Configuring Web Filter Profiles
Enabling FortiGuard Web Filter
FortiGuard Web Filter is enabled and configured within a web filter profile by enabling FortiGuard Categories. The service becomes active when a profile with FortiGuard Categories enabled is selected, with Web Filter turned on, in one or more active security policies on the firewall.
There is also a system-wide setting, available only in the CLI, that enables or disables FortiGuard Web Filter for the whole unit:

config system fortiguard
    set webfilter-force-off {enable | disable}
end

Note the inverted logic of the setting's name: because it is a "force-off" switch, you set it to disable to enable FortiGuard Web Filter and to enable to turn it off. If category filtering is configured in a profile and applied to a policy but no URLs are being rated, check this setting first.
General configuration steps
1. Go to Security Profiles > Web Filter.
2. Determine if you wish to create a new profile or edit an existing one.
3. Select an Inspection Mode.
4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.
5. Configure any Quotas needed. (Proxy Mode)
6. Allow blocked override if required.(Proxy Mode)
7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)
8. Configure Static URL Settings. (All Modes)
9. Configure Rating Options. (All Modes)
10. Configure Proxy Options.
11. Save the filter and web filter profile.
12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.
Configuring FortiGuard Web Filter settings
FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.
Getting to the Edit Web Filter Profile configuration window
Once you have reached the profile configuration window there are a number of settings that can be used, most of which are optional. To avoid redundancy, each of these sections of options is treated separately below, without duplicating the common instructions for reaching the profile editing page. Those instructions are here.
1. Go to Security Profiles > Web Filter.
2. Determine if you wish to create a new profile or edit an existing one.
a. New profile:
i. Select the Create New icon, in the upper right of the window (looks like a plus sign in a circle), or
ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text), then select the Create New icon in the upper left.
b. Edit existing profile:
i. Select the name of the profile that you wish to edit from the dropdown menu.
ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text), then select the name of the profile from the list.
3. Make sure there is a valid name, and comment if you want.
4. Configure the settings to best achieve your specific requirements
5. Select Apply or OK, depending on whether you are editing or creating a new profile.
In older versions of FortiOS the URL sent to FortiGuard for rating was limited to 2048 bytes. If the URL you were trying to reach was longer, the URL sent to FortiGuard was truncated and the service was unable to categorize the site. Starting in FortiOS 5 the parsed URL length was increased to 4 kilobytes, doubling the length of URL that can be categorized.
To configure the FortiGuard Web Filter categories
1. Go to the Edit Web Filter Profile window.
2. The category groups are listed in a widget. You can expand each category group to view and configure every subcategory individually within the group. If you change the setting of a category group, all categories within the group inherit the change.
3. Select the category groups and categories to which you want to apply an action.
To assign an action, left-click the category or category group and select the action from the pop-up menu.
4. Enable Enforce Quota to activate the quota for the selected categories and category groups.
5. Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.
6. Select Apply or OK.
Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.
If you look at your logs carefully, you may notice that not every URL connection in the log shows a category; some are left blank. If you take one of those URLs and enter it in the FortiGuard website designed to show the category for a URL, it will be categorized successfully.
The reason is that, to optimize throughput and reduce the load on the FortiGuard servers, the FortiGate does not request a category rating for scripts and CSS files. If you need those objects rated, the rate-javascript-urls and rate-css-urls settings under config ftgd-wf in the web filter profile turn the ratings on from the CLI.
Configuring FortiGuard Category Quotas
1. Go to the Edit Web Filter Profile window
2. Verify that the categories that need to have quotas on them are set to one of the actions:
- Monitor
- Warning
- Authenticate
3. Select the blue triangle expand symbol to show the Quotas widget.
4. Select Create New or Edit.
5. In the New/Edit Quota window that pops up enable or disable the specific categories that the quota will apply to.
6. At the bottom of the widget, select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.
7. Select Apply or OK.
8. Continue with any other configuration in the profile
9. Select Apply or OK.
Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.
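The CLI equivalent of the quota procedure above, as an added example that is not taken from the FortiOS documentation. The profile name, the category ID (37, assumed here to be Social Networking; confirm the ID list on your firmware) and the quota size are assumptions; the # lines are comments for the reader.

```fortios
# Added example, not FortiOS documentation. Profile name, category ID
# and quota size are assumptions; check the category ID list on your firmware.
config webfilter profile
    edit "Students"
        set inspection-mode proxy
        config ftgd-wf
            config filters
                # A quota only applies to a category whose action is monitor,
                # warning or authenticate; a blocked category never accrues time.
                edit 1
                    set category 37
                    set action monitor
                next
            end
            config quota
                edit 1
                    set category 37
                    set type time
                    set duration 30m
                next
            end
        end
    next
end
```

The quota is a daily allowance per user, so it only takes effect when the profile is applied to a policy that identifies users (a policy with set groups configured); on a policy without user identification there is no per-user state to count against.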
Configure Allowed Blocked Overrides
1. Go to the Edit Web Filter Profile window.
2. Enable Allow Blocked Override
3. In the Apply to Group(s) field select the desired User Group
4. In the Assign to Profile field, select the desired profile
Configure Search Engine Section
There are two primary configuration settings in this section.
Enable Safe Search
To enable the Safe Search settings
1. Go to the Edit Web Filter Profile window.
2. Enable Safe Search
3. Enable Search Engine Safe Search
4. Enable YouTube Filter
a. Enter the YouTube User ID in the Text field
Log All Search Keywords
In the GUI, the configuration setting is limited to a checkbox.
Configure Static URL Filter
Web Content Filter
To enable the web content filter and set the content block threshold
1. Go to the Edit Web Filter Profile window.
2. In the Static URL Filter section enable Web Content Filter.
3. Select Create New.
4. Select the Pattern Type.
5. Enter the content Pattern.
6. Select the Language from the dropdown menu.
7. Select Block or Exempt, as required, from the Action list.
8. Select Enable.
9. Select OK.
Configure Rating Options
Allow Websites When a Rating error Occurs
In the GUI, the configuration setting is limited to a checkbox.
Rate URLs by Domain and IP Address
In the GUI, the configuration setting is limited to a checkbox.
Block HTTP Redirects by Rating
In the GUI, the configuration setting is limited to a checkbox.
Rate Images by URL (Blocked images will be replaced with blanks)
In the GUI, the configuration setting is limited to a checkbox.
Configure Proxy Options
Restrict Google Account Usage to Specific Domains
Configuring the feature in the GUI
Go to Security Profiles > Web Filter.
In the Proxy Options section, check the box next to Restrict to Corporate Google Accounts Only. Use the Create New link within the widget to add the appropriate Google domains that will be allowed.
Configuring the feature in the CLI
To configure this option in the CLI, the URL filter entry must refer to a web-proxy profile that adds the header through the HTTP request header modification feature. The web-proxy-profile command is only visible when the action for the URL filter entry is set to either allow or monitor.
1. Configure the web-proxy profile that adds the header to the request:

config web-proxy profile
    edit "googleproxy"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "fortinet.com, Ladan.ca"
                set action add-to-request
            next
        end
    next
end
2. Reference the web-proxy profile from a URL filter entry whose action is allow or monitor, then attach the URL filter table to the web filter profile (config webfilter profile > config web > set urlfilter-table 1):

config webfilter urlfilter
    edit 1
        set name "<filter name>"
        config entries
            edit 1
                set url "*.google.com"
                set type wildcard
                set action {allow | monitor}
                set web-proxy-profile "googleproxy"
            next
        end
    next
end
In the CLI, you can also add, modify, and remove header fields in HTTP request when scanning web traffic in proxy-mode. If a header field exists when your FortiGate receives the request, its content will be modified based on the configurations in the URL filter.
Web Resume Download block
In the GUI, the configuration setting is limited to a checkbox.
Provide Details for Blocked HTTP 4xx and 5xx Errors
In the GUI, the configuration setting is limited to a checkbox.
HTTP POST Action
Remove Java Applet Filter
In the GUI, the configuration setting is limited to a checkbox.
Remove ActiveX Filter
In the GUI, the configuration setting is limited to a checkbox.
Remove Cookie Filter
In the GUI, the configuration setting is limited to a checkbox.
Web filtering example
Web filtering is particularly important for protecting school-aged children. There are legal issues associated with improper web filtering as well as a moral responsibility not to allow children to view inappropriate material. The key is to design a web filtering system in such a way that students and staff do not fall under the same web filter profile in the FortiGate configuration. This is important because the staff may need to access websites that are off-limits to the students.
School district
The background for this scenario is a school district with more than 2300 students and 500 faculty and staff in a preschool, three elementary schools, a middle school, a high school, and a continuing education center. Each elementary school has a computer lab and the high school has three computer labs with connections to the Internet. Such easy access to the Internet ensures that every student touches a computer every day.
With such a diverse group of Internet users, the previous filtering system did not allow the school district to set different Internet access levels. This meant that faculty and staff were unable to view websites that the school district had blocked for students. Another issue was the students' use of proxy sites to circumvent the previous web filtering system. A proxy server acts as a go-between for users seeking to view web pages from another server; if the proxy server itself has not been blocked by the school district, the students can reach the blocked website through it.
When determining what websites are appropriate for each school, the district examined a number of factors, such as community standards and different needs of each school based on the age of the students.
The district decided to configure the FortiGate web filtering options to block content of an inappropriate nature and to allow each individual school to modify the options to suit the age of the students. This way, each individual school was able to add or remove blocked sites almost immediately and have greater control over their students’ Internet usage.
In this simplified example of the scenario, the district wants to block any websites with the word example on them, as well as the website www.example.com. The first task is to create web content filter lists for the students and the teachers.
Create a Webfilter for the students
1. Go to Security Profiles > Web Filter.
2. Select the Create New icon.
3. Enter the name “Students” in the name field.
4. For the Inspection mode, select Proxy.
5. Enable FortiGuard Categories.
a. Set to block the following categories:
- Potentially Liable
- Adult/Mature Content
- Security Risk
URL Content
6. Check Enable Safe Search
a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex
b. Check YouTube Education Filter and enter the YouTube User ID
7. In the Static URL Filter section, check Enable URL Filter.
a. In the URL Filter widget, Select Create New.
i. In the URL field, enter *example*.*
ii. For the Type field, select Wildcard
iii. For the Action field, select Block
iv. For the Status field, check Enable
v. Select OK
Web Content Filter
8. In the Static URL Filter section, check Enable Web Content Filter.
a. In the Web Content Filter widget, select Create New.
b. Enter the name “Students” in the name field.
i. For the Pattern Type field, select
ii. In the Pattern field, enter “example”
iii. For the Language field, choose Western
iv. For the Action field, select “Block”
v. For the Status field, check Enable.
vi. Select OK
9. Check Rate URLs by Domain and IP Address
10. Check Block HTTP Redirects by Rating
11. Check Rate Images by URL (Blocked images will be replaced with blanks)
12. Select OK
Create a Webfilter for the Teachers
The teachers' web content list can include the same patterns as the students' list, differing only in the action. A teacher may occasionally need to view a page that is blocked for students, so the “example” pattern is set to Exempt rather than Block, while the FortiGuard categories, Safe Search settings and URL filter still block inappropriate material. The following profile shows how this could be set up for the teachers.
1. Go to Security Profiles > Web Filter.
2. Select the Create New icon.
3. Enter the name “Teachers” in the name field.
4. For the Inspection mode, select Proxy.
5. Enable FortiGuard Categories.
a. Set to block the following categories:
- Potentially Liable
- Adult/Mature Content
- Security Risk
URL Content
6. Check Enable Safe Search
a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex
b. Check YouTube Education Filter and enter the YouTube User ID
7. In the Static URL Filter section, check Enable URL Filter.
a. In the URL Filter widget, Select Create New.
i. In the URL field, enter *example*.*
ii. For the Type field, select Wildcard
iii. For the Action field, select Block
iv. For the Status field, check Enable
v. Select OK
Web Content Filter
8. In the Static URL Filter section, check Enable Web Content Filter.
a. In the Web Content Filter widget, select Create New.
b. Enter the name “Teachers” in the name field.
i. For the Pattern Type field, select
ii. In the Pattern field, enter “example”
iii. For the Language field, choose Western
iv. For the Action field, select “Exempt”
v. For the Status field, check Enable.
vi. Select OK
9. Check Rate URLs by Domain and IP Address
10. Check Block HTTP Redirects by Rating
11. Check Rate Images by URL (Blocked images will be replaced with blanks)
12. Select OK
To create a security policy for the students
1. Go to Policy & Objects > IPv4 Policy.
2. Select the policy being used to manage student traffic.
3. Enable Web Filter.
4. Select Students from the web filter drop-down list.
5. Select OK.
To create a security policy for Teachers
1. Go to Policy & Objects > IPv4 Policy.
2. Select the policy being used to manage teacher traffic.
3. Enable Web Filter.
4. Select Teachers from the web filter drop-down list.
5. Select OK.
6. Make sure that the student policy is placed before the teachers’ policy in the policy sequence, since policies are matched top-down.
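The whole school-district scenario, and with it the general configuration steps from the start of this section, expressed in the CLI as an added example (not code from the FortiOS documentation). The interface names (internal, wan1), the user group names (students, teachers), the policy IDs and the FortiGuard category IDs (59, 14 and 26, assumed to be Proxy Avoidance, Pornography and Malicious Websites) are assumptions; verify the IDs against your firmware's category list and add the remaining categories of the three groups. The # lines are comments for the reader.

```fortios
# Added example, not FortiOS documentation. Interface names, group names,
# policy IDs and category IDs (59, 14, 26) are assumptions; verify them.
config webfilter urlfilter
    edit 1
        set name "block-example-hosts"
        config entries
            edit 1
                set url "*example*.*"
                set type wildcard
                set action block
            next
        end
    next
end

# Same content pattern, blocked for students and exempted for teachers.
config webfilter content
    edit 1
        set name "students-content"
        config entries
            edit "example"
                set pattern-type wildcard
                set lang western
                set action block
            next
        end
    next
    edit 2
        set name "teachers-content"
        config entries
            edit "example"
                set pattern-type wildcard
                set lang western
                set action exempt
            next
        end
    next
end

config webfilter profile
    edit "Students"
        set inspection-mode proxy
        config ftgd-wf
            # rate-server-ip = Rate URLs by Domain and IP Address
            set options rate-server-ip
            set rate-image-urls enable
            config filters
                # Representative categories only (IDs assumed): 59 Proxy
                # Avoidance, 14 Pornography. Add the rest of each group.
                edit 1
                    set category 59
                    set action block
                next
                edit 2
                    set category 14
                    set action block
                next
            end
        end
        config web
            set safe-search url header
            set urlfilter-table 1
            set bword-table 1
            set bword-threshold 10
        end
    next
end

# Teachers differ only in which content table they use.
config webfilter profile
    clone "Students" to "Teachers"
    edit "Teachers"
        config web
            set bword-table 2
        end
    next
end

# Identity-based policies; the student policy stays above the teachers' one.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "students"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Students"
    next
    clone 10 to 11
    edit 11
        set groups "teachers"
        set webfilter-profile "Teachers"
    next
    move 11 after 10
end
```

Two design points are worth noting. The profiles are split by user group rather than by source address, so a teacher logging in from a lab machine still gets the teachers' profile; and the content-filter exemption for teachers lives in a separate table instead of a second pattern list, so any pattern added to the students' table only needs one more line to carry over. The move at the end is what enforces the ordering requirement from step 6 above.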