Enabling FortiGuard Web Filter

FortiGuard Web Filter is enabled and configured within web filter profiles by enabling FortiGuard Categories. The service is engaged by turning on the Web Filter profile and selecting a profile that has FortiGuard Categories enabled on one or more active policies being run by the firewall.

There is also a system wide setting for the enabling or disabling of FortiGuard Web Filter that is only in the CLI.

config system fortiguard set webfilter-force-off

The two options on this setting are enable or disable. The syntax of the settings name is “force-off” so in order to enable FortiGuard Webfilter you have to choose disable for the setting and enable if you want to turn it off.

General configuration steps

1. Go to Security Profiles > Web Filter > Profile.
2. Select the Edit icon of the web filter profile in which you want to enable FortiGuard Web Filter, or select Create New to add a new web filter profile.
3. Select an Inspection Mode.
4. If you are using FortiGuard Categories, enable the feature, select the categories and select the action to be performed.
5. The categories allow you to block or allow access to general or more specific web site categories. Configure access as required.
6. Save the filter and web filter profile.
7. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

Configuring FortiGuard Web Filter settings

FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.

To configure FortiGuard Web Filter settings

1. Go to Security Profiles > Web Filter > Profile.
2. Select the web filter profile in which you want to enable FortiGuard Web Filter from the drop down list in the Edit Web Filter Profile window title bar, or select Create New to add a new web filter profile.
3. The category groups are listed in a table. You can expand each category group to view and configure every category within the groups. If you change the setting of a category group, all categories within the group inherit the change.
4. Select the category groups and categories to which you want to apply an action.

 

5. Select an action from the Change Action for Selected Categories drop-down list immediately below the category table. Five actions are available:

• Allow permits access to the sites within the category.
• Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
• Warning presents the user with a message, allowing them to continue if they choose.
• Authenticate requires a user authenticate with the FortiGate unit before being allowed access to the category or category group.
• Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.

6. Select OK.

In older versions of FortiOS there was a character limitation for the URL of 2048 bytes or approximately 321 characters. If the URL you were trying to reach was longer the URL sent to FortiGuard would be truncated and the service would be unable to categorize the site. Starting in version 5 of the firmware the parsed URL has been increase to 4Kilobytes, effectively doubling the length of a URL capable of being categorized.

To configure the FortiGuard Web Filter categories

1. Go to Security Profiles > Web Filter > Profiles.
2. Select the web filter profile in which you want to enable FortiGuard Web Filter from the drop down list in the Edit Web Filter Profile window title bar, or select Create New to add a new web filter profile.
3. Select Create New.
4. Select a Filter Type of Category.
5. Select the required category groups. You may also expand the category groups to select individual categories.
6. Select the Monitor
7. Enable Enforce Quota to activate the quota for the selected categories and category groups.
8. Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.
9. Select OK.

10.Select Apply.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

If you look at your logs carefully, you may notice that not every URL connection in the log shows a category. They are left blank. If you take one of those URL and enter it in the FortiGuard website designed to show the category for a URL it will successfully categorize it.

The reason for this is that to optimize speed throughput and reduce the load on the FortiGuard servers the FortiGate does not determine a category rating on scripts and css files.

Configuring FortiGuard Web Filter usage quotas

In addition to using category and classification blocks and overrides to limit user access to

URLs, you can set a daily timed access quota by category, category group, or classification.

Quotas allow access for a specified length of time, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.

When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked and FortiGate unit adjusts the user’s remaining available quota for the category or classification.

1. Select the Monitor
2. Enable Enforce Quota to activate the quota for the selected categories and category groups.
3. Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.
4. Select OK.
5. Select Apply.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas are:

1. Category
2. Category group

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!