Web filter – Fortinet FortiGate


SafeSearch is a feature of popular search sites that prevents explicit web sites and images from appearing in search results. Although SafeSearch is a useful tool, especially in educational environments, the resourceful user may be able to simply turn it off. Enabling SafeSearch for the supported search sites enforces its use by rewriting the search URL to include the code to indicate the use of the SafeSearch feature. For example, on a Google search it would mean adding the string “&safe=active” to the URL in the search.

The search sites supported are:

  • Google
  • Yahoo
  • Bing
  • Yandex

Enabling SafeSearch — CLI config webfilter profile edit default config web set safe-search url



This enforces the use of SafeSearch in traffic controlled by the firewall policies using the web filter you configure.

YouTube Education Filter

YouTube for Schools is a way to access educational videos from inside a school network. This

YouTube feature gives schools the ability to access a broad set of educational videos on YouTube EDU and to select the specific videos that are accessible from within the school network.

Before this feature can be used an account has to be set up for the school with YouTube. Once the account is set up a unique ID will be provided. This ID becomes part of the filter that is used to all access to the educational content of YouTube for use in schools even if YouTube is blocked by the policy.

More details can be found by going to http://www.youtube.com/schools.

Enabling YouTube Education Filter in CLI

config webfilter profile edit default config web set safe-search url header set youtube-edu-filter-id ABCD1234567890abcdef end end

Deep Scanning Restrictions

This section doesn’t have a label such as “Deep Scanning Restrictions” but there are 2 settings in the profile that relate to the topic. In the profile, they appear as:

  • Enable HTTPS URL Scan Only
  • Categories Exempt from Deep Scanning

Enable HTTPS URL Scan Only

When Deep Scanning is turned on traffic that is encrypted using SSL is scanned for issues just as unencrypted traffic is. However, scanning encrypted traffic puts a larger load on the resources of the FortiGate unit.

Even if the scanning of the contents of the traffic is not a requirement many administrator prefer to scan the URLs being sent over HTTPS so that users cannot bypass the blocking of access to a site by putting “https://” as a prefix to a URL. The setting restricts the deep scanning of the traffic to the URL destination which is in the header. This way the resources tied up in decrypting the traffic a are minimized, yet the administrator can still enforce policy regarding access to prohibited websites

Categories Exempt from Deep Scanning

For the purposes of personal privacy, there are 3 categories that can be exempted from deep scanning by the FortiGate unit. They are Banking, Health Care and Personal Privacy.

When HTTPS URL Scan Only is enabled you will notice that the option to exclude these categories from deep scanning is removed. This is because if only the URL is being scanned then the contents of the traffic is not being scanned anyway so there is no need to exclude it.

Web Site Filter

You can allow or block access to specific URLs by adding them to the Web Site Filter list. You add the URLs by using patterns containing text and regular expressions. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.

When adding a URL to the URL filter list, follow these rules:

  • Type a top-level URL or IP address to control access to all pages on a web site. For example, example.com or controls access to all pages at this web site.
  • Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For example, example.com/news.html or controls access to the news page on this web site.

  • To control access to all pages with a URL that ends with example.com, add com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
  • Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For example, * matches example.com, example.org, example.net and so on.

URLs with an action set to exempt or monitor are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it so the FortiGate unit does not virus scan files downloaded from this URL.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU