

  1. Go to System > Replacement Messages.
  2. Go to the Security section and select URL Block Page.
  3. Set up a custom message for blocked pages.

To check webfilter logs in the GUI:

  1. Go to Log & Report > Web Filter.
  2. If there are too many log entries, click Add Filter and select Event Type > urlfilter to display logs generated by the URL filter.

To check webfilter logs in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 urlfilteridx=0 urlsource="Local URLfilter Block" policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472 srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"

FortiGuard filter of webfilter

To use this service, you must have a valid subscription on your FortiGate.

FortiGuard filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories that users can allow or block.

FortiGuard web filtering services include over 45 million individual website ratings that apply to more than two billion pages. When FortiGuard filter is enabled in a webfilter profile that is applied to firewall policies, and a request for a web page appears in traffic controlled by one of those policies, the URL is sent to the nearest FortiGuard server and the URL category (rating) is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

FortiGuard webfilter action

You can select one of the following FortiGuard webfilter actions:

FortiGuard webfilter Action and Description

Allow: Permit access to the sites in the category.

Block: Prevent access to the sites in the category. Users trying to access a blocked site see a replacement message indicating the site is blocked.

Monitor: Permits and logs access to sites in the category. You can enable user quotas when you enable this action.

Warning: Displays a message to the user allowing them to continue if they choose.

Authenticate: Requires the user to authenticate with the FortiGate before allowing access to the category or category group.

FortiGuard webfilter categories

FortiGuard has many webfilter categories including two local categories and a special remote category. For more information on the different categories, see the table below.

FortiGuard webfilter category: All URL categories
    Where to find more information: https://fortiguard.com/webfilter/categories

FortiGuard webfilter category: Remote category
    Where to find more information: the External resources for webfilter section below.

The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a local category, it only follows the behavior of local category and not external or FortiGuard built-in category.

Sample configuration of blocking a web category

This example shows blocking a website based on its category (rating), for example, information technology.

To block a category in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Block.

To block a category in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52     <-- the pre-set id of the "Information Technology" category
                    set action block    <-- set action to block
                next
            end
        end
    next
end

To validate that you have blocked a category:

  1. Go to a website belonging to the blocked category, for example, www.fortinet.com, and you see a blocked page and the category that is blocked.

To view the log of a blocked website in the GUI:

  1. Go to Log & Report > Web Filter.

To view the log of a blocked website in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 policyid=1 sessionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" srcintfrole="wan" dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=386 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology"
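Both webfilter log entries on this page (the urlfilter block above under "Validate the URL filter results" and the ftgd_blk entry just shown) use the same key=value format printed by execute log display. The following is an added example, not Fortinet code, of parsing that format and summarising blocked requests by reason and by source address, the kind of check an analyst runs after exporting the log. The sample lines are constructed in the format shown on the page with documentation-range addresses and made-up session numbers; the third line's allowed category event is an assumption about the format of a non-blocking entry.

```python
import re
from collections import Counter

# Constructed sample log lines in the "execute log display" format shown on the
# page. Addresses (203.0.113.x) and session ids are placeholders.
SAMPLE_LOGS = [
    '1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="vdom1" policyid=1 sessionid=100001 '
    'srcip=10.1.200.15 srcport=50472 dstip=203.0.113.10 dstport=443 proto=6 service="HTTPS" '
    'hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="/" '
    'msg="URL was blocked because it is in the URL filter list"',
    '2: date=2019-04-22 time=13:46:25 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 sessionid=100002 '
    'srcip=10.1.200.15 srcport=49234 dstip=203.0.113.20 dstport=80 proto=6 service="HTTP" '
    'hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=52 '
    'catdesc="Information Technology"',
    # Assumed shape of an allowed-category entry (constructed, not from the page)
    '3: date=2019-04-22 time=13:47:01 logid="0317013312" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="vdom1" policyid=1 sessionid=100003 '
    'srcip=10.1.200.16 srcport=49300 dstip=203.0.113.30 dstport=443 proto=6 service="HTTPS" '
    'hostname="www.harvard.edu" profile="webfilter" action="passthrough" reqtype="direct" '
    'url="/" msg="URL belongs to an allowed category in policy" method="domain" cat=30 '
    'catdesc="Education"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Turn one log line into a dict of string fields."""
    line = re.sub(r"^\d+:\s*", "", line.strip())   # drop the "1: " index prefix
    fields = {}
    for key, raw in KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def blocked_summary(lines):
    """Count blocked webfilter requests by (eventtype, hostname) and by source IP.

    eventtype tells you which filter blocked the request: urlfilter for the
    static URL filter, ftgd_blk for a FortiGuard category block.
    """
    by_reason, by_src = Counter(), Counter()
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("subtype") != "webfilter" or f.get("action") != "blocked":
            continue
        by_reason[(f["eventtype"], f["hostname"])] += 1
        by_src[f["srcip"]] += 1
    return by_reason, by_src


if __name__ == "__main__":
    reasons, sources = blocked_summary(SAMPLE_LOGS)
    for (event, host), n in reasons.items():
        print(f"{event:10s} {host:25s} {n}")
    print("blocked requests per source:", dict(sources))
```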

Sample configuration of issuing a warning

This example shows issuing a warning when a user visits a website based on its category (rating), for example, information technology.

To configure a warning in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Warning.
  4. Set the Warning Interval, which is the interval after which the warning page appears again once the user has chosen to continue.

To configure a warning in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action warning      <-- set action to warning
                next
            end
        end
    next
end

To validate that you have configured the warning:

  1. Go to a website belonging to the selected category, for example, www.fortinet.com, and you see a warning page where you can choose to Proceed or Go Back.

Sample configuration of authenticating a web category

This example shows authenticating a website based on its category (rating), for example, information technology.

To authenticate a category in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Business section by clicking the + icon beside it.
  3. Select Information Technology and then select Authenticate.
  4. Set the Warning Interval, which is the interval after which the authentication page appears again following a successful authentication.
  5. Click the + icon beside Selected User Group and select a user group. You must have a valid user group to use this feature.

To authenticate a category in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 52
                    set action authenticate             <-- set the action to authenticate
                    set auth-usr-grp "local_group"      <-- the user group that must authenticate
                next
            end
        end
    next
end

To validate that you have configured authentication:

  1. Go to a website belonging to the selected category, for example, www.fortinet.com. First, you see a warning page where you can choose to Proceed or Go Back.
  2. Click Proceed to check that the authentication page appears.
  3. Enter the username and password of the user group you selected, and click Continue.

If the credentials are correct, the traffic is allowed through.

Sample customization of the replacement page

When the FortiGuard webfilter action is Block, Warning, or Authenticate, there is a Customize option for you to customize the replacement page.

To customize the replacement page:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Right-click the item and select Customize.
  3. A pane appears for you to customize the page.

Quota of webfilter

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific amount of bandwidth, and are calculated separately for each user. Quotas are reset every day at midnight.

Quotas can be set only for the actions of Monitor, Warning, or Authenticate. When the quota is reached, the traffic is blocked and the replacement page displays.
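The accounting the two paragraphs above describe (one counter per user and category, charged in seconds or bytes, blocked once the limit is reached, reset at midnight), as an added example written for this page rather than FortiOS code. The class, its method names, and the use of "traffic" as the name of the bandwidth quota type are assumptions; only the behaviour follows the text.

```python
from datetime import datetime


class CategoryQuota:
    """Daily quota for one FortiGuard category, tracked separately per user.

    qtype is "time" (limit in seconds) or "traffic" (limit in bytes; the
    name "traffic" is an assumption). Usage is keyed by calendar day, so the
    first request on a new day starts from zero: the midnight reset.
    """

    def __init__(self, category, qtype, limit):
        if qtype not in ("time", "traffic"):
            raise ValueError("quota type must be 'time' or 'traffic'")
        self.category, self.qtype, self.limit = category, qtype, limit
        self._used = {}          # user -> (date, amount used that day)

    def _bucket(self, user, now):
        day, used = self._used.get(user, (None, 0))
        if day != now.date():    # first use today, or a new day: reset at midnight
            day, used = now.date(), 0
        return day, used

    def remaining(self, user, now):
        _, used = self._bucket(user, now)
        return max(self.limit - used, 0)

    def consume(self, user, amount, now):
        """Charge `amount` to the user's daily counter.

        Returns "allow" while the quota is not yet reached and "block" once it
        is, at which point FortiGate would show the replacement page.
        """
        day, used = self._bucket(user, now)
        if used >= self.limit:
            self._used[user] = (day, used)
            return "block"
        self._used[user] = (day, used + amount)
        return "allow"


if __name__ == "__main__":
    # 5-minute time quota on the Education category (id 30 on this page)
    quota = CategoryQuota(category=30, qtype="time", limit=5 * 60)
    t = datetime(2019, 4, 22, 10, 0, 0)
    print(quota.consume("alice", 299, t), quota.remaining("alice", t))   # allow 1
    print(quota.consume("alice", 1, t), quota.remaining("alice", t))     # allow 0
    print(quota.consume("alice", 1, t))                                  # block
    print(quota.consume("alice", 1, datetime(2019, 4, 23, 0, 0, 1)))     # allow (new day)
```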

Sample topology

Sample configuration of setting a quota

This example shows setting a time quota for a category, for example, the Education category.

To configure a quota in the GUI:

  1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
  2. Open the General Interest - Personal section by selecting the + icon beside it.
  3. Select Education and then select Monitor.
  4. In the Category Usage Quota section, select Create New.
  5. In the right pane, select the Category field and then select Education.
  6. For the Quota Type, select Time and set the Total quota to 5 minute(s).
  7. Select OK and the Category Usage Quota section displays the quota.
  8. Validate the configuration by visiting a website in the Education category, for example https://www.harvard.edu/. You can view websites in the Education category.
  9. Check the used and remaining quota in Monitor > FortiGuard Quota.
  10. When the quota reaches its limit, traffic is blocked and the replacement page displays.

To configure a quota in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 30     <-- the id of the Education category
                next
            end
            config quota
                edit 1
                    set category 30
                    set type time
                    set duration 5m
                next
            end
        end
    next
end

Web content filter of webfilter

You can control access to web content by blocking web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards and Perl regular expressions to match content on web pages. You can use multiple web content filter lists and select the best web content filter list for each web filter profile.

Pattern type

When you have created the web filter content list, you need to add web content patterns to it. There are two types of patterns: wildcard and regular expression.

Wildcard

Use the wildcard setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches fortinet.com and forticare.com. The * represents any character appearing any number of times.

Regular expression

Use the regular expression setting to block or exempt patterns of Perl expressions which use some of the same symbols as wildcard expressions but for different purposes. In regular expressions, * represents the character before the symbol. For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i appearing any number of times.

The maximum number of web content patterns in a list is 5000.

Content evaluation

The web content filter feature scans the content of every web page that is accepted by a security policy. The system administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases found on that page. If the sum is higher than a threshold set in the web filter profile, FortiGate blocks the page.

The default score for web content filter is 10 and the default threshold is 10. This means that by default, a web page is blocked by a single match.

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.
  • The score for any word in a phrase without quotation marks is counted.
  • The score for a phrase in quotation marks is counted only if it appears exactly as written.

Sample of applying banned pattern rules

The following table is an example of how rules are applied to the contents of a web page. For example, a web page contains only this sentence:

The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.

Banned pattern: word
    Assigned score: 20. Score added to the sum for the entire page: 20. Threshold score: 20.
    Comment: Appears twice but is only counted once. Web page is blocked.

Banned pattern: word phrase
    Assigned score: 20. Score added to the sum for the entire page: 40. Threshold score: 20.
    Comment: Each word appears twice but is only counted once, giving a total score of 40. Web page is blocked.

Banned pattern: word sentence
    Assigned score: 20. Score added to the sum for the entire page: 20. Threshold score: 20.
    Comment: "word" appears twice, "sentence" does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.

Banned pattern: "word sentence"
    Assigned score: 20. Score added to the sum for the entire page: 0. Threshold score: 20.
    Comment: This phrase does not appear exactly as written. Web page is allowed.

Banned pattern: "word or phrase"
    Assigned score: 20. Score added to the sum for the entire page: 20. Threshold score: 20.
    Comment: This phrase appears twice but is counted only once. Web page is blocked.
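The three evaluation rules and the table above, implemented so that the scores can be reproduced on any page text. This is an added example, not FortiGate code: it treats a quoted pattern as an exact phrase match, an unquoted pattern as a set of words each scored once if present, and blocks when the sum reaches the threshold (the table blocks at 20 against a threshold of 20, so "reaches" rather than "exceeds" is the reading used here). Tokenisation on word characters and case-insensitive matching are assumptions.

```python
import re


def _words_present(text):
    """Set of lower-cased words in the page text (tokenisation is an assumption)."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))


def pattern_score(pattern, page_text, assigned_score=10):
    """Score one banned pattern against one page using the rules above.

    - a word or phrase counts once no matter how often it appears;
    - an unquoted multi-word pattern scores every one of its words that
      appears anywhere on the page, each once;
    - a quoted pattern scores only if the phrase appears exactly as written.
    """
    text = page_text.lower()
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        phrase = re.escape(pattern[1:-1].lower())
        return assigned_score if re.search(r"\b" + phrase + r"\b", text) else 0
    present = _words_present(page_text)
    return assigned_score * sum(1 for w in pattern.lower().split() if w in present)


def page_verdict(patterns, page_text, threshold=10):
    """patterns: list of (pattern, assigned_score). Block when the sum of the
    per-pattern scores reaches the profile threshold (bword-threshold)."""
    total = sum(pattern_score(p, page_text, s) for p, s in patterns)
    return {"score": total, "threshold": threshold, "blocked": total >= threshold}


# The sentence the page uses as its sample web page content
SAMPLE_PAGE = ("The score for each word or phrase is counted only once, even if that "
               "word or phrase appears many times in the web page.")

# The five rows of the table, each evaluated as its own banned-word list
TABLE_ROWS = [("word", 20), ("word phrase", 20), ("word sentence", 20),
              ('"word sentence"', 20), ('"word or phrase"', 20)]


def reproduce_table(page_text=SAMPLE_PAGE, threshold=20):
    """Return {pattern: verdict} for every table row, one pattern per list."""
    return {p: page_verdict([(p, s)], page_text, threshold) for p, s in TABLE_ROWS}


if __name__ == "__main__":
    for pattern, verdict in reproduce_table().items():
        state = "blocked" if verdict["blocked"] else "allowed"
        print(f"{pattern:20s} score={verdict['score']:3d}  {state}")
    # With the defaults (score 10, threshold 10) a single hit blocks the page
    print(page_verdict([("fortinet", 10)], "Welcome to Fortinet support"))
```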

Sample configuration

To configure web content filter in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable Content Filter to display its options.
  3. Select Create New to display the content filter options.
  4. For Pattern Type, select Regular Expression and enter fortinet in the Pattern field.
    • Leave Language as Western.
    • Set Action to Block.
    • Set Status to Enable.
  5. Select OK to see the updated Static URL Filter section.
  6. Validate the configuration by visiting a website with the word fortinet, for example, www.fortinet.com. The website is blocked and a replacement page displays.

To configure web content filter in the CLI:

  1. Create a content table:

config webfilter content
    edit 1                              <-- the id of this content table
        set name "webfilter"
        config entries
            edit "fortinet"             <-- the banned word
                set pattern-type regexp <-- the type is regular expression
                set status enable
                set lang western
                set score 10            <-- the score for this word is 10
                set action block
            next
        end
    next
end

  2. Attach the content table to the webfilter profile:

config webfilter profile
    edit "webfilter"
        config web
            set bword-threshold 10      <-- the threshold is 10
            set bword-table 1           <-- the id of the content table created in the previous step
        end
        config ftgd-wf
            unset options
        end
    next
end

Advanced Filters 1

Block malicious URLs discovered by FortiSandbox

To use this feature, you must be registered to a FortiSandbox and be connected to it.

This feature blocks malicious URLs that FortiSandbox finds.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable Block malicious URLs discovered by FortiSandbox.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config web
            set blacklist enable
        end
    next
end

Allow websites when a rating error occurs

If you don’t have a FortiGuard license but you have enabled services that need a FortiGuard license, such as FortiGuard filter, then you’ll get a rating error message.

Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options section.
  2. Enable Allow websites when a rating error occurs.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options error-allow
        end
    next
end

Rate URLs by domain and IP address

By default, FortiGate sends only the domain name to FortiGuard for rating. If you enable this feature, FortiGate always sends both the URL domain name and the IP address from the TCP/IP packet (except private IP addresses) to FortiGuard for rating.

The FortiGuard server might return different categories for the IP address and the URL domain name. If they differ, FortiGate uses the rating weights of the IP address category and the domain name category to decide the final rating. These rating weights are hard-coded in FortiGate.

For example, if www.irs.gov were made to resolve to an IP address belonging to Google, FortiGate would send both the IP address and the domain name to FortiGuard for rating and receive two different ratings: Search Engines and Portals for the Google IP address, and Government and Legal Organizations for www.irs.gov. Because Search Engines and Portals has a higher weight than Government and Legal Organizations, the traffic is rated as Search Engines and Portals, not as Government and Legal Organizations.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options section.
  2. Enable Rate URLs by domain and IP address.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            set options rate-server-ip
        end
    next
end

Block invalid URLs

Use this feature to block websites when their SSL certificate CN field does not contain a valid domain name.

For example, this option blocks URLs that contain spaces. If there is a space in the URL, it must be written as http://www.example.com/space%20here.html.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
  2. Enable Block invalid URLs.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        set options block-invalid-url
    next
end

Rate images by URL

This feature enables FortiGate to retrieve ratings for individual images in addition to websites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced with blank placeholders. These image file types are rated: GIF, JPEG, PNG, BMP, and TIFF.

This feature requires a valid FortiGuard license, otherwise rating errors will occur. By default, this feature is enabled.

For example, if the Other Adult Materials category is blocked, before enabling Rate images by URL, the image is not blocked:

After enabling Rate images by URL, images in the Other Adult Materials category are blocked. For example:

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Rating Options section.
  2. Enable Rate images by URL.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            set rate-image-urls enable
        end
    next
end

Advanced Filters 2

Safe search

This feature applies to popular search sites and prevents explicit websites and images from appearing in search results.

Supported search sites are:

  • Google
  • Yahoo
  • Bing
  • Yandex

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config web
            set safe-search url
        end
    next
end

YouTube education filters

Use these features to limit users’ access to YouTube channels, such as in an education environment where you want students and users to be able to access YouTube education videos but not other YouTube videos.

Restrict YouTube access

Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature lets schools access educational videos on YouTube EDU and to specify the videos accessible within the school network.

When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.

Google provides information on restricting YouTube content, such as Restrict YouTube content available to G Suite users. At this time, the options Google offers to restrict inappropriate content include DNS, HTTP headers, and Chromebooks.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Restrict YouTube Access and select Strict or Moderate.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config web
            set youtube-restrict strict
        end
    next
end

YouTube channel filtering

This web filtering feature is also called Restrict YouTube access to specific channels. Use this feature to block or only allow matching YouTube channels.

The following identifiers are used. Given a <channel-id>, the filter affects:

  • www.youtube.com/channel/<channel-id>
  • www.youtube.com/user/<user-id>: matches the channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">
  • www.youtube.com/watch?v=<string>: matches the channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Enable Restrict YouTube access to specific channels.
  3. Select Create New and specify the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.
  4. Select OK and the option shows the Channel ID and its Link.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        set youtube-channel-status whitelist    <-- whitelist: only allow traffic that belongs to the listed channel ids and related identifiers; blacklist: block traffic that belongs to the listed channel ids and related identifiers, and allow all other traffic
        config youtube-channel-filter
            edit 1
                set channel-id "UCGzuiiLdQZu9wxDNJHO_JnA"
            next
        end
    next
end
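How the three identifiers listed above resolve to a channel id, and how the whitelist and blacklist modes of youtube-channel-status then decide, as an added example written for this page (not FortiOS or Fortinet code). The /channel/ form is read from the URL; the /user/ and /watch?v= forms need the response body, from which the <meta itemprop="channelId"> tag shown on the page is extracted. Scoping the decision to requests that carry one of the three identifiers, and passing everything else through to the rest of the profile, is an assumption; the second channel id in the sample HTML is a placeholder.

```python
import re
from urllib.parse import urlparse, parse_qs

# The tag the page shows as the source of the channel id
META_CHANNEL_ID = re.compile(
    r'<meta\s+itemprop="channelId"\s+content="([^"]+)"', re.IGNORECASE)


def channel_id_for_request(url, page_html=None):
    """Map a request to a YouTube channel id, or None if it carries none.

    /channel/<id> is taken directly from the URL. /user/<user-id> and
    /watch?v=<string> are resolved from the channelId meta tag in the
    response body, so page_html must be supplied for those.
    """
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() != "www.youtube.com":   # host as listed on the page
        return None
    m = re.match(r"^/channel/([A-Za-z0-9_-]+)", parsed.path)
    if m:
        return m.group(1)
    is_user = parsed.path.startswith("/user/")
    is_watch = parsed.path == "/watch" and "v" in parse_qs(parsed.query)
    if (is_user or is_watch) and page_html:
        m = META_CHANNEL_ID.search(page_html)
        return m.group(1) if m else None
    return None


def youtube_channel_verdict(status, channel_ids, url, page_html=None):
    """Apply youtube-channel-status to one request.

    status: "whitelist" (only listed channels allowed) or "blacklist"
    (listed channels blocked, everything else allowed). Requests without a
    channel identifier return "not-applicable" and are left to the rest of
    the profile (an assumption about scope).
    """
    cid = channel_id_for_request(url, page_html)
    if cid is None:
        return "not-applicable"
    listed = cid in set(channel_ids)
    if status == "whitelist":
        return "allow" if listed else "block"
    if status == "blacklist":
        return "block" if listed else "allow"
    raise ValueError(f"unknown youtube-channel-status {status!r}")


# Constructed response fragments: the first carries the channel id from the
# page, the second a placeholder id for some other channel.
PAGE_CHANNEL = "UCGzuiiLdQZu9wxDNJHO_JnA"
HTML_PAGE_CHANNEL = ('<html><head><meta itemprop="channelId" '
                     f'content="{PAGE_CHANNEL}"></head></html>')
HTML_OTHER_CHANNEL = ('<html><head><meta itemprop="channelId" '
                      'content="UCxxxxxxxxxxxxxxxxxxxxxx"></head></html>')


if __name__ == "__main__":
    allowed = [PAGE_CHANNEL]
    print(youtube_channel_verdict("whitelist", allowed,
                                  f"https://www.youtube.com/channel/{PAGE_CHANNEL}"))
    print(youtube_channel_verdict("whitelist", allowed,
                                  "https://www.youtube.com/watch?v=abc123", HTML_OTHER_CHANNEL))
    print(youtube_channel_verdict("blacklist", allowed,
                                  "https://www.youtube.com/user/someuser", HTML_PAGE_CHANNEL))
```

The /user/ and /watch forms show why this filter lives under Proxy Options: the channel id is only visible in the HTTPS response body, so the request has to be proxied and deep-inspected before the decision can be made.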

Log all search keywords

Use this feature to log all search phrases.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Search Engines section.
  2. Enable Log all search keywords.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        config web
            set log-search enable
        end
    next
end

Restrict Google account usage to specific domains

Use this feature to block access to some Google accounts and services while allowing access to accounts in the domains in the exception list.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Enable Restrict Google account usage to specific domains.
  3. Select the + button and enter the domains whose Google accounts are allowed, for example, www.fortinet.com.

When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through. Traffic from other domains is blocked.

HTTP POST Action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading to a web server.

The action options are Allow or Block. The default is Allow.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. For HTTP POST Action, select Allow or Block.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        set post-action {normal | block}
        config ftgd-wf
            unset options
        end
    next
end

Remove Java applets, remove ActiveX, and remove cookies

The Remove Java Applets feature filters java applets from web traffic. Websites using java applets might not function properly if you enable this filter.

The Remove ActiveX feature filters ActiveX scripts from web traffic. Websites using ActiveX might not function properly if you enable this filter.

The Remove Cookies feature filters cookies from web traffic. Websites using cookies might not function properly if you enable this filter.

To enable this feature in the GUI:

  1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
  2. Select the filters you want to use: Remove Java Applets, Remove ActiveX, and/or Remove Cookies.

To enable this feature in the CLI:

config webfilter profile
    edit "webfilter"
        set options activexfilter cookiefilter javafilter    <-- enable one or more of activexfilter, cookiefilter, javafilter
        config ftgd-wf
            unset options
        end
    next
end

External resources for webfilter

Introduction

External Resources is a new feature introduced in FortiOS 6.0, which provides a capability to import an external blacklist which sits on an HTTP server. This feature helps FortiGate retrieve a dynamic URL/Domain Name/IP Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as web filter’s remote categories, DNS filter’s remote categories, policy address objects or AntiVirus profile’s malware definitions. If the external resource is updated, FortiGate objects will update dynamically.

External Resources are categorized into 4 types:

  • URL list (Type=category)
  • Domain Name list (Type=domain)
  • IP Address list (Type=address)
  • Malware hash list (Type=malware)

A Web Filter profile can use category type external resources. A category type external resource file is a list of URL entries in a plain text file.

When a category type external resource is configured in a Web Filter profile, it is treated as a Remote Category. If the URL in an HTTP/HTTPS request matches an entry in this external resource file, the request is rated as that Remote Category and follows the action configured for the category in the Web Filter profile.

A category type external resource can also be used in an ssl-ssh-profile for category-based SSL exemption. When a Remote Category is configured under SSL-Exempt in an ssl-ssh-profile and an HTTPS request's URL matches an entry in the Remote Category's list, the HTTPS request to that URL is exempted from SSL deep inspection.

External Resources File Format

External Resources File should follow the following requirements:

  • The external resource file is a plain text file; each URL / IP address / domain name occupies a single line.
  • The file is limited to 10 MB, the number of lines is limited to 128K (128 x 1024 entries), and each line is limited to 4K characters.
  • The number of entries is also subject to the table size limit defined by the CMDB for each model.
  • The external resource update period can be set from 1 minute (hourly, daily, weekly) up to monthly (43200 minutes, 30 days).
  • Category type (URL list) and domain type (domain name list) external resources share the category number range 192-221 (30 categories in total).
  • There is no duplicate entry validation for external resource files, neither within one file nor across different files.

For URL list (Type=category):

  • The scheme is optional and is truncated if found (http:// or https:// is not needed).
  • Wildcard (*) is supported from 6.2. It is supported at the beginning or the end of a URL, but not in the middle:
    + supported: *.domain2.com, domain.com.*
    + not supported: domain3.*.com
  • IDN (International Domain Name) and UTF-encoded URLs are supported from 6.2.
  • IPv4 and IPv6 format URLs are supported. IPv6 addresses in the URL list must be written in [ ] form.
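The file rules above are easy to get wrong by hand, and FortiGate does not check for duplicates. The validator below is an added example, not Fortinet code: it normalizes each entry the way the rules describe and reports the lines a FortiGate would mishandle. The sample list and the blank-line handling are assumptions made here.

```python
"""Validate a FortiOS external-resource URL list (Type=category) before publishing it.

Added example, not Fortinet code. It applies the file rules described above: plain text,
one entry per line, scheme optional and stripped, '*' only at the start or end of an
entry, IPv6 hosts in [ ] form, 4K characters per line, 128K lines and 10 MB per file.
It also flags duplicate entries, which FortiGate itself does not validate. The sample
list is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

MAX_LINE_LEN = 4 * 1024             # 4K characters per line
MAX_LINES = 128 * 1024              # 128K entries per file
MAX_FILE_BYTES = 10 * 1024 * 1024   # 10 MB per file

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize_entry(raw: str) -> str:
    """Strip surrounding whitespace and any URL scheme (http://, https:// are not needed)."""
    return SCHEME_RE.sub("", raw.strip(), count=1)


def check_entry(entry: str) -> List[str]:
    """Return the problems found in one normalized entry; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(entry) > MAX_LINE_LEN:
        problems.append("line longer than 4K characters")
    # A wildcard is only supported as the first or the last character (*.domain2.com, domain.com.*).
    if "*" in entry[1:-1]:
        problems.append("wildcard '*' in the middle of the URL is not supported")
    # Look at the host part only (before the first '/'), without leading/trailing wildcards.
    host = entry.split("/", 1)[0].strip("*")
    if host.startswith("["):
        close = host.find("]")
        if close == -1:
            problems.append("IPv6 host must be enclosed in [ ]")
        else:
            try:
                ipaddress.IPv6Address(host[1:close])
            except ValueError:
                problems.append("invalid IPv6 address inside [ ]")
    elif host.count(":") > 1:
        problems.append("bare IPv6 address must be written in [ ] form")
    return problems


def validate_file(text: str) -> Tuple[List[str], Dict[int, List[str]]]:
    """Validate a whole file. Returns (accepted entries in order, {line number: problems}).

    Line number 0 holds file-level problems. Blank lines are skipped (assumed harmless)."""
    accepted: List[str] = []
    errors: Dict[int, List[str]] = {}
    seen: Set[str] = set()
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        errors[0] = ["file larger than 10 MB"]
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        errors.setdefault(0, []).append("more than 128K lines")
    for number, raw in enumerate(lines, start=1):
        entry = normalize_entry(raw)
        if not entry:
            continue
        problems = check_entry(entry)
        key = entry.lower()
        if key in seen:
            problems.append("duplicate entry (FortiGate does not check for duplicates)")
        seen.add(key)
        if problems:
            errors[number] = problems
        else:
            accepted.append(entry)
    return accepted, errors


# Constructed sample list: lines 2, 5 and 7 violate the rules above.
SAMPLE_LIST = """\
http://www.example.com/blocked/path
https://www.example.com/blocked/path
*.domain2.com
domain.com.*
domain3.*.com
[2001:db8::1]/malware
2001:db8::2/malware
192.0.2.10/payload
"""

if __name__ == "__main__":
    ok, bad = validate_file(SAMPLE_LIST)
    print("accepted:", ok)
    for number, problems in sorted(bad.items()):
        print(f"line {number}: {'; '.join(problems)}")
```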

Configure External Resources from CLI

Use the CLI to configure external resource files located on an external HTTP server. Under Global, configure the external resource file location and specify the resource type.

Web Filter uses category type external resources as Remote Categories. In the following example, the file Ext-Resource-Type-as-Category-1.txt is configured with type category; Web Filter treats it as a Remote Category named Ext-Resource-Type-as-Category-1 with category-id 192:

config system external-resource
    edit "Ext-Resource-Type-as-Category-1"
        set type category    <-- resource type
        set category 192     <-- remote category id (range 192-221)
        set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Category-1.txt"
        set refresh-rate 1
    next
end

Now, in each VDOM, the category type external resource can be used in Web Filter as a Remote Category. In the example above, the URL list in the "Ext-Resource-Type-as-Category-1.txt" file is treated as a remote category (category-id 192). Configure the action for this remote category in the Web Filter profile and apply the profile in a policy:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 2
                    set action warning
                next
                ......
                edit 24
                    set category 192     <-- remote category
                    set action block
                next
                edit 25
                    set category 221
                    set action warning
                next
                edit 26
                    set category 193
                next
            end
        end
        set log-all-url enable
    next
end

config firewall policy
    edit 1
        set name "WebFilter"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webfilter-profile "webfilter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Configure External Resources from GUI

Configure, edit, or view the entries of external resources from the GUI.

  1. Go to GUI > Global > Fabric Connectors.
  2. Click Create New and select Threat Feeds, type FortiGuard.
  3. Enter the Resource Name, the URL Location of the resource file, the resource authentication credentials, the Refresh Rate, and an optional comment, then click OK to finish the Threat Feeds configuration.
  4. After a few minutes, double-click the Threat Feeds object you just configured. In the Edit page, click View Entries to view the entry list in the external resources file.
  5. Go to GUI > VDOM > Web Filter Profile. The configured external resource is shown and can be configured in each Web Filter Profile.

Log Example

If an HTTP/HTTPS request URL matches an entry in the Remote Category's list, the match overrides the original FortiGuard URL rating and the request is treated as the Remote Category.

GUI > VDOM > Log & Report > Web Filter:

CLI Example:

1: date=2019-01-18 time=15:49:15 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1547855353 policyid=1 sessionid=88922 srcip=10.1.100.18 srcport=39886 srcintf="port10" srcintfrole="undefined" dstip=216.58.193.67 dstport=443 dstintf="port9" dstintfrole="undefined" proto=6 service="HTTPS" hostname="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=752 rcvdbyte=10098 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=192 catdesc="Ext-Resource-Type-as-Category-1"

Remote Category in ssl-ssh-profile category-based SSL-Exempt

Remote Category can be applied in ssl-ssh-profile category-based SSL-Exempt.

GUI > VDOM > Security Profiles > SSL/SSH Inspection:

HTTPS Request URL matched in this Remote Category will be exempted from SSL Deep Inspection.

Log example:

3: date=2019-01-18 time=16:06:21 logid="0345012688" type="utm" subtype="webfilter" eventtype="ssl-exempt" level="information" vd="vdom1" eventtime=1547856379 policyid=1 sessionid=90080 srcip=10.1.100.18 srcport=39942 srcintf="port10" srcintfrole="undefined" dstip=216.58.193.67 dstport=443 dstintf="port9" dstintfrole="undefined" proto=6 service="HTTPS" hostname="www.fortinet.com" profile="webfilter" action="passthrough" reqtype="direct" url="/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="The SSL session was exempted." method="domain" cat=192 catdesc="Ext-Resource-Type-as-Category-1" urlsource="exempt_type_user_cat"
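Both log lines carry cat=192, which is what distinguishes a Remote Category verdict from a FortiGuard rating. The parser below is an added example, not Fortinet code: it reads FortiOS key=value log lines (the two from this page plus one constructed FortiGuard line) and labels each verdict by its category source.

```python
"""Parse FortiOS webfilter log lines and tell Remote Category hits from FortiGuard ones.

Added example, not Fortinet code. Two of the sample lines are the ones shown on this page
(a category block and an SSL exemption, both for Remote Category 192); the third is
constructed to show a normal FortiGuard category verdict. The parser handles any
FortiOS key=value / key="quoted value" log line.
"""
import re
from typing import Dict, List

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Remote Categories (category/domain type external resources) share ids 192-221.
REMOTE_CAT_MIN, REMOTE_CAT_MAX = 192, 221

SAMPLE_LOGS: List[str] = [
    # From the page: HTTPS request blocked because its URL is in the Remote Category list.
    '1: date=2019-01-18 time=15:49:15 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1547855353 policyid=1 '
    'sessionid=88922 srcip=10.1.100.18 srcport=39886 srcintf="port10" srcintfrole="undefined" '
    'dstip=216.58.193.67 dstport=443 dstintf="port9" dstintfrole="undefined" proto=6 '
    'service="HTTPS" hostname="www.fortinet.com" profile="webfilter" action="blocked" '
    'reqtype="direct" url="/" sentbyte=752 rcvdbyte=10098 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=192 '
    'catdesc="Ext-Resource-Type-as-Category-1"',
    # From the page: the same Remote Category used for category-based SSL exemption.
    '3: date=2019-01-18 time=16:06:21 logid="0345012688" type="utm" subtype="webfilter" '
    'eventtype="ssl-exempt" level="information" vd="vdom1" eventtime=1547856379 policyid=1 '
    'sessionid=90080 srcip=10.1.100.18 srcport=39942 srcintf="port10" srcintfrole="undefined" '
    'dstip=216.58.193.67 dstport=443 dstintf="port9" dstintfrole="undefined" proto=6 '
    'service="HTTPS" hostname="www.fortinet.com" profile="webfilter" action="passthrough" '
    'reqtype="direct" url="/" sentbyte=517 rcvdbyte=0 direction="outgoing" '
    'msg="The SSL session was exempted." method="domain" cat=192 '
    'catdesc="Ext-Resource-Type-as-Category-1" urlsource="exempt_type_user_cat"',
    # Constructed: an ordinary FortiGuard category (52 = Information Technology) allowed.
    'type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vdom1" '
    'hostname="www.example.com" profile="webfilter" action="passthrough" url="/" '
    'msg="URL belongs to an allowed category in policy" cat=52 catdesc="Information Technology"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict, dropping a leading 'N:' index from `execute log display`."""
    body = re.sub(r"^\s*\d+:\s*", "", line)
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_remote_category(rec: Dict[str, str]) -> bool:
    """True when the verdict came from a Remote Category rather than a FortiGuard rating."""
    try:
        return REMOTE_CAT_MIN <= int(rec.get("cat", "")) <= REMOTE_CAT_MAX
    except ValueError:
        return False


def classify(rec: Dict[str, str]) -> str:
    """Label a webfilter record as <outcome>:<remote|fortiguard>."""
    if rec.get("subtype") != "webfilter":
        return "not-webfilter"
    source = "remote" if is_remote_category(rec) else "fortiguard"
    if rec.get("eventtype") == "ssl-exempt":
        return f"ssl-exempt:{source}"
    if rec.get("action") == "blocked":
        return f"blocked:{source}"
    return f"{rec.get('action', 'unknown')}:{source}"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count verdict labels over a batch of log lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = classify(parse_log_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_log_line(line)
        print(rec.get("hostname"), rec.get("cat"), rec.get("catdesc"), "->", classify(rec))
    print(summarize(SAMPLE_LOGS))
```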

Local Category and Remote Category Priority

Web Filter can have both local category and remote category at the same time. There’s no duplication check between local category URL override and remote category resource file. For example, a URL like www.example.com may be shown both in remote category entry list and in FortiGate’s local category URL override configuration. We recommend avoiding this scenario since FortiGate does not check for duplicates. However, if a URL is duplicated in both local category and remote category, it is rated as local category.


File filter for webfilter


Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Web filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. Currently, File Filtering in Web filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Web filter profile supports the following file types:

File Type Name   Description
all              Match any file
7z               Match 7-zip files
arj              Match arj compressed files
cab              Match Windows cab files
lzh              Match lzh compressed files
rar              Match rar archives
tar              Match tar files
zip              Match zip files
bzip             Match bzip files
gzip             Match gzip files
bzip2            Match bzip2 files
xz               Match xz files
bat              Match Windows batch files
msc              Match msc files
uue              Match uue files
mime             Match mime files
base64           Match base64 files
binhex           Match binhex files
bin              Match bin files
elf              Match elf files
exe              Match Windows executable files
hta              Match hta files
html             Match html files
jad              Match jad files
class            Match class files
cod              Match cod files
javascript       Match javascript files
msoffice         Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex        Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg              Match fsg files
upx              Match upx files
petite           Match petite files
aspack           Match aspack files
prc              Match prc files
sis              Match sis files
hlp              Match Windows help files
activemime       Match activemime files
jpeg             Match jpeg files
gif              Match gif files
tiff             Match tiff files
png              Match png files
bmp              Match bmp files
ignored          Match ignored files
unknown          Match unknown files
mpeg             Match mpeg files
mov              Match mov files
mp3              Match mp3 files
wma              Match wma files
wav              Match wav files
pdf              Match pdf files
avi              Match avi files
rm               Match rm files
torrent          Match torrent files
msi              Match Windows Installer msi bzip files
mach-o           Match Mach object files
dmg              Match Apple disk image files
.net             Match .NET files
xar              Match xar archive files
chm              Match Windows compiled HTML help files
iso              Match ISO archive files
crx              Match Chrome extension files

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Web filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Web filter profile.

To block or log a file type, configure file filter entries. Within each entry, specify the file type, the action (log|block), the protocol to inspect (http|ftp), the traffic direction to inspect (incoming|outgoing|any), and whether to match only encrypted files. Each file filter entry can specify multiple file types. File filter entries are ordered; however, a block takes precedence over a log.

In the CLI example below, we want to file filter the following using Web filter profile:

  1. Block PDFs from entering or leaving our network (filter1).
  2. Log the download of some graphics file types via HTTP (filter2).
  3. Block EXE files from leaving our network via FTP (filter3).
config webfilter profile
    edit "webfilter-file-filter"
        config file-filter
            set status enable                  <-- enable/disable file filtering
            set log enable                     <-- enable/disable logging for file filtering
            set scan-archive-contents enable   <-- scan files inside archives such as ZIP, RAR, etc.
            config entries
                edit "filter1"
                    set comment "Block PDF files"
                    set protocol http ftp          <-- inspect HTTP and FTP traffic
                    set action block               <-- block the file once the file type is matched
                    set direction any              <-- inspect both incoming and outgoing traffic
                    set encryption any             <-- inspect both encrypted and unencrypted files
                    set file-type "pdf"            <-- the file type to match
                next
                edit "filter2"
                    set comment "Log graphics files"
                    set protocol http              <-- inspect only HTTP traffic
                    set action log                 <-- log the file once the file type is matched
                    set direction incoming         <-- inspect only incoming traffic
                    set encryption any
                    set file-type "jpeg" "png" "gif"   <-- multiple file types can be configured in a single entry
                next
                edit "filter3"
                    set comment "Block upload of EXE files"
                    set protocol ftp               <-- inspect only FTP traffic
                    set action block               <-- block the file once the file type is matched
                    set direction outgoing         <-- inspect only outgoing traffic
                    set encryption any
                    set file-type "exe"
                next
            end
        end
    next
end
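To see how the three entries above interact, including the rule that a block wins over a log regardless of entry order, here is an added example (not FortiOS code) that models them against constructed sample files. File type is taken from the leading bytes, matching the page's note that only file metadata is inspected; the magic-byte table, the sample files and the Entry field names are assumptions made here.

```python
"""Model of the three file-filter entries configured above, applied to sample files.

Added example, not FortiOS code. File type is taken from the leading bytes
(file metadata rather than content, as the page describes), the entries are
evaluated in order, and a block from any entry takes precedence over a log.
The magic-byte table, the sample files and the entry field names are
constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Leading bytes per file-type name as used in `set file-type`. Constructed, not FortiOS's detector.
MAGIC: List[Tuple[str, bytes]] = [
    ("pdf", b"%PDF-"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF8"),
    ("exe", b"MZ"),
    ("zip", b"PK\x03\x04"),
]


def sniff_file_type(data: bytes) -> str:
    """Return the file-type name for the data, or 'unknown' when no magic matches."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


@dataclass
class Entry:
    """One `config entries` item: file types, action, protocols, direction, encryption."""
    name: str
    file_types: List[str]           # "all" matches any file type
    action: str                     # "block" or "log"
    protocols: List[str]            # subset of ["http", "ftp"]
    direction: str = "any"          # "incoming", "outgoing" or "any"
    encryption: str = "any"         # "any", or "encrypted" to match only encrypted files (assumed value)

    def matches(self, ftype: str, protocol: str, direction: str, encrypted: bool) -> bool:
        if protocol not in self.protocols:
            return False
        if self.direction != "any" and self.direction != direction:
            return False
        if self.encryption == "encrypted" and not encrypted:
            return False
        return "all" in self.file_types or ftype in self.file_types


# The entries from the CLI example; filter3 is modelled as a block, per its stated intent.
ENTRIES = [
    Entry("filter1", ["pdf"], "block", ["http", "ftp"], "any"),
    Entry("filter2", ["jpeg", "png", "gif"], "log", ["http"], "incoming"),
    Entry("filter3", ["exe"], "block", ["ftp"], "outgoing"),
]


def evaluate(entries: List[Entry], data: bytes, protocol: str,
             direction: str, encrypted: bool = False) -> Tuple[str, Optional[str]]:
    """Return (action, entry name): 'block' beats 'log', which beats 'pass' (no match)."""
    ftype = sniff_file_type(data)
    decision: Tuple[str, Optional[str]] = ("pass", None)
    for entry in entries:
        if not entry.matches(ftype, protocol, direction, encrypted):
            continue
        if entry.action == "block":
            return "block", entry.name        # block always wins, regardless of entry order
        if decision[0] == "pass":
            decision = ("log", entry.name)    # first matching log entry is recorded
    return decision


# Constructed sample files: only the leading bytes matter for the sniffer.
SAMPLE_PDF = b"%PDF-1.7\n%constructed sample\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLE_ZIP = b"PK\x03\x04\x14\x00\x00\x00"

if __name__ == "__main__":
    for label, data, proto, direction in [
        ("PDF download over HTTP", SAMPLE_PDF, "http", "incoming"),
        ("PNG download over HTTP", SAMPLE_PNG, "http", "incoming"),
        ("PNG upload over HTTP", SAMPLE_PNG, "http", "outgoing"),
        ("EXE upload over FTP", SAMPLE_EXE, "ftp", "outgoing"),
        ("EXE upload over HTTP", SAMPLE_EXE, "http", "outgoing"),
        ("ZIP download over HTTP", SAMPLE_ZIP, "http", "incoming"),
    ]:
        print(f"{label:25s} -> {evaluate(ENTRIES, data, proto, direction)}")
```

Archive contents (scan-archive-contents) are not modelled, so the ZIP sample passes even if it contained a PDF.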

After configuring File Filter in Webfilter profile we must apply it to a firewall policy using the following command:

config firewall policy
    edit 1
        set name "client-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set utm-inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter-file-filter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Log Example

GUI > VDOM > Log & Report > Web Filter:

Reliable webfilter statistics


Introduction

FortiOS 6.2.0 provides command line tools to view the webfilter statistics report. These command line tools currently fall into either proxy-based or flow-based webfilter statistics commands.

Proxy-based webfilter statistics report

  • The proxy-based webfilter statistics command line tools are as follows. These commands are available in both the global and the per-VDOM command line.

(global) # diagnose wad filter        <-- define the objects of interest for the output
(global) # diag wad ?
console-log   Send WAD log messages to the console.
debug         Debug setting.
stats         Show statistics.
filter        Filter for listing sessions or tunnels.   <-- use filter to select the objects of interest for the output
kxp           SSL KXP diagnostics.
user          User diagnostics.
memory        WAD memory diagnostics.
restore       Restore configuration defaults.
history       Statistics history.
session       Session diagnostics.
tunnel        Tunnel diagnostics.
webcache      Web cache statistics.
worker        Worker diagnostics.
csvc          Cache service diagnostics.

(global) # diagnose wad stats filter list/clear        <-- list/clear the web filtering/DLP statistics report

  • In the example below, there are two VDOMs using proxy-based policies with webfilter profiles enabled. The command line can be used to view the proxy-based webfilter statistics report.

(global) # diag wad filter ?
list                   Display current filter.
clear                  Erase current filter settings.
src                    Source address range to filter by.
dst                    Destination address range to filter by.
sport                  Source port range to filter by.
dport                  Destination port range to filter by.
vd                     Virtual Domain Name.      <-- filter for the per-VDOM or global statistics report
explicit-policy        Index of explicit-policy. -1 matches all.
firewall-policy        Index of firewall-policy. -1 matches all.
drop-unknown-session   Enable drop message unknown sessions.
negate                 Negate the specified filter parameter.
protocol               Select protocols to filter by.

FGT_600D-ICAP-NAT (global) # diag wad filter vd
<vdom>    Virtual Domain Name.
ALL       all vdoms
root      vdom
vdom1     vdom

FGT_600D-ICAP-NAT (global) # diag wad filter vd root      <-- filter for the root VDOM statistics
Drop_unknown_session is enabled.

FGT_600D-ICAP-NAT (global) # diag wad stats filter list
filtering of vdom root                <-- web filter statistics for the root VDOM
dlp          = 0      <-- number of requests processed by a DLP sensor
content-type = 0      <-- number of requests matching a content-type filter
urls:
  examined   = 6      <-- number of requests examined by the proxy web filter (all wad daemons)
  allowed    = 3      <-- number of examined requests that were allowed
  blocked    = 0      <-- number of examined requests that were blocked
  logged     = 0      <-- number of examined requests that were logged
  overridden = 0      <-- number of examined requests overridden to another webfilter profile

FGT_600D-ICAP-NAT (global) # diag wad filter vd vdom1     <-- filter for the vdom1 statistics

FGT_600D-ICAP-NAT (global) # diag wad stats filter list
filtering of vdom vdom1               <-- web filter statistics for vdom1
dlp          = 0
content-type = 0
urls:
  examined   = 13
  allowed    = 2
  blocked    = 9
  logged     = 8
  overridden = 0

FGT_600D-ICAP-NAT (global) # diag wad filter vd ALL

FGT_600D-ICAP-NAT (global) # diag wad stats filter list
filtering of all accessible vdoms     <-- the global statistics are the sum of the two VDOMs
dlp          = 0
content-type = 0
urls:
  examined   = 19
  allowed    = 5
  blocked    = 9
  logged     = 8
  overridden = 0

Flow-based webfilter statistics report

  • The flow-based webfilter statistics command line tools are as follows. These commands are available in the global command line only.

(global) # diag test app ipsmonitor
IPS Engine Test Usage:
1: Display IPS engine information
2: Toggle IPS engine enable/disable status
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now
10: IPS queue length
11: Clear IPS queue length
12: IPS L7 socket statistics
13: IPS session list
14: IPS NTurbo statistics
15: IPSA statistics
18: Display session info cache
19: Clear session info cache
21: Reload FSA malicious URL database
22: Reload whitelist URL database
24: Display Flow AV statistics
25: Reset Flow AV statistics
27: Display Flow urlfilter statistics
28: Reset Flow urlfilter statistics
29: Display global Flow urlfilter statistics     <-- list the flow web filtering statistics
30: Reset global Flow urlfilter statistics       <-- reset the flow web filtering statistics
96: Toggle IPS engines watchdog timer
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor

  • In the example below, there are two VDOMs using flow-based policies with webfilter profiles enabled. The command line can be used to view the flow-based webfilter statistics report.

(global) # diag test app ipsmonitor 29
Global URLF states:
request: 14            <-- number of requests that the flow web filter (all IPS engines) received
response: 14           <-- number of responses that the flow web filter (all IPS engines) sent
pending: 0             <-- number of requests under processing at that moment
request error: 0       <-- number of requests that had an error
response timeout: 0    <-- number of responses the IPS engine did not receive in time
blocked: 12            <-- number of requests that the flow web filter blocked
allowed: 2             <-- number of requests that the flow web filter allowed

FortiSwitch 448D High Level Walk Through


A high level walk through of the FortiSwitch 448D and its feature set.

 

WTF Fortinet? Static Route Limit Complaints


Color me confused as to why the 200E has a 500 static route limit!

 

Introduction to DNS Filter


Most people who use the Internet use domain names. For example, people who access the Fortinet website type www.fortinet.com into their web browser. However, on the Internet, all websites, computers, or devices actually use IP addresses to locate the destination.

The Internet uses DNS (Domain Name System) to translate domain names into IP addresses. For example, when you type www.fortinet.com into your web browser, DNS maps this domain name to Fortinet's IP address to locate the Fortinet website on the Internet.

If you cannot see DNS Filter under Security Profiles, go to System > Feature Visibility > Security Features section and enable DNS Filter.

DNS primarily uses the UDP protocol on port 53 to serve address resolution requests.

The FortiGate DNS Filter inspects UDP port 53 traffic that traverses the FortiGate and, based on the DNS Filter profile configuration, makes an Allow, Monitor, Block, or Redirect decision for the inspected traffic.

FortiGate DNS Filter has the following features:

  • FortiGuard Filtering: filter the DNS request based on the domain's FortiGuard rating.
  • Botnet C&C Domain Blocking: block DNS requests for known botnet C&C domains.
  • External Dynamic Category Domain Filtering: define your own domain category.
  • DNS Safe Search: enforce Google, Bing, and YouTube safe addresses for parental controls.
  • Local Domain Filter: define your own domain list to block or allow.
  • External IP Block List: define your IP block list to block resolved IPs that match this list.
  • DNS Translation: map the resolved result to another IP you define.

Sample topology

The topics in this section use the following sample topology to explain how these DNS Filter features work and how to configure it. In this sample topology, there is an internal network and a FortiGate used as a gateway device, with all DNS traffic traversing the FortiGate.

How to configure and apply DNS filter profile


To create or configure DNS Filter profile in the GUI:

  1. Go to Security Profiles > DNS Filter.
  2. You can modify the default DNS Filter and enable the options you want, or you can click + at the top right to create a new DNS filter.

To create or configure DNS Filter profile in the CLI:

config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action block
                next
                ...
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:

  1. Go to Policy & Objects > IPv4 Policy or IPv6 Policy.
  2. In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:

config firewall policy
    edit 1
        set name "Demo"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set fsso disable
        set dnsfilter-profile "demo"     <<<==== apply the DNS Filter profile
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

FortiGuard category-based DNS domain filtering


You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard’s continually updated domain rating database for more reliable protection.

To configure FortiGuard category-based DNS Domain Filter by GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable FortiGuard Category Based Filter.
  3. Select the category and then select Allow, Monitor, or Block for that category.
  4. If you select Block, there are two options:
  • Redirect Portal IP. If the DNS query domain is blocked, FortiGate replaces the resolved IP in the DNS response packet with the portal IP. You can use the default portal IP 208.91.112.55 or click Specify to enter another portal IP.
  • Block. A blocked DNS query gets no response, so the DNS client times out.

To configure FortiGuard category-based DNS Domain Filter by CLI:

config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters     <<<==== FortiGuard Category Based Filter
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action monitor
                next
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect/block     <<<==== you can specify Block or Redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34   <<<==== specify the redirect portal IP
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end

Sample

To see an example of how this works, from a PC on your internal network use a command line tool such as dig or nslookup to send a DNS query for some domain, for example:

#dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11

;; QUESTION SECTION:
;; www.example.com.                 IN    A

;; ANSWER SECTION:
www.example.com.    17164  IN  A     93.184.216.34

;; AUTHORITY SECTION:
com.                20027  IN  NS    h.gtld-servers.net.
com.                20027  IN  NS    i.gtld-servers.net.
com.                20027  IN  NS    f.gtld-servers.net.
com.                20027  IN  NS    d.gtld-servers.net.
com.                20027  IN  NS    j.gtld-servers.net.
com.                20027  IN  NS    l.gtld-servers.net.
com.                20027  IN  NS    e.gtld-servers.net.
com.                20027  IN  NS    a.gtld-servers.net.
com.                20027  IN  NS    k.gtld-servers.net.
com.                20027  IN  NS    g.gtld-servers.net.
com.                20027  IN  NS    m.gtld-servers.net.
com.                20027  IN  NS    c.gtld-servers.net.
com.                20027  IN  NS    b.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net. 21999  IN  A     192.5.6.30
a.gtld-servers.net. 21999  IN  AAAA  2001:503:a83e::2:30
b.gtld-servers.net. 21997  IN  A     192.33.14.30
b.gtld-servers.net. 21997  IN  AAAA  2001:503:231d::2:30
c.gtld-servers.net. 21987  IN  A     192.26.92.30
c.gtld-servers.net. 20929  IN  AAAA  2001:503:83eb::30
d.gtld-servers.net. 3340   IN  A     192.31.80.30
d.gtld-servers.net. 3340   IN  AAAA  2001:500:856e::30
e.gtld-servers.net. 19334  IN  A     192.12.94.30
e.gtld-servers.net. 19334  IN  AAAA  2001:502:1ca1::30
f.gtld-servers.net. 3340   IN  A     192.35.51.30

;; Received 509 B
;; Time 2019-04-05 09:39:33 PDT
;; From 172.16.95.16@53(UDP) in 3.8 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS traffic that just traversed the FortiGate and the FortiGuard rating for this domain name.

To check the DNS log in the CLI:

# execute log filter category utm-dns
# execute log display
2 logs found.
2 logs returned.

1: date=2019-04-05 time=09:39:34 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"

2: date=2019-04-05 time=09:39:34 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"


Botnet C&C domain blocking


FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

To configure botnet C&C domain blocking in the GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Redirect botnet C&C requests to Block Portal.
  3. Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then, from a PC on your internal network, use a command line tool such as dig or nslookup to send a DNS query through the FortiGate and observe that the query is blocked as a botnet domain. For example:

#dig canind.co

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co.                   IN    A

;; ANSWER SECTION:
canind.co.          60     IN  A     208.91.112.55   <<<==== botnet domain query blocked, redirected with the portal IP

;; Received 43 B
;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS filter log in the CLI:

FGT600D (vdom1) # exe log filter category utm-dns
FGT600D (vdom1) # exe log display
2 logs found.
2 logs returned.

1: date=2019-04-04 time=16:43:59 logid="1501054601" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="canind.co"

2: date=2019-04-04 time=16:43:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24339 qname="canind.co" qtype="A" qtypeval=1 qclass="IN"

FortiSwitch Firmware Update Process (Mine)


The process I use when I update standalone FortiSwitches

Botnet C&C IPDB blocking


FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address (the resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C blocking.

To view the botnet IPDB list in the CLI:

(global) # diag sys botnet list 9000 10

  1. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0
  2. proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0
  3. proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0
  4. proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0
  5. proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0
  6. proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0
  7. proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0
  8. proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0
  9. proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0
  10. proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0

To see an example of how DNS filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use an Internet reverse lookup service to find its corresponding domain name. Then, from a PC on your internal network, use a command line tool such as dig or nslookup to query this domain and observe that it is blocked by DNS Filter botnet C&C blocking. For example:

# dig cpe-98-25-53-166.sc.res.rr.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; cpe-98-25-53-166.sc.res.rr.com.            IN     A

;; ANSWER SECTION:
cpe-98-25-53-166.sc.res.rr.com. 60 IN A  208.91.112.55   <<<==== since the resolved IP address matches the botnet IPDB, the DNS query is blocked with the redirect portal IP

;; Received 64 B
;; Time 2019-04-05 11:06:47 PDT
;; From 172.16.95.16@53(UDP) in 0.6 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.

To check the DNS filter log in the CLI:

1: date=2019-04-05 time=11:06:48 logid=”1501054600″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=16265 qname=”cpe98-25-53-166.sc.res.rr.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msgg=”Domain was blocked by dns botnet C&C” action=”redirect” botnetip=98.25.53.166

2: date=2019-04-05 time=11:06:48 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcip=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN"

To check botnet activity:

  1. Go to Dashboard > Status and see the Botnet Activity widget.

If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and add the Botnet Activity widget.

External Resources for DNS filter

Introduction

External Resources is a new feature introduced in FortiOS 6.0. It lets FortiGate dynamically import an external blacklist hosted on an HTTP server: FortiGate periodically retrieves a dynamic URL, domain name, IP address, or malware hash list from the external HTTP server. FortiGate uses these external resources as Web Filter remote categories, DNS Filter remote categories, policy address objects, or antivirus profile malware definitions. When an external resource file is updated, the corresponding FortiGate objects are updated dynamically.

External Resource is divided into four types:

  • URL list (Type=category)
  • Domain Name List (Type=domain)
  • IP Address list (Type=address)
  • Malware hash list (Type=malware)

Remote categories and external IP block list

The DNS Filter profile can use two types of external resources: domain type and address type. A domain type resource file is a domain name list, and an address type resource file is an IP address list.

When a domain type external resource is configured, it is treated as a Remote Category in DNS Filter profile. If the domain name in DNS Query matches the entry in this external resource file, it is treated as the Remote Category and follows the action configured for this category in DNS Filter profile.

When an address type external resource is configured, it can be enabled as external-ip-blocklist in DNS Filter profile. If DNS resolved IP address in DNS response matches the entry in the external-ip-blocklist, this DNS Query is blocked by DNS Filter.

External Resources file format

File format requirements for External Resources file:

  • The file is in plain text format, with each URL, IP address, or domain name occupying one line.
  • The file is limited to 10 MB and to 128 x 1024 entries (one entry per line); the line length limit is 4 KB characters.
  • The entry limit also follows the table size limitation defined by CMDB per model.
  • The External Resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 minutes, 30 days).
  • External Resources of type category (URL list) and type domain (Domain Name list) share the category number range 192-221 (a total of 30 categories).
  • There is no duplicate entry validation for External Resources files (neither within one file nor across different files).

For Domain Name list (Type=domain):

  • A simple wildcard is allowed in the domain name list, for example: *.test.com.
  • IDN (International Domain Name) is supported.

For IP Address list (Type=address):

  • An IP address entry can be a single IP address, a subnet address, or an address range, for example, 192.168.1.1, 192.168.10.0/24, 192.168.100.1-192.168.100.254.
  • An address can be an IPv4 or IPv6 address; for Type=address, an IPv6 address does not need to be in [ ] format.
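The file format rules above, as an added example that is not part of the original page or of FortiOS: a small Python parser for domain and address type resource files, plus a function that applies them in the order a DNS Filter profile does (remote category on the queried name, then external-ip-blocklist on the resolved IP). The blank-line handling and the rule that a wildcard covers subdomains but not the apex are assumptions; the sample lists are constructed.

```python
import ipaddress

MAX_LINE_CHARS = 4 * 1024  # per-line limit stated for External Resources files (4 KB)

def _entries(text):
    """Yield one entry per non-empty line, enforcing the 4 KB line limit."""
    for line in (raw.strip() for raw in text.splitlines()):
        if len(line) > MAX_LINE_CHARS:
            raise ValueError("entry exceeds the 4 KB line limit")
        if line:  # assumption: blank lines are ignored
            yield line

class DomainList:
    """Type=domain resource: exact names plus simple '*.' wildcards such as *.test.com.
    Assumption: a wildcard covers subdomains only, not the apex itself."""
    def __init__(self, text):
        self.exact, self.suffixes = set(), []
        for name in (e.lower().rstrip(".") for e in _entries(text)):
            if name.startswith("*."):
                self.suffixes.append(name[1:])  # "*.test.com" -> ".test.com"
            else:
                self.exact.add(name)

    def matches(self, qname):
        q = qname.lower().rstrip(".")
        return q in self.exact or any(q.endswith(s) for s in self.suffixes)

class AddressList:
    """Type=address resource: single IPs, subnets, or lo-hi ranges, IPv4 or IPv6."""
    def __init__(self, text):
        self.nets, self.ranges = [], []
        for entry in _entries(text):
            if "-" in entry:  # range form: 192.168.100.1-192.168.100.254
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                self.ranges.append((lo, hi))
            else:             # single address or CIDR subnet
                self.nets.append(ipaddress.ip_network(entry, strict=False))

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)  # IPv4/IPv6 mixes never match
        return (any(addr in n for n in self.nets) or
                any(lo.version == addr.version and lo <= addr <= hi for lo, hi in self.ranges))

def dns_filter_action(qname, resolved_ip, remote_category, ip_blocklist, category_action="block"):
    """Apply a profile's remote-category check, then its external-ip-blocklist check."""
    if remote_category.matches(qname):
        return category_action  # action configured for the remote category
    if ip_blocklist.matches(resolved_ip):
        return "block"  # resolved IP is in the external-ip-blocklist
    return "pass"

SAMPLE_DOMAIN_LIST = "bad.example\n*.test.com\n"  # constructed sample, not a real feed
SAMPLE_ADDRESS_LIST = "192.168.1.1\n192.168.10.0/24\n192.168.100.1-192.168.100.254\n2001:db8::1\n"
```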

Configure External Resources from CLI

You can use CLI to configure External Resources files in an external HTTP server. Under Global, configure the External Resources file location and specify the resource type. DNS Filter can use domain type and address type external resources.

In the following example, a file "Ext-Resource-Type-as-Domain-1.txt" is configured as type domain; DNS Filter treats it as a Remote Category named "Ext-Resource-Type-as-Domain-1" with category-id 194. Another external resource file, "Ext-Resource-Type-as-Address-1.txt", is configured as type address, and the resulting address object is named "Ext-Resource-Type-as-Address-1":

config system external-resource
    edit "Ext-Resource-Type-as-Domain-1"
        set type domain      <<<====
        set category 194     <<<====
        set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt"
        set refresh-rate 1
    next
    edit "Ext-Resource-Type-as-Address-1"
        set status enable
        set type address     <<<====
        set username ''
        set password
        set comments ''
        set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-1.txt"
        set refresh-rate 1
    next
end

In each VDOM, a domain type external resource can be used in DNS Filter as a Remote Category. In the above example, the domain name list in the "Ext-Resource-Type-as-Domain-1.txt" file is treated as a remote category (category-id 194). The IP address list in the "Ext-Resource-Type-as-Address-1.txt" file can be applied in DNS Filter as the external-ip-blocklist: if the DNS resolved IP address matches any entry in that file, the DNS query is blocked. Configure the action for this remote category, set external-ip-blocklist in a DNS Filter profile, and apply the profile in a policy:

config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config ftgd-dns
            config filters
                edit 1
                    set category 194    <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt treated as remote category 194
                    set action block
                next
                edit 2
                    set category 12
                next
                edit 3
                next
            end
        end
        set block-botnet enable
        set external-ip-blocklist "Ext-Resource-Type-as-Address-1"    <<<==== IP address list in the Ext-Resource-Type-as-Address-1 file
    next
end

config firewall policy
    edit 1
        set name "DNSFilter"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set dnsfilter-profile "default"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Configure External Resources from GUI

To configure, edit, or view the entries for external resources from GUI:

  1. Go to Global > Security Fabric > Fabric Connectors.
  2. Click Create New and in the Threat Feeds section, select Domain Name or IP Address.
  3. Enter the Resource Name, URL, location of the resource file, resource authentication credentials, and Refresh Rate; and click OK to finish the Threat Feeds configuration.
  4. When the configuration is complete, double-click the Threat Feeds Object you just configured to open the Edit page; then click View Entries to view the entry list in the external resources file.
  5. Go to VDOM > DNS Filter and open a DNS filter profile. The configured external resources are displayed, and you can apply them in each DNS Filter profile as a remote category or as an external IP block list.

Log Example

Remote categories

In VDOM > Log & Report > DNS Query, domains that match the Remote Category list are rated as the Remote Category, overriding their original domain rating.

CLI Example:

1: date=2019-01-18 time=13:49:12 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1547848151 policyid=1 sessionid=82998 srcip=10.1.100.18 srcport=42985 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=196 catdesc="Ext-Resource-Type-as-Domain-3"

2: date=2019-01-18 time=13:49:12 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1547848151 policyid=1 sessionid=82998 srcip=10.1.100.18 srcport=42985 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"

External-IP-Block-Lists

You can use an address type external resource as the external-ip-blocklist in a DNS Filter profile. If the IP address resolved for a DNS query matches an entry in the external-ip-blocklist, the DNS query is blocked.

CLI Example:

1: date=2019-01-18 time=13:50:53 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1547848253 policyid=1 sessionid=83206 srcip=10.1.100.18 srcport=47281 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=7501 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="Ext-Resource-Type-as-Address-1"

2: date=2019-01-18 time=13:50:53 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1547848253 policyid=1 sessionid=83206 srcip=10.1.100.18 srcport=47281 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=7501 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"

DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine’s children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Enforce ‘Safe search’ on Google, Bing, YouTube.
  3. For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:

config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                next
            end
        end
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable    <<<==== DNS Filter Safe Search option
    next
end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example:

# dig www.bing.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.bing.com.                  IN  A

;; ANSWER SECTION:
www.bing.com.     103 IN  CNAME strict.bing.com. <<<====
strict.bing.com.  103 IN  A     204.79.197.220

;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns a CNAME strict.bing.com and an A record for that CNAME. The user's web browser then connects to this address and gets the same search engine UI, but any explicit content in search results is filtered out. Check the DNS Filter log for the message "DNS Safe Search enforced".

To check the DNS Filter Safe Search log in the CLI:

1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"

2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcip=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"
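The DNS Filter log examples shown for botnet C&C blocking, remote categories, external-ip-blocklist and safe search all share the same key=value layout, so one parser can sort them by mechanism. This added example is not part of the original page or of FortiOS; it decides the mechanism from the fields each log carries (botnetip, domainfilterlist, sscname, or a cat in the remote category range 192-221), and the sample lines are constructed from the page's examples with most fields trimmed.

```python
import re
from collections import defaultdict

# One FortiOS key=value pair; values may be "double quoted" with spaces inside.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one DNS Filter log line into a dict; a leading 'N: ' index is dropped."""
    return {k: (q or u) for k, q, u in _KV.findall(re.sub(r"^\d+:\s*", "", line))}

def classify(event):
    """Name which DNS Filter mechanism produced a dnsresponse event, else None."""
    if event.get("subtype") != "dns" or event.get("eventtype") != "dnsresponse":
        return None
    if "botnetip" in event:            # botnet C&C IPDB hit on the resolved IP
        return "botnet-cc"
    if "domainfilterlist" in event:    # external-ip-blocklist (logged as domain-filter list)
        return "external-ip-blocklist"
    if "sscname" in event:             # safe search rewrote the answer to a CNAME
        return "safe-search"
    if 192 <= int(event.get("cat", 0)) <= 221:  # remote category id range
        return "remote-category"
    return "fortiguard-category"

def summarize(lines):
    """Group (srcip, qname, action) per mechanism over a batch of log lines."""
    out = defaultdict(list)
    for ev in map(parse_log, lines):
        kind = classify(ev)
        if kind:
            out[kind].append((ev["srcip"], ev["qname"], ev["action"]))
    return dict(out)

# Constructed sample lines modelled on the page's log examples (fields trimmed).
SAMPLE_LOGS = [
    '1: date=2019-04-05 time=11:06:48 logid="1501054600" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" srcip=10.1.100.18 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166',
    '2: date=2019-04-05 time=11:06:48 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" srcip=10.1.100.18 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A"',
    '3: date=2019-01-18 time=13:49:12 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" srcip=10.1.100.18 qname="www.example.com" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=196 catdesc="Ext-Resource-Type-as-Domain-3"',
    '4: date=2019-01-18 time=13:50:53 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" srcip=10.1.100.18 qname="www.example.com" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="Ext-Resource-Type-as-Address-1"',
    '5: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" srcip=10.1.100.18 qname="www.bing.com" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"',
]
```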

Additional information

For each search engine’s safe search specifications, see its specification page:
