Category Archives: FortiGate

Botnet C&C domain blocking

Botnet C&C domain blocking

FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

To configure botnet C&C domain blocking in the GUI:

Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
Enable Redirect botnet C&C requests to Block Portal.
Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then from your internal network PC, use a command line tool such as dig or nslookup to send a DNS query to traverse the FortiGate to see the query blocked as a botnet domain. For example:

#dig canind.co

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997

;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co. IN ;; ANSWER SECTION:	A
canind.co. 60 IN blocked, redirect with portal-IP. ;; Received 43 B ;; Time 2019-04-05 09:55:21 PDT	A	208.91.112.55 <<<==== botnet domain query
;; From 172.16.95.16@53(UDP) in 0.3 ms		208.91.112.55 <<<==== botnet domain query

To check the DNS filter log in the GUI:

Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS filter log in the CLI:

FGT600D (vdom1) # exe log filter category utm-dns

FGT600D (vdom1) # exe log display 2 logs found.

2 logs returned.

1: date=2019-04-04 time=16:43:59 logid=”1501054601″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24339 qname=”canind.co” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked by dns botnet C&C” action=”redirect” botnetdomain=”canind.co”

2: date=2019-04-04 time=16:43:59 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24339 qname=”canind.co” qtype=”A” qtypeval=1 qclass=”IN”

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGuard category-based DNS domain filtering

Leave a reply

FortiGuard category-based DNS domain filtering

You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard’s continually updated domain rating database for more reliable protection.

To configure FortiGuard category-based DNS Domain Filter by GUI:

Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
Enable FortiGuard Category Based Filter.
Select the category and then select Allow, Monitor, or Block for that category.
If you select Block, there are two options:

Redirect Portal IP. If the DNS query domain will be blocked, FortiGate will use portal IP to replace the resolved IP in DNS response packet. You can use the default portal IP 208.91.112.55 or click Specify to enter another portal IP.
Block. Blocked DNS query has no response return and the DNS query client will time out.

To configure FortiGuard category-based DNS Domain Filter by CLI:

config dnsfilter profile

edit “demo”

set comment ”

config domain-filter

unset domain-filter-table

end

config ftgd-dns

set options error-allow

config filters <<<==== FortiGuard Category Based Filter edit 2 set category 2 set action monitor

next edit 7 set category 7 set action monitor next

…

edit 22 set category 0 set action monitor

end

set log-all-domain enable

set sdns-ftgd-err-log enable

set sdns-domain-log enable

set block-action redirect/block <<<==== You can specify Block or Redirect

set block-botnet enable

set safe-search enable

set redirect-portal 93.184.216.34 <<<==== Specify Redirect portal-IP.

set redirect-portal6 ::

set youtube-restrict strict

next end

Sample

To see an example of how this works, from your internal network PC, use a command line tool such as dig or nslookup to do DNS query for some domains, for example:

#dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252

;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11

;; QUESTION SECTION:
;; www.example.com. ;; ANSWER SECTION:		IN	A
www.example.com. ;; AUTHORITY SECTION:	17164	IN	A	93.184.216.34
com.	20027	IN	NS	h.gtld-servers.net.
com.	20027	IN	NS	i.gtld-servers.net.
com.	20027	IN	NS	f.gtld-servers.net.
com.	20027	IN	NS	d.gtld-servers.net.
com.	20027	IN	NS	j.gtld-servers.net.
com.	20027	IN	NS	l.gtld-servers.net.
com.	20027	IN	NS	e.gtld-servers.net.
com.	20027	IN	NS	a.gtld-servers.net.
com.	20027	IN	NS	k.gtld-servers.net.
com.	20027	IN	NS	g.gtld-servers.net.
com.	20027	IN	NS	m.gtld-servers.net.
com.	20027	IN	NS	c.gtld-servers.net.
com. ;; ADDITIONAL SECTION:	20027	IN	NS	b.gtld-servers.net.
a.gtld-servers.net.	21999	IN	A	192.5.6.30
a.gtld-servers.net.	21999	IN	AAAA	2001:503:a83e::2:30
b.gtld-servers.net.	21997	IN	A	192.33.14.30
b.gtld-servers.net.	21997	IN	AAAA	2001:503:231d::2:30
c.gtld-servers.net.	21987	IN	A	192.26.92.30
c.gtld-servers.net.	20929	IN	AAAA	2001:503:83eb::30
d.gtld-servers.net.	3340	IN	A	192.31.80.30
d.gtld-servers.net.	3340	IN	AAAA	2001:500:856e::30
e.gtld-servers.net.	19334	IN	A	192.12.94.30
e.gtld-servers.net.	19334	IN	AAAA	2001:502:1ca1::30
f.gtld-servers.net. ;; Received 509 B	3340	IN	A	192.35.51.30
;; Time 2019-04-05 09:39:33 PDT			A
;; From 172.16.95.16@53(UDP) in 3.8 ms

To check the DNS filter log in the GUI:

Go to Log & Report > DNS Query to view the DNS traffic that just traverse the FortiGate and the FortiGuard rating for this domain name.

To check the DNS log in the CLI:

#execute log filter category utm-dns

# execute log display 2 logs found.

2 logs returned.

1: date=2019-04-05 time=09:39:34 logid=”1501054802″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=17647 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msg=”Domain is monitored” action=”pass” cat=52 catdesc=”Information Technology”

2: date=2019-04-05 time=09:39:34 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=17647 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

How to configure and apply DNS filter profile

Leave a reply

How to configure and apply DNS filter profile

To create or configure DNS Filter profile in the GUI:

Go to Security Profiles > DNS Filter.
You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a

new DNS filter.

To create or configure DNS Filter profile in the CLI:

config dnsfilter profile edit “demo”

set comment ” config domain-filter

unset domain-filter-table

end config ftgd-dns set options error-allow config filters

edit 2

set category 2 set action monitor

next edit 7

set category 7 set action block

next …

edit 22

set category 0 set action monitor

next end

end set log-all-domain enable set sdns-ftgd-err-log enable set sdns-domain-log enable set block-action redirect set block-botnet enable set safe-search enable set redirect-portal 93.184.216.34 set redirect-portal6 ::

set youtube-restrict strict

end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:

Go to Policy & Objects IPv4 Policy or IPv6 Policy.
In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:

config firewall policy edit 1 set name “Demo” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all”

set action accept set schedule “always” set service “ALL” set utm-status enable set inspection-mode proxy set logtraffic all set fsso disable set dnsfilter-profile “demo” <<<==== set profile-protocol-options “default” set ssl-ssh-profile “deep-inspection”

set nat enable

end

Introduction to DNS Filter

1 Reply

Introduction to DNS Filter

Most people who use the Internet use domain names. For example, people who access the Fortinet website type www.fortinet.com into their web browser. However, on the Internet, all websites, computers, or devices actually use IP addresses to locate the destination.

Internet uses DNS (Domain Name System) to translate domain names into IP addresses. For example, when you type www.fortinet.com into your web browser, DNS maps this domain name to Fortinet’s IP address to locate the Fortinet website on the Internet.

If you cannot see DNS Filter under Security Profiles, go to System > Feature Visibility > Security Features section and enable DNS Filter.

DNS primarily uses the UDP protocol on port 53 to serve the address resolve requests.

The FortiGate DNS Filter inspects the UDP protocol on port 53 traffic that traverse FortiGate, and based on the DNS Filter profile configuration, makes the Allow/Monitor/Block or Redirect decision for the inspected traffic.

FortiGate DNS Filter has the following features:

FortiGuard Filtering: filtering the DNS request based on the domain’s FortiGuard rating. l Botnet C&C Domain Blocking: block the DNS request for the known Botnet C&C domains.
External Dynamic Category Domain Filtering: define your own domain category. l DNS Safe Search: Enforce Google, Bing, and YouTube safe addresses for parental controls. l Local Domain Filter: define your own domain list to block or allow.
External IP Block List: define your IP block list to block resolved IPs that match this list. l DNS Translation: map the resolved result to another IP you define.

Sample topology

The topics in this section use the following sample topology to explain how these DNS Filter features work and how to configure it. In this sample topology, there is an internal network and a FortiGate used as a gateway device, with all DNS traffic traversing the FortiGate.

WTF Fortinet? Static Route Limit Complaints

2 Replies

Color me confused as to why the 200E has a 500 static route limit!

Reliable webfilter statistics

Leave a reply

Reliable webfilter statistics

Introduction

FortiOS 6.2.0 provides command line tools to view the webfilter statistics report. These command line tools currently fall into either proxy-based or flow-based webfilter statistics commands.

Proxy-based webfilter statistics report

l The proxy-based webfilter statistics command line tools are as follows. These commands are available in both global or per-VDOM command lines.

#diagnose wad filter <—-define the interested objects for output (global) # diag wad ? console-log Send WAD log messages to the console. debug Debug setting. stats Show statistics.

filter Filter for listing sessions or tunnels. <—-use filter to filter-out interested object and output kxp SSL KXP diagnostics. user User diagnostics. memory WAD memory diagnostics.

restore Restore configuration defaults. history Statistics history. session Session diagnostics. tunnel Tunnel diagnostics. webcache Web cache statistics. worker Worker diagnostics. csvc Cache service diagnostics.

#diagnose wad stat filter list/clear <—-list/clear WebFiltering/DLP statistics report l In the example below, there are two VDOMs using proxy-based policies which have webfilter profiles enabled. The command line can be used to view the proxy-based webfilter statistics report.

(global) # diag wad filter ? list Display current filter. clear Erase current filter settings. src Source address range to filter by. dst Destination address range to filter by.

sport Source port range to filter by. dport Destination port range to filter by. vd Virtual Domain Name. <—-filter for per-vdom or global statistics report explicit-policy Index of explicit-policy. -1 matches all. firewall-policy Index of firewall-policy. -1 matches all. drop-unknown-session Enable drop message unknown sessions. negate Negate the specified filter parameter. protocol Select protocols to filter by.

FGT_600D-ICAP-NAT (global) # diag wad filter vd <vdom> Virtual Domain Name. ALL all vdoms root vdom vdom1 vdom

FGT_600D-ICAP-NAT (global) # diag wad filter vd root <—-filter-out root vdom statistics

Drop_unknown_session is enabled.

FGT_600D-ICAP-NAT (global) # diag wad stats filter list filtering of vdom root <—-Displayed the WF statistics for root vdom

dlp = 0 <—-Number of Reuqest that DLP Sensor processed;

content-type = 0 <—-Number of Reuqest that matching content-type filter;

urls:
examined = 6 examined;	<—-Number of Request that Proxy Web-Filter(all wad daemons)
allowed = 3	<—-Number of Request that be allowed in the examined requests;
blocked = 0	<—-Number of Request that be blocked in the examined requests;
logged = 0	<—-Number of Request that be logged in the examined requests;

overridden = 0 <—-Number of Request that be overrided to another webfilter

profile in the examined requests;

FGT_600D-ICAP-NAT (global) # diag wad filter vd vdom1 <—-filter-out vdom1 statistics

FGT_600D-ICAP-NAT (global) # diag wad stats filter list filtering of vdom vdom1 <—-Displayed the WF statistics for vdom1 dlp = 0 content-type = 0 urls:

examined = 13 allowed = 2 blocked = 9 logged = 8 overridden = 0 FGT_600D-ICAP-NAT (global) # diag wad filter vd ALL

FGT_600D-ICAP-NAT (global) # diag wad stats filter list

filtering of all accessible vdoms <—-global statistics is sum of two VDOMs dlp = 0 content-type = 0 urls:

examined = 19 allowed = 5 blocked = 9 logged = 8 overridden = 0

Flow-based webfilter statistics report

The flow-based webfilter statistics command line tools are as follows. These commands are available in global command lines only.

(global) # diag test app ipsmonitor IPS Engine Test Usage:

1: Display IPS engine information

2: Toggle IPS engine enable/disable status

3: Display restart log

4: Clear restart log

5: Toggle bypass status

6: Submit attack characteristics now

10: IPS queue length

11: Clear IPS queue length

12: IPS L7 socket statistics

13: IPS session list

14: IPS NTurbo statistics

15: IPSA statistics

18: Display session info cache

19: Clear session info cache

21: Reload FSA malicious URL database

22: Reload whitelist URL database

24: Display Flow AV statistics

25: Reset Flow AV statistics

27: Display Flow urlfilter statistics

28: Reset Flow urlfilter statistics

29: Display global Flow urlfilter statistics Statistics

<—-List the Flow Web Filtering

30: Reset global Flow urlfilter statistics

Statistics

96: Toggle IPS engines watchdog timer

97: Start all IPS engines

98: Stop all IPS engines

99: Restart all IPS engines and monitor

<—-Reset the Flow Web Filtering

In the example below, there are two VDOMs using flow-based policies which have webfilter profiles enabled. The command line can be used to view the flow-based webfilter statistics report.

(global) # diag test app ipsmonitor 29 Global URLF states: request: 14 <—-Number of Requests that Flow Web-Filter(all ips engines) received; response: 14 <—-Number of Response that Flow Web-Filter(all ips engines) sent; pending: 0 <—-Number of Requests that under processing at that moment; request error: 0 <—-Number of Request that have error; response timeout: 0 <—-Number of response that ips engine not been received in-

time;

blocked: 12 <—-Number of Request that Flow Web-Filter blocked; allowed: 2 <—-Number of Request that Flow Web-Filter allowed;

File filter for webfilter

Leave a reply

File filter for webfilter

Introduction

File Filter is a new feature introduced in FortiOS 6.2, and provides the Web filter profile with the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak Prevention) Sensor.

In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web filter profile, and SMTP, POP3, IMAP file-filtering is configurable in Email filter profile. Currently, File Filtering in Web filter profile is based on file type (file’s meta data) only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or regexp.

FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter File Filtering will only work on proxy mode policies.

File Types Supported

File Filter in Web filter profile supports the following file types:

File Type Name	Description
all	Match any file
7z	Match 7-zip files
arj	Match arj compressed files
cab	Match Windows cab files
lzh	Match lzh compressed files
rar	Match rar archives
tar	Match tar files
zip	Match zip files
bzip	Match bzip files
gzip	Match gzip files
bzip2	Match bzip2 files
xz	Match xz files
bat	Match Windows batch files
msc	Match msc files
uue	Match uue files
mime	Match mime files
base64	Match base64 files
binhex	Match binhex files

File Type Name	Description
bin	Match bin files
elf	Match elf files
exe	Match Windows executable files
hta	Match hta files
html	Match html files
jad	Match jad files
class	Match class files
cod	Match cod files
javascript	Match javascript files
msoffice	Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex	Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg	Match fsg files
upx	Match upx files
petite	Match petite files
aspack	Match aspack files
prc	Match prc files
sis	Match sis files
hlp	Match Windows help files
activemime	Match activemime files
jpeg	Match jpeg files
gif	Match gif files
tiff	Match tiff files
png	Match png files
bmp	Match bmp files
ignored	Match ignored files
unknown	Match unknown files
mpeg	Match mpeg files
mov	Match mov files
mp3	Match mp3 files
wma	Match wma files
File Type Name	Description
wav	Match wav files
pdf	Match pdf files
avi	Match avi files
rm	Match rm files
torrent	Match torrent files
msi	Match Windows Installer msi bzip files
mach-o	Match Mach object files
dmg	Match Apple disk image files
.net	Match .NET files
xar	Match xar archive files
chm	Match Windows compiled HTML help files
iso	Match ISO archive files
crx	Match Chrome extension files

Configure File Filter from CLI

Using CLI, configuration for File Filtering is nested inside Web filter profile’s configuration.

In File filtering configuration, file filtering functionality and logging is independent of the Web filter profile.

To block or log a file type, configure file filter entries. Within each entry, specify a file-type, action (log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will take precedence over log.

In the CLI example below, we want to file filter the following using Web filter profile:

Block PDFs from entering our leaving our network (filter1).
Log the download of some graphics file-types via HTTP (filter2).
Block EXE files from leaving to our network via FTP (filter3).

config webfilter profile edit “webfilter-file-filter” config file-filter
set status enable filtering	<– Allow user to disable/enable file
set log enable file filtering	<– Allow user to disable/enable logging for
set scan-archive-contents enable such as ZIP, RAR etc. config entries edit “filter1”	<– Allow scanning of files inside archives
set comment “Block PDF files” set protocol http ftp <– Inspect HTTP and FTP traffic set action block <– Block file once file type is matched

set direction any <– Inspect both incoming and outgoing traffic set encryption any <– Inspect both encrypted and un-encrypted

files set file-type “pdf” <– Choosing the file type to match next edit “filter2” set comment “Log graphics files”

set protocol http <– Inspect only HTTP traffic set action log <– Log file once file type is matched set direction incoming <– Only inspect incoming traffic set encryption any

set file-type “jpeg” “png” “gif” <– Multiple file types can be configured

in a single entry

next edit “filter3” set comment “Block upload of EXE files”

set protocol ftp <– Inspect only FTP traffic set action log

set direction outgoing <– Inspect only outgoing traffic set encryption any set file-type “exe”

end

After configuring File Filter in Webfilter profile we must apply it to a firewall policy using the following command:

config firewall policy edit 1 set name “client-to-internet” set srcintf “dmz” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set utm-inspection-mode proxy set logtraffic all set webfilter profile “webfilter-filefilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Log Example

GUI > VDOM > Log & Report > Web Filter:

External resources for webfilter

Leave a reply

External resources for webfilter

Introduction

External Resources is a new feature introduced in FortiOS 6.0, which provides a capability to import an external blacklist which sits on an HTTP server. This feature helps FortiGate retrieve a dynamic URL/Domain Name/IP Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as web filter’s remote categories, DNS filter’s remote categories, policy address objects or AntiVirus profile’s malware definitions. If the external resource is updated, FortiGate objects will update dynamically.

External Resource are categorized into 4 types:

URL list (Type=category) l Domain Name List (Type=domain) l IP Address list (Type=address) l Malware hash list (Type=malware)

For Web Filter profile, it can use category type external resources. Category type external resources file is a URL entries list in a plain text file.

When a category type external resource is configured in Web Filter profile, it will be treated as a Remote Category. If the URL in a HTTP/HTTPS request matches the entry inside this external resource file, it will be treated as the Remote Category and follow the action configured for this category in Web Filter profile.

External resource type category also can be used in ssl-ssh-profile configuration for category-based SSL-Exempt. When a Remote Category is configured in ssl-ssh-profile SSL-Exempt, if a HTTPS request’s URL matches in the Remote Category’s entry list, HTTPS request with destination for this URL can be exempted from SSL Deep Inspection. External Resources File Format

External Resources File should follow the following requirements:

The external resource file is a plain text format file and each URL list/IP Address/Domain Name occupies a single line. l The file is limited to 10M, line is limited 128K (128 x 1024 entries), and the line length limit is 4K characters. l The entries limited also follow table size limitation defined by CMDB per model. l The external resource update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
The external resource type as category (URL list) and domain (Domain Name list) share the category number range 192-221 (total 30 categories). l There’s no duplicated entry validation for external resources file (entry inside each file or inside different files).

For URL list (Type=category):

Scheme is optional, and will be truncated if found (http://, https:// is not needed).

Wildcard (*) is supported (from 6.2). It supports the ‘*’ at beginning and ending of URL, and not in the middle of URL as follows:

+ support *.domain2.com, domain.com.* + not support: domain3.*.com IDN (International Domain Name) and UTF encoding URL is supported (from 6.2).

IPv4,IPv6 format URL is supported. IPv6 in URL list must in [ ] form.

Configure External Resources from CLI

We can use CLI to configure the external resources files that is located on external HTTP Server. Under Global, configure the external resource file location and specify the resource type.

Web Filter will use category type external resources as Remote Categories. In the following example, it is configured a file Ext-Resource-Type-as-Category-1.txt as type as category, it will be treated in Web Filter as Remote Category, the category name configured as Ext-Resource-Type-as-Category-1 and category-id as 192:

config system external-resource edit “Ext-Resource-Type-as-Category-1”

set type category <—-

set category 192 <—-

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Category-

1.txt” set refresh-rate 1

end

Now in each VDOM, category type external resource can be used in Web Filter as Remote Cateogry. In the example above, URL list in “Ext-Resource-Type-as-Category-1.txt” file will be treated as remote category (category-id 192). Configure the action for this remote category in Web Filter profile and apply it in the policy:

config webfilter profile edit “webfilter” config ftgd-wf unset options config filters edit 1 set category 2 set action warning

next ……

edit 24 set category 192 <—set action block

next edit 25 set category 221 set action warning

next edit 26 set category 193

end

set log-all-url enable

end

config firewall policy edit 1 set name “WebFilter” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set logtraffic all set webfilter-profile “webfilter” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

next end

Configure External Resources from GUI

Configure, edit or view the Entries for external resources from GUI.

GUI > Global > Fabric Connectors page:
GUI > Global > Fabric Connectors page > Create New. Click Create New button, and select Threat Feeds Type FortiGuard
GUI > Global > Fabric Connectors page. Enter the Resource Name, URL Location of the resource file, resource authentication credential, Refresh Rate or comment, and click OK to finish the Threat Feeds configuration.
GUI > Global > Fabric Connectors page. After a few minutes, double-click the Threat Feeds Object you just configured. It is shown in the Edit Click View Entries to view the entry list in the external resources file:
GUI > VDOM > Web Filter Profile page. The configured external resources is shown and configured in each Web

Filter Profile:

Log Example

If a HTTP/HTTPS request URL matched in Remote Category’s entry list, it will override its original FGD URL rating and it is treated as Remote Category.

GUI > VDOM > Log & Report > Web Filter:

CLI Example:

1: date=2019-01-18 time=15:49:15 logid=”0316013056″ type=”utm” subtype=”webfilter” eventtype=”ftgd_blk” level=”warning” vd=”vdom1″ eventtime=1547855353 policyid=1 sessionid=88922 srcip=10.1.100.18 srcport=39886 srcintf=”port10″ srcintfrole=”undefined” dstip=216.58.193.67 dstport=443 dstintf=”port9″ dstintfrole=”undefined” proto=6 service=”HTTPS” hostname=”www.fortinet.com” profile=”webfilter” action=”blocked” reqtype=”direct” url=”/” sentbyte=752 rcvdbyte=10098 direction=”outgoing” msg=”URL belongs to a denied category in policy” method=”domain” cat=192 catdesc=”Ext-Resource-Type-as-Category-1″

Remote Category in ssl-ssh-profile category-based SSL-Exempt

Remote Category can be applied in ssl-ssh-profile category-based SSL-Exempt.

GUI > VDOM > Security Profiles > SSL/SSH Inspection:

HTTPS Request URL matched in this Remote Category will be exempted from SSL Deep Inspection.

Log example:

3: date=2019-01-18 time=16:06:21 logid=”0345012688″ type=”utm” subtype=”webfilter” eventtype=”ssl-exempt” level=”information” vd=”vdom1″ eventtime=1547856379 policyid=1 sessionid=90080 srcip=10.1.100.18 srcport=39942 srcintf=”port10″ srcintfrole=”undefined” dstip=216.58.193.67 dstport=443 dstintf=”port9″ dstintfrole=”undefined” proto=6 service=”HTTPS” hostname=”www.fortinet.com” profile=”webfilter” action=”passthrough” reqtype=”direct” url=”/” sentbyte=517 rcvdbyte=0 direction=”outgoing” msg=”The SSL session was exempted.” method=”domain” cat=192 catdesc=”Ext-Resource-Type-as-Category-1″ urlsource=”exempt_type_user_cat”

Local Category and Remote Category Priority

Web Filter can have both local category and remote category at the same time. There’s no duplication check between local category URL override and remote category resource file. For example, a URL like www.example.com may be shown both in remote category entry list and in FortiGate’s local category URL override configuration. We recommend avoiding this scenario since FortiGate does not check for duplicates. However, if a URL is duplicated in both local category and remote category, it is rated as local category.