Advanced web filter configurations
Allow websites when a rating error occurs
Enable to allow access to web pages that return a rating error from the FortiGuard Web Filter service.
If your FortiGate unit cannot contact the FortiGuard service temporarily, this setting determines what access the FortiGate unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.
Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly with this filter enabled.
Block HTTP redirects by rating
Enable to block HTTP redirects.
Many web sites use HTTP redirects legitimately but in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.
This option is not supported for HTTPS.
Block Invalid URLs
Select to block web sites when their SSL certificate CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
- If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
- If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
Enabling the Web Filter profile to block a particular category and enabling the Applic- ation Control profile will not result in blocking the URL. This occurs because Proxy and Flow based profiles cannot operate together.
To ensure replacement messages show up for blocked URLs, switch the Web Filter to Flow based inspection.
Enable to filter cookies from web traffic. Web sites using cookies may not function properly with this enabled.
Provide Details for Blocked HTTP 4xx and 5xx Errors
Enable to have the FortiGate unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.
HTTP POST action
Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.
The available actions include:
Use client comforting to slowly send data to the web server as the FortiGate unit scans the file. Use this option to prevent a server time-out when scanning or other filtering is enabled for outgoing traffic.
The client comforting settings used are those defined in the Proxy Options profile selected in the security policy.
Block the HTTP POST command. This will limit users from sending information and files to web sites.
When the post request is blocked, the FortiGate unit sends the http-post-block replacement message to the web browser attempting to use the command.
Java applet filter
Enable to filter java applets from web traffic. Web sites using java applets may not function properly with this filter enabled.
Rate Images by URL
Enable to have the FortiGate retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.
Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.
Rate URLs by Domain and IP Address
Enable to have the FortiGate unit request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.
If the rating determined by the domain name and the rating determined by the IP address defer the Action that is enforce will be determined by a weighting assigned to the different categories. The higher weighted category will take precedence in determining the action. This will have the side effect that sometimes the Action will be determined by the classification based on the domain name and other times it will be determined by the classification that is based on the IP address.
FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed.
An example of how this would work would be if a URL’s rating based on the domain name indicated that it belonged in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight the effective action is Block.
Web resume download block
Enable to prevent the resumption of a file download where it was previously interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off.
This prevents the unintentional download of viruses hidden in fragmented files.
Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager.
Restrict Google account usage to specific domains
This feature allow the blocking of access to some Google accounts and services while allowing access to accounts that are included in the domains specified in the exception list.
Block non-English character URLs
The FortiGate will not successfully block non-English character URLs if they are added to the URL filter. In order to block access to URLs with non-English characters, the characters must be translated into their international characters.
Browse to the non-English character URL (for example, http://www.fortinet.com/pages/ท น -ไ ม ม เ ศ ษ ร ฐป ร ะ ห า ร ใ ห ใ ค ร แ ด ก /338419686287505?ref=stream).
On the FortiGate, use the URL shown in the FortiGate GUI and add it the list of blocked URLs in your URL filter (for example, http://www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0
%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream). Once added, further browsing to the URL will result in a blocked page.
config webfilter urlfilter edit 1
set name “block_international_character_urls” config entries
3200%B9%E0%B8%E0%B8%81/338419686287505?ref=stream” set action block
config webfilter urlfilter edit 2
set name “block_international_character_urls” next
config webfilter profile
edit “block_international_character_urls” next
config firewall policy edit 3
set uuid cf80d386-7bcf-51e5-6e87-db207e3f0fa8 set srcintf “port1”
set dstintf “port2” set srcaddr “all” set dstaddr “all” set action accept
set schedule “always” set service “ALL”
set utm-status enable set logtraffic all
set webfilter-profile “block_international_character_urls” set profile-protocol-options “default”
set ssl-ssh-profile “certificate-inspection” set nat enable
WebSense web filtering through WISP
WISP is a Websense protocol that is similar in functionality to ICAP, it allows for URLs to be extracted by a firewall and submitted to WebSense systems for rating and approval checking.
This feature provides a solution for customers who have large, existing, deployed implementations of Websense security products to replace their legacy firewalls with a Fortigate family, such that they are not forced to make a change to their web filtering infrastructure at the same time.
In order to use WebSense’s web filtering service, a WISP server per VDOM needs to be defined and enabled first. A Web filtering profile is then defined that enables WISP, which in turn is applied to a firewall policy.
When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.
config web-proxy wisp set status enable
set server-ip 126.96.36.199 set max-connection 128
config webfilter profile edit “wisp_only”
set wisp enable next
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!