
Configuring Web Filter Profiles

 

Enabling FortiGuard Web Filter

FortiGuard Web Filter is enabled and configured within web filter profiles by enabling FortiGuard Categories. The service is engaged by turning on the Web Filter profile and selecting a profile that has FortiGuard Categories enabled on one or more active policies being run by the firewall.

There is also a system-wide setting for enabling or disabling FortiGuard Web Filter that is available only in the CLI:

config system fortiguard
    set webfilter-force-off {enable | disable}
end

The setting is named "force-off", so its sense is inverted: set it to disable to leave FortiGuard Web Filter available, and set it to enable to turn the service off for the whole unit regardless of what the web filter profiles say.

 

General configuration steps

1. Go to Security Profiles > Web Filter.

2. Determine if you wish to create a new profile or edit an existing one.

3. Select an Inspection Mode.

4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.

5. Configure any Quotas needed. (Proxy Mode)

6. Allow blocked override if required.(Proxy Mode)

7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)

8. Configure Static URL Settings. (All Modes)

9. Configure Rating Options. (All Modes)

10. Configure Proxy Options.

11. Save the filter and web filter profile.

12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

 

Configuring FortiGuard Web Filter settings

FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.

 

Getting to the Edit Web Filter Profile configuration window

Once you have reached the profile configuration window there are a number of settings that can be used, most of which are optional. To avoid redundancy we treat each section of options separately, without duplicating the common instructions for getting to the profile editing page. Those instructions are here.

1. Go to Security Profiles > Web Filter.

2. Determine if you wish to create a new profile or edit an existing one.

a. New profile:

i. Select the Create New icon, in the upper right of the window (looks like a plus sign in a circle) or…

ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Select the Create New icon in the upper left.

b. Edit existing profile:

i. Select the name of the profile that you wish to edit from the dropdown menu.

ii. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Select the name of the profile from the list.

3. Make sure there is a valid name, and comment if you want.

4. Configure the settings to best achieve your specific requirements

5. Select Apply or OK, depending on whether you are editing or creating a new profile.

In older versions of FortiOS the URL passed to FortiGuard for rating was limited to 2048 bytes. If the URL being requested was longer, the URL sent to FortiGuard was truncated and the service was unable to categorize the site. Starting in version 5 of the firmware the parsed URL length has been increased to 4 kilobytes, doubling the length of URL that can be categorized.

 

To configure the FortiGuard Web Filter categories

1. Go to the Edit Web Filter Profile window.

2. The category groups are listed in a widget. You can expand each category group to view and configure every subcategory individually within the group. If you change the setting of a category group, all categories within the group inherit the change.

3. Select the category groups and categories to which you want to apply an action.

To assign an action to a category left click on the category and select from the pop up menu.

4. Enable Enforce Quota to activate the quota for the selected categories and category groups.

5. Select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.

6. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

If you look at your logs carefully, you may notice that not every URL connection in the log shows a category; some are left blank. If you take one of those URLs and enter it in the FortiGuard website designed to show the category for a URL, it will successfully categorize it.

The reason for this is that to optimize speed throughput and reduce the load on the FortiGuard servers the FortiGate does not determine a category rating on scripts and css files.

 

Configuring FortiGuard Category Quotas

1. Go to the Edit Web Filter Profile window

2. Verify that the categories that need to have quotas on them are set to one of the actions:

  • Monitor
  • Warning
  • Authenticate

3. Select the blue triangle expand symbol to show the widget for Quotas

4. Select Create New or Edit.

5. In the New/Edit Quota window that pops up enable or disable the specific categories that the quota will apply to.

6. At the bottom of the widget, select Hours, Minutes, or Seconds and enter the number of hours, minutes, or seconds. This is the daily quota allowance for each user.

7. Select Apply or OK.

8. Continue with any other configuration in the profile

9. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

 

Configure Allowed Blocked Overrides

1. Go to the Edit Web Filter Profile window.

2. Enable Allow Blocked Override

3. In the Apply to Group(s) field select the desired User Group

4. In the Assign to Profile field, select the desired profile

 

Configure Search Engine Section

There are 2 primary configuration settings in this section.

 

Enable Safe Search

 

To enable the Safe Search settings

1. Go to the Edit Web Filter Profile window.

2. Enable Safe Search

3. Enable Search Engine Safe Search

4. Enable YouTube Filter

a. Enter the YouTube User ID in the Text field

 

Log All Search Keywords

In the GUI, the configuration setting is limited to a checkbox.

 

Configure Static URL Filter

Web Content Filter

To enable the web content filter and set the content block threshold

1. Go to the Edit Web Filter Profile window.

2. In the Static URL Filter section enable Web Content Filter.

3. Select Create New.

4. Select the Pattern Type.

5. Enter the content Pattern.

6. Enter the Language from the dropdown menu.

7. Select Block or Exempt, as required, from the Action list.

8. Select Enable.

9. Select OK.

 

Configure Rating Options

Allow Websites When a Rating error Occurs

In the GUI, the configuration setting is limited to a checkbox.

 

Rate URLs by Domain and IP Address

In the GUI, the configuration setting is limited to a checkbox.

 

Block HTTP Redirects by Rating

In the GUI, the configuration setting is limited to a checkbox.

 

Rate Images by URL (Blocked images will be replaced with blanks)

In the GUI, the configuration setting is limited to a checkbox.

 

Configure Proxy Options

Restrict Google Account Usage to Specific Domains

Configuring the feature in the GUI

Go to Security Profiles > Web Filter.

In the Proxy Options section, check the box next to Restrict to Corporate Google Accounts Only. Use the Create New link within the widget to add the appropriate Google domains that will be allowed.

Configuring the feature in the CLI

To configure this option in the CLI, the URL filter must refer to a web-proxy profile that is using the Modifying HTTP Request Headers feature. The command is only visible when the action for the entry in the URL filter is set to either allow or monitor.

1. Configure the proxy options:

config web-proxy profile
    edit "googleproxy"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "fortinet.com, Ladan.ca"
            next
        end
    next
end

2. Set a web filter profile to use the proxy options

config webfilter urlfilter
    edit 1
        config entries
            edit "*.google.com"
                set type wildcard
                set action {allow | monitor}
                set web-proxy-profile <profile>
            next
        end
    next
end

In the CLI, you can also add, modify, and remove header fields in HTTP requests when scanning web traffic in proxy mode. If the header field already exists when your FortiGate receives the request, its content is replaced according to the configuration in the URL filter; if it does not exist, it is added. Because the header carries a policy decision, replacing a client-supplied value rather than merely appending to it is what stops a user from smuggling in their own domain list.
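The header rewrite described above, written out as an added example (this is not FortiOS code and not Fortinet's implementation): a URL filter entry with a web-proxy profile attached is applied to a raw HTTP request, and the profile's header is added if absent or its value replaced if the client sent its own. The wildcard host match, the header list and the two sample requests are constructed for this example; the header name and value are the ones used in the CLI above.

```python
"""Added example (not FortiOS code): apply a FortiOS-style "modify HTTP request
headers" rule to a raw HTTP request.  A rule is bound to a URL filter entry
(wildcard host match, action allow or monitor); a matching request gets the
header added, or its existing value replaced.  Entry shape, host pattern and
the sample requests are constructed for this example.
"""
import fnmatch
from typing import Dict, List, Tuple

# One URL filter entry with a web-proxy profile's headers attached
# (constructed to mirror the CLI above; the header value is the page's).
URL_ENTRY = {
    "url": "*.google.com",
    "type": "wildcard",
    "action": "allow",
    "headers": {"X-GoogApps-Allowed-Domains": "fortinet.com, Ladan.ca"},
}


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def entry_matches(entry: Dict, host: str) -> bool:
    """Wildcard URL filter match: case-insensitive fnmatch on the Host header."""
    if entry["type"] != "wildcard":
        raise NotImplementedError("only wildcard entries in this example")
    return fnmatch.fnmatchcase(host.lower(), entry["url"].lower())


def apply_header_rules(raw: bytes, entry: Dict = URL_ENTRY) -> bytes:
    """Return the request with the profile's headers added or replaced."""
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    # Header rewriting only applies to allow/monitor entries, as the page says.
    if entry["action"] not in ("allow", "monitor") or not entry_matches(entry, host):
        return raw
    rules = {k.lower(): (k, v) for k, v in entry["headers"].items()}
    out, seen = [], set()
    for name, value in headers:
        key = name.lower()
        if key in rules:                       # header present: replace its content
            out.append((name, rules[key][1]))
            seen.add(key)
        else:
            out.append((name, value))
    for key, (name, value) in rules.items():   # header absent: add it
        if key not in seen:
            out.append((name, value))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in out])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def get_header(raw: bytes, name: str):
    """Value of a header in a raw request, or None (used to check results)."""
    _, headers, _ = parse_request(raw)
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# Constructed sample requests: one where the client tries to set the header
# itself, one to a host the entry does not cover.
SAMPLE_GOOGLE = (b"GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n"
                 b"X-GoogApps-Allowed-Domains: attacker.example\r\n\r\n")
SAMPLE_OTHER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(apply_header_rules(SAMPLE_GOOGLE).decode())
```

The replace-rather-than-append behaviour is the security-relevant part: a client that sends its own X-GoogApps-Allowed-Domains header gets it overwritten with the administrator's list.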

 

Web Resume Download block

In the GUI, the configuration setting is limited to a checkbox.

 

Provide Details for Blocked HTTP 4xx and 5xx Errors

In the GUI, the configuration setting is limited to a checkbox.

 

HTTP POST Action

In the GUI, the configuration setting is a choice of the action to take; the actions are described under HTTP POST action in the Advanced web filter configurations section.

Remove Java Applet Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Remove ActiveX Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Remove Cookie Filter

In the GUI, the configuration setting is limited to a checkbox.

 

Web filtering example

Web filtering is particularly important for protecting school-aged children. There are legal issues associated with improper web filtering as well as a moral responsibility not to allow children to view inappropriate material. The key is to design a web filtering system in such a way that students and staff do not fall under the same web filter profile in the FortiGate configuration. This is important because the staff may need to access websites that are off-limits to the students.

 

School district

The background for this scenario is a school district with more than 2300 students and 500 faculty and staff in a preschool, three elementary schools, a middle school, a high school, and a continuing education center. Each elementary school has a computer lab and the high school has three computer labs with connections to the Internet. Such easy access to the Internet ensures that every student touches a computer every day.

With such a diverse group of Internet users, it was not possible for the school district to set different Internet access levels. This meant that faculty and staff were unable to view websites that the school district had blocked. Another issue was the students’ use of proxy sites to circumvent the previous web filtering system. A proxy server acts as a go-between for users seeking to view web pages from another server. If the proxy server has not been blocked by the school district, the students can access the blocked website.

When determining what websites are appropriate for each school, the district examined a number of factors, such as community standards and different needs of each school based on the age of the students.

The district decided to configure the FortiGate web filtering options to block content of an inappropriate nature and to allow each individual school to modify the options to suit the age of the students. This way, each individual school was able to add or remove blocked sites almost immediately and have greater control over their students’ Internet usage.

In this simplified example of the scenario, the district wants to block any websites with the word example on them, as well as the website www.example.com. The first task is to create web content filter lists for the students and the teachers.

 

Create a Webfilter for the students

1. Go to Security Profiles > Web Filter.

2. Select the Create New icon.

3. Enter the name “Students” in the name field.

4. For the Inspection mode, select Proxy.

5. Enable FortiGuard Categories.

a. Set to block the following categories:

  • Potentially Liable
  • Adult/Mature Content
  • Security Risk

 

URL Content

6. Check Enable Safe Search

a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex

b. Check YouTube Education Filter and enter the YouTube User ID

7. In the Static URL Filter section, check Enable URL Filter.

a. In the URL Filter widget, Select Create New.

i. In the URL field, enter *example*.*

ii. For the Type field, select Wildcard

iii. For the Action field, select Block

iv. For the Status field, check Enable

v. Select OK

 

Web Content Filter

8. In the Static URL Filter section, check Enable Web Content Filter.

a. In the Web Content Filter widget, select Create New.

b. Enter the name "Students" in the name field.

i. For the Pattern Type field, select Wildcard

ii. In the Pattern field, enter "example"

iii. For the Language field, choose Western

iv. For the Action field, select Block

v. For the Status field, check Enable

vi. Select OK

9. Check Rate URLs by Domain and IP Address

10. Check Block HTTP Redirects by Rating

11. Check Rate Images by URL (Blocked images will be replaced with blanks)

12. Select OK

 

Create a Webfilter for the Teachers

It is more efficient if the Teachers web content list includes the same blocked content as the Students list. From time to time a teacher might have to view a page that is blocked for students; it is then just a matter of changing the action for that pattern from Block to Exempt as the situation requires. The following filter shows how it could be set up so that teachers can see the "example" content when needed while inappropriate material remains blocked.

1. Go to Security Profiles > Web Filter.

2. Select the Create New icon.

3. Enter the name “Teachers” in the name field.

4. For the Inspection mode, select Proxy.

5. Enable FortiGuard Categories.

a. Set to block the following categories:

  • Potentially Liable
  • Adult/Mature Content
  • Security Risk

 

URL Content

6. Check Enable Safe Search

a. Check Search Engine Safe Search – Google, Yahoo!, Bing, Yandex

b. Check YouTube Education Filter and enter the YouTube User ID

7. In the Static URL Filter section, check Enable URL Filter.

a. In the URL Filter widget, Select Create New.

i. In the URL field, enter *example*.*

ii. For the Type field, select Wildcard

iii. For the Action field, select Block

iv. For the Status field, check Enable

v. Select OK

 

Web Content Filter

8. In the Static URL Filter section, check Enable Web Content Filter.

a. In the Web Content Filter widget, select Create New.

b. Enter the name “Teachers” in the name field.

i. For the Pattern Type field, select Wildcard

ii. In the Pattern field, enter “example”

iii.  For the Language field, choose Western

iv. For the Action field, select “Exempt”

v. For the Status field, check Enable.

vi. Select OK

9. Check Rate URLs by Domain and IP Address

10. Check Block HTTP Redirects by Rating

11. Check Rate Images by URL (Blocked images will be replaced with blanks)

12. Select OK

 

To create a security policy for the students

1. Go to Policy & Objects > IPv4 Policy.

2. Select the policy being used to manage student traffic.

3. Enable Web Filter.

4. Select Students from the web filter drop-down list.

5. Select OK.

 

To create a security policy for Teachers

1. Go to Policy & Objects > IPv4 Policy.

2. Select the policy being used to manage teacher traffic.

3. Enable Web Filter.

4. Select Teachers from the web filter drop-down list.

5. Select OK.

6. Make sure that the student policy is in the sequence before the teachers’ policy.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Advanced web filter configurations

 

Allow websites when a rating error occurs

Enable to allow access to web pages that return a rating error from the FortiGuard Web Filter service.

If your FortiGate unit cannot contact the FortiGuard service temporarily, this setting determines what access the FortiGate unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.

 

ActiveX filter

Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly with this filter enabled.

 

Block HTTP redirects by rating

Enable to block HTTP redirects.

Many web sites use HTTP redirects legitimately but in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.

This option is not supported for HTTPS.

 

Block Invalid URLs

Select to block web sites when their SSL certificate CN field does not contain a valid domain name.

FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:

  • If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
  • If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.

Enabling the Web Filter profile to block a particular category and enabling the Application Control profile will not result in blocking the URL. This occurs because proxy-based and flow-based profiles cannot operate together.

To ensure replacement messages show up for blocked URLs, switch the Web Filter to Flow based inspection.

 

Cookie filter

Enable to filter cookies from web traffic. Web sites using cookies may not function properly with this enabled.

 

Provide Details for Blocked HTTP 4xx and 5xx Errors

Enable to have the FortiGate unit display its own replacement message for 400 and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.

 

HTTP POST action

Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.

The available actions include:

Comfort

Use client comforting to slowly send data to the web server as the FortiGate unit scans the file. Use this option to prevent a server time-out when scanning or other filtering is enabled for outgoing traffic.

The client comforting settings used are those defined in the Proxy Options profile selected in the security policy.

 

Block

Block the HTTP POST command. This will limit users from sending information and files to web sites.

When the post request is blocked, the FortiGate unit sends the http-post-block replacement message to the web browser attempting to use the command.

 

Java applet filter

Enable to filter java applets from web traffic. Web sites using java applets may not function properly with this filter enabled.

 

Rate Images by URL

Enable to have the FortiGate retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category.

Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.

 

Rate URLs by Domain and IP Address

Enable to have the FortiGate unit request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.

If the rating determined by the domain name and the rating determined by the IP address differ, the action that is enforced is determined by a weighting assigned to the different categories: the higher-weighted category takes precedence. A side effect is that sometimes the action is decided by the classification of the domain name and other times by the classification of the IP address.

FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed.

An example of how this would work would be if a URL’s rating based on the domain name indicated that it belonged in the category Lingerie and Swimsuit, which is allowed but the category assigned to the IP address was Pornography which has an action of Block, because the Pornography category has a higher weight the effective action is Block.

 

Web resume download block

Enable to prevent the resumption of a file download where it was previously interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off.

This prevents the unintentional download of viruses hidden in fragmented files.

Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range Header in the HTTP protocol, such as YUM, a Linux update manager.

 

Restrict Google account usage to specific domains

This feature allows the blocking of access to some Google accounts and services while allowing access to accounts that belong to the domains specified in the exception list.

 

Block non-English character URLs

The FortiGate will not block a URL containing non-English (non-ASCII) characters if it is added to the URL filter in that form. To block access to such a URL, the non-ASCII characters must be entered in their percent-encoded (UTF-8, URL-encoded) form, which is how the FortiGate sees and logs the request.

Browse to the non-English character URL (for example, http://www.fortinet.com/pages/ที่นี่-ไม่มีเศษรัฐประหารให้ใครแดก/338419686287505?ref=stream).

On the FortiGate, use the URL as shown in the FortiGate GUI or log (the percent-encoded form) and add it to the list of blocked URLs in your URL filter, for example:

http://www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream

Once added, further browsing to the URL results in a blocked page.

 

CLI Syntax

The URL filter entry holds the percent-encoded URL; the web filter profile must reference the URL filter table (urlfilter-table), or its entries are never consulted; the firewall policy then applies the profile.

config webfilter urlfilter
    edit 1
        set name "block_international_character_urls"
        config entries
            edit 1
                set url "www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81%E0%B8%94%E0%B8%81/338419686287505?ref=stream"
                set action block
            next
        end
    next
end

config webfilter profile
    edit "block_international_character_urls"
        config web
            set urlfilter-table 1
        end
    next
end

config firewall policy
    edit 3
        set uuid cf80d386-7bcf-51e5-6e87-db207e3f0fa8
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webfilter-profile "block_international_character_urls"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
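Why the percent-encoded form is the one that works, as an added example (not FortiOS code): normalise_url() produces the host/path/query string the FortiGate logs for a request (UTF-8 percent-encoding of non-ASCII path and query characters, IDNA for the host) and url_matches() applies a static URL filter entry to it. The Thai URL is the page's own example; the simple, wildcard and regex match semantics are simplified approximations of the FortiOS ones and are assumed for this example.

```python
"""Added example (not FortiOS code): a non-English URL must be entered in the
URL filter in its percent-encoded form, because that is the form the filter
compares against.  The match semantics below are simplified assumptions.
"""
import fnmatch
import re
from urllib.parse import quote, unquote, urlsplit


def normalise_url(url: str) -> str:
    """Return 'host/path?query' as the URL filter sees it: ASCII host (IDNA),
    UTF-8 percent-encoded path and query.  Idempotent on encoded input."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").encode("idna").decode("ascii")
    path = quote(unquote(parts.path), safe="/")
    query = quote(unquote(parts.query), safe="=&")
    return host + path + ("?" + query if query else "")


def url_matches(entry_url: str, entry_type: str, request_url: str) -> bool:
    """Apply one static URL filter entry (assumed semantics) to a request."""
    target = normalise_url(request_url)
    if entry_type == "simple":
        # exact URL, or the entry is a directory prefix of the request
        return target == entry_url or target.startswith(entry_url.rstrip("/") + "/")
    if entry_type == "wildcard":
        return fnmatch.fnmatchcase(target, entry_url)
    if entry_type == "regex":
        return re.search(entry_url, target) is not None
    raise ValueError("unknown entry type: " + entry_type)


# The page's example URL as the browser shows it (raw Thai) ...
RAW_URL = ("http://www.fortinet.com/pages/"
           "ที่นี่-ไม่มีเศษรัฐประหารให้ใครแดก/338419686287505?ref=stream")
# ... and as the FortiGate GUI and log show it (percent-encoded UTF-8).
ENCODED_URL = ("www.fortinet.com/pages/%E0%B8%97%E0%B8%B5%E0%B9%88%E0%B8%99%E0%B8%B5%E0%B9%88-"
               "%E0%B9%84%E0%B8%A1%E0%B9%88%E0%B8%A1%E0%B8%B5%E0%B9%80%E0%B8%A8%E0%B8%A9"
               "%E0%B8%A3%E0%B8%B1%E0%B8%90%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%AB%E0%B8%B2"
               "%E0%B8%A3%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B9%83%E0%B8%84%E0%B8%A3%E0%B9%81"
               "%E0%B8%94%E0%B8%81/338419686287505?ref=stream")


def demo() -> dict:
    """Which filter entries actually catch the request."""
    return {
        # the entry copied from the GUI/log: matches
        "encoded_entry_blocks": url_matches(ENCODED_URL, "simple", RAW_URL),
        # the entry typed with raw Thai characters: never matches
        "raw_thai_entry_blocks": url_matches(RAW_URL.split("://", 1)[1], "simple", RAW_URL),
        # a wildcard on the ASCII prefix sidesteps the encoding problem entirely
        "wildcard_entry_blocks": url_matches("www.fortinet.com/pages/*", "wildcard", RAW_URL),
    }


if __name__ == "__main__":
    print(normalise_url(RAW_URL))
    print(demo())
```

Note the third entry: where the non-ASCII part of the path is not needed to identify the page, a wildcard entry on the ASCII prefix avoids maintaining long encoded strings.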

 

WebSense web filtering through WISP

WISP is a Websense protocol similar in functionality to ICAP: it allows URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.

This feature provides a solution for customers with large, existing Websense deployments who want to replace their legacy firewalls with FortiGate units without being forced to change their web filtering infrastructure at the same time.

In order to use WebSense’s web filtering service, a WISP server per VDOM needs to be defined and enabled first. A Web filtering profile is then defined that enables WISP, which in turn is applied to a firewall policy.

When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.

 

Syntax

config web-proxy wisp
    set status enable
    set server-ip 72.214.27.138
    set max-connection 128
end

config webfilter profile
    edit "wisp_only"
        set wisp enable
    next
end


Web content filter

You can control web content by blocking access to web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can also add words, phrases, patterns, wild cards and Perl regular expressions to match content on web pages. You can add multiple web content filter lists and then select the best web content filter list for each web filter profile.

Enabling web content filtering involves three separate parts of the FortiGate configuration.

  • The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day.
  • The web filter profile specifies what sort of web filtering is applied.
  • The web content filter list contains blocked and exempt patterns.

The web content filter feature scans the content of every web page that is accepted by a security policy. The system administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases in the page. If the sum is higher than a threshold set in the web filter profile, the FortiGate unit blocks the page.

 

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create a web content filter list.

2. Add patterns of words, phrases, wildcards, and regular expressions that match the content to be blocked or exempted.

3. You can add the patterns in any order to the list. You need to add at least one pattern that blocks content.

4. In a web filter profile, enable the web content filter and select a web content filter list from the options list. To complete the configuration, you need to select a security policy or create a new one. Then, in the security policy, enable Webfilter and select the appropriate web filter profile from the list.

 

Creating a web filter content list

You can create multiple content lists and then select the best one for each web filter profile. Creating your own web content lists can be accomplished only using the CLI.

This example shows how to create a web content list called inappropriate language, with two entries, offensive and rude.

 

To create a web filter content list

config webfilter content
    edit 3
        set name "inappropriate language"
        config entries
            edit "offensive"
                set action block
                set lang western
                set pattern-type wildcard
                set score 15
                set status enable
            next
            edit "rude"
                set action block
                set lang western
                set pattern-type wildcard
                set score 5
                set status enable
            next
        end
    next
end

 

Configuring a web content filter list

Once you have created the web filter content list, you need to add web content patterns to it. There are two types of patterns: Wildcard and Regular Expression.

You use the Wildcard setting to block or exempt one word or a text string of up to 80 characters. You can also use the wildcard symbols "*" and "?" to represent one or more characters. For example, as a wildcard expression, forti*.com will match fortinet.com and forticare.com: the "*" represents any character appearing any number of times.

You use the Regular Expression setting to block or exempt patterns written as Perl regular expressions, which use some of the same symbols as wildcard expressions but with different meanings. In a regular expression, "*" means zero or more repetitions of the character (or group) immediately before it. For example, as a regular expression forti*.com will match fortiii.com but not fortinet.com or fortiice.com, because the "*" applies only to the "i" before it, and "." matches a single arbitrary character rather than a literal dot. To match a literal dot in a regular expression, escape it as "\.".

The maximum number of web content patterns in a list is 5000.

 

How content is evaluated

Every time the web content filter detects banned content on a web page, it adds the score for that content to the sum of scores for that web page. You set this score when you create a new pattern to block the content. The score can be any number from zero to 99999. Higher scores indicate more offensive content.  When the sum of scores equals or exceeds the threshold score, the web page is blocked. The default score for web content filter is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

 

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.
  • The score for any word in a phrase without quotation marks is counted.
  • The score for a phrase in quotation marks is counted only if it appears exactly as written.

The following table describes how these rules are applied to the contents of a web page. Consider the following, a web page that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web page.”

 

Banned Pattern Rules

Banned pattern      Assigned score   Score added to page sum   Threshold   Comment
word                20               20                        20          Appears twice but is only counted once. Web page is blocked.
word phrase         20               40                        20          Each word appears twice but is only counted once, giving a total score of 40. Web page is blocked.
word sentence       20               20                        20          "word" appears twice, "sentence" does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. Web page is blocked.
"word sentence"     20               0                         20          This phrase does not appear exactly as written. Web page is allowed.
"word or phrase"    20               20                        20          This phrase appears twice but is counted only once. Web page is blocked.

 

Enabling the web content filter and setting the content threshold

When you enable the web content filter, the web filter blocks any web page when the sum of scores for banned content on that page equals or exceeds the content block threshold. The threshold is disregarded for any exempt patterns in the web content filter list: a page that matches an exempt pattern is allowed.
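The pattern types and the scoring rules above, written out as an added example (not FortiOS code, and not Fortinet's matcher, whose exact word-boundary handling is not public): the two pattern types (wildcard and Perl-style regular expression), the quoted-phrase versus unquoted-phrase rule, count-once scoring, exempt entries and the block threshold. The Entry shape and the sample list are constructed for the example; the page text is the sentence used in the Banned Pattern Rules table, so the function reproduces that table.

```python
"""Added example (not FortiOS code): a small model of how a web content filter
list scores a page.  Matching semantics are an approximation assumed for
this example; the scoring rules follow the page.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

FLAGS = re.IGNORECASE | re.DOTALL


@dataclass
class Entry:
    pattern: str
    pattern_type: str = "wildcard"   # "wildcard" or "regexp"
    score: int = 10                  # page: default score is 10
    action: str = "block"            # "block" or "exempt"


def wildcard_to_regex(token: str) -> str:
    """Translate a wildcard token: '*' = any run of characters, '?' = one
    character.  Plain words get word boundaries so 'word' does not hit 'sword'."""
    if not any(c in token for c in "*?"):
        return r"\b" + re.escape(token) + r"\b"
    return re.escape(token).replace(r"\*", ".*").replace(r"\?", ".")


def entry_hits(entry: Entry, text: str) -> int:
    """How many times the entry's score is added to the page total.  Each hit
    is counted once however often it appears; an unquoted phrase scores once
    per distinct word of the phrase that appears, a quoted phrase only if it
    appears exactly as written."""
    if entry.pattern_type == "regexp":
        return 1 if re.search(entry.pattern, text, FLAGS) else 0
    pat = entry.pattern.strip()
    if len(pat) >= 2 and pat.startswith('"') and pat.endswith('"'):
        phrase = r"\b" + re.escape(pat[1:-1]) + r"\b"
        return 1 if re.search(phrase, text, FLAGS) else 0
    return sum(1 for tok in pat.split() if re.search(wildcard_to_regex(tok), text, FLAGS))


def evaluate(entries: List[Entry], text: str, threshold: int = 10) -> Tuple[str, int]:
    """Return ('block' | 'allow', total_score) for one page.  Page default
    threshold is 10, so a single default-score hit blocks."""
    total = 0
    for entry in entries:
        hits = entry_hits(entry, text)
        if hits == 0:
            continue
        if entry.action == "exempt":
            return "allow", 0          # exemptions override the threshold
        total += entry.score * hits
    return ("block" if total >= threshold else "allow"), total


# The sentence the page's Banned Pattern Rules table is evaluated against.
PAGE_TEXT = ("The score for each word or phrase is counted only once, even if that "
             "word or phrase appears many times in the web page.")

if __name__ == "__main__":
    for pattern in ["word", "word phrase", "word sentence", '"word sentence"', '"word or phrase"']:
        print(pattern, evaluate([Entry(pattern, score=20)], PAGE_TEXT, threshold=20))
```

Run stand-alone, the loop prints one line per row of the table above (20/40/20/0/20). The regexp branch shows the difference the text describes: Entry(r"forti*\.com", "regexp") hits fortiii.com but not fortinet.com, whereas the wildcard Entry("forti*.com") hits both.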


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SafeSearch Fortinet Settings

SafeSearch

SafeSearch is a feature of popular search sites that prevents explicit web sites and images from appearing in search results. Although SafeSearch is a useful tool, especially in educational environments, the resourceful user may be able to simply turn it off. Enabling SafeSearch for the supported search sites enforces its use by rewriting the search URL to include the code to indicate the use of the SafeSearch feature. For example, on a Google search it would mean adding the string “&safe=active” to the URL in the search.


The search sites supported are:

  • Google
  • Yahoo
  • Bing
  • Yandex


Enabling SafeSearch — CLI

config webfilter profile
    edit default
        config web
            set safe-search url
        end
    end

This enforces the use of SafeSearch in traffic controlled by the firewall policies using the web filter you configure.


Search Keywords

There is also the capability to log the search keywords used in the search engines.


YouTube Education Filter

YouTube for Schools is a way to access educational videos from inside a school network. This YouTube feature gives schools the ability to access a broad set of educational videos on YouTube EDU and to select the specific videos that are accessible from within the school network.

Before this feature can be used an account has to be set up for the school with YouTube. Once the account is set up a unique ID will be provided. This ID becomes part of the filter that is used to allow access to the educational content of YouTube for use in schools even if YouTube is blocked by the policy.

More details can be found by going to http://www.youtube.com/schools.


Enabling YouTube Education Filter in CLI

config webfilter profile
    edit default
        config web
            set safe-search url header
            set youtube-edu-filter-id ABCD1234567890abcdef
        end
    end

Static URL Filter

You can allow or block access to specific URLs by adding them to the Web Site Filter list. You add the URLs by using patterns containing text and regular expressions. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.

URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp:// ftp.example.com. Instead, use firewall policies to deny ftp connections.

When adding a URL to the URL filter list, follow these rules:

  • Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
  • Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls access to the news page on this web site.
  • To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
  • Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.

URLs with an action set to exempt or monitor are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it so the FortiGate unit does not virus scan files downloaded from this URL.


URL formats

When adding a URL to the URL filter list, follow these rules:


How URL formats are detected when using HTTPS

If your unit does not support SSL content scanning and inspection or if you have selected the URL filtering option in web content profile for HTTPS content filtering mode under Protocol Recognition, filter HTTPS traffic by entering a top level domain name, for example, www.example.com. HTTPS URL filtering of encrypted sessions works by extracting the CN from the server certificate during the SSL negotiation. Since the CN only contains the domain name of the site being accessed, web filtering of encrypted HTTPS sessions can only filter by domain names.

If your unit supports SSL content scanning and inspection and if you have selected Deep Scan, you can filter HTTPS traffic in the same way as HTTP traffic.


How URL formats are detected when using HTTP

URLs with an action set to exempt are not scanned for viruses. If users on the network download files through the unit from trusted web site, add the URL of this web site to the URL filter list with an action set to exempt so the unit does not virus scan files downloaded from this URL.

  • Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
  • Enter a top-level URL followed by the path and filename to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls the news page on this web site.
  • To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
  • Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.
  • Fortinet URL filtering supports standard regular expressions.

If virtual domains are enabled on the unit, web filtering features are configured globally. To access these features, select Global Configuration on the main menu.

URL Filter actions

You can select one of four actions for how traffic will be treated as it attempts to reach a site in the list.


Block

Attempts to access any URLs matching the URL pattern are denied. The user will be presented with a replacement message.


Allow

Any attempt to access a URL that matches a URL pattern with an allow action is permitted. The traffic is passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning.

Allow is the default action. If a URL does not appear in the URL list, it is permitted.


Monitor

Traffic to, and reply traffic from, sites matching a URL pattern with a Monitor action is allowed through in the same way as the “Allow” action. The difference with the Monitor action is that a log message will be generated each time a matching traffic session is established. The requests will also be subject to all other Security Profiles inspections that would normally be applied to the traffic.

Exempt


Exempt allows trusted traffic to bypass the antivirus proxy operations, but it functions slightly differently. In general, if you’re not certain that you need to use the Exempt action, use Monitor.

HTTP 1.1 connections are persistent unless declared otherwise. This means the connections will remain in place until closed or the connection times out. When a client loads a web page, the client opens a connection to the web server. If the client follows a link to another page on the same site before the connection times out, the same connection is used to request and receive the page data.

When you add a URL pattern to a URL filter list and apply the Exempt action, traffic sent to, and reply traffic from, sites matching the URL pattern will bypass all antivirus proxy operations. The connection itself inherits the exemption. This means that all subsequent reuse of the existing connection will also bypass all antivirus proxy operations. When the connection times out, the exemption is cancelled.

For example, consider a URL filter list that includes example.com/files configured with the Exempt action. A user opens a web browser and downloads a file from the URL example.com/sample.zip. This URL does not match the URL pattern so it is scanned for viruses. The user then downloads example.com/files/beautiful.exe and since this URL does match the pattern, the connection itself inherits the exempt action. The user then downloads example.com/virus.zip. Although this URL does not match the exempt URL pattern, a previously visited URL did, and since the connection inherited the exempt action and was re-used to download a file, the file is not scanned.

If the user next goes to an entirely different server, like example.org/photos, the connection to the current server cannot be reused. A new connection to example.org is established. This connection is not exempt. Unless the user goes back to example.com before the connection to that server times out, the server will close the connection. If the user returns after the connection is closed, a new connection to example.com is created and it is not exempt until the user visits a URL that matches the URL pattern.

Web servers typically have short time-out periods. A browser will download multiple components of a web page as quickly as possible by opening multiple connections. A web page that includes three photos will load more quickly if the browser opens four connections to the server and downloads the page and the three photos at the same time. A short time-out period on the connections will close the connections faster, allowing the server to avoid unnecessarily allocating resources for a long period. The HTTP session time-out is set by the server and will vary with the server software, version, and configuration.

Using the Exempt action can have unintended consequences in certain circumstances. Suppose you have a web site at example.com and, since you control the site, you trust its contents and configure example.com as exempt. But example.com is hosted on a shared server with a dozen other sites, each with a unique domain name. Because of the shared hosting, they also share the same IP address. If you visit example.com, your connection to your site becomes exempt from any antivirus proxy operations. Visits to any of the 12 other sites on the same server will reuse the same connection, and the data you receive is exempt from scanning.

Use of the Exempt action is not suitable for configurations in which connections through the FortiGate unit use an external proxy. For example, you use proxy.example.net for all outgoing web access. Also, as in the first example, the URL filter list includes a URL pattern of example.com/files configured with the Exempt action. Users are protected by the antivirus protection of the FortiGate unit until a user visits a URL that matches the example.com/files URL pattern. The pattern is configured with the Exempt action so the connection to the server inherits the exemption. With a proxy, however, the connection is from the user to the proxy. Therefore, the user is entirely unprotected until the connection times out, no matter what site he visits.

Ensure you are aware of the network topology involving any URLs to which you apply the Exempt action.
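The connection-reuse scenarios above, as an added model written for this page rather than FortiOS code: it tracks which persistent connections are still open and whether each has inherited an exemption, so you can check which downloads would bypass scanning. The shared address 198.51.100.10 used for the shared-hosting case is a constructed value.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """One persistent HTTP/1.1 connection. 'exempt' is inherited for the life
    of the connection once any request on it matches an Exempt pattern."""
    server: str
    exempt: bool = False


class ExemptConnectionModel:
    """Constructed model of the Exempt action on reused connections (not FortiOS
    code). URLs are given without a scheme, e.g. 'example.com/sample.zip'.
    'resolve' maps host names to the address they share (shared hosting);
    'proxy' sends every request over a single connection to that proxy."""

    def __init__(self, exempt_patterns, resolve=None, proxy=None):
        self.exempt_patterns = tuple(exempt_patterns)
        self.resolve = resolve or {}
        self.proxy = proxy
        self.open = {}  # server -> Connection still inside its idle time-out

    def _server(self, url):
        if self.proxy:
            return self.proxy
        host = url.split("/", 1)[0]
        return self.resolve.get(host, host)

    def request(self, url):
        """Fetch url; return True if the reply is virus-scanned, False if it
        bypasses scanning because the connection carries an exemption."""
        server = self._server(url)
        conn = self.open.get(server)
        if conn is None:
            # Nothing reusable: a fresh connection starts out non-exempt.
            conn = self.open[server] = Connection(server)
        if url.startswith(self.exempt_patterns):
            conn.exempt = True  # the connection inherits the exemption
        return not conn.exempt

    def timeout(self, server):
        """The server closes the idle connection; the exemption dies with it."""
        self.open.pop(server, None)
```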


Status

The Web Site Filter has the option to either enable or disable individual web sites in the list. This allows for the temporary removal of the actions against a site so that it can be later reengaged without having to rewrite the configuration.


Configuring a URL filter

Each URL filter list can have up to 5000 entries. For this example, the URL www.example*.com will be used. You configure the list by adding one or more URLs to it.


To add a URL to a URL filter

1. Go to Security Profiles > Web Filter.

2. Select a web filter to edit.

3. Under Static URL Filter, enable URL Filter, and select Create New.

4. Enter the URL, without the “http”, for example: example*.com.

5. Select a Type: Simple (see below), Wildcard, or Regular Expression. In this example, select Wildcard.

6. Select the Action to take against matching URLs: Exempt, Block, Allow, or Monitor.

7. Select Enable.

8. Select OK.

‘Simple’ filter type

If you select the Simple filter type for a URL filter, the syntax performs an exact match. Note, however, that the domain and path are separate entities in HTTP, despite the fact that a user types them as a single entity, and in the case of ‘simple’ the matching rules for each part (domain and path) are different.

The ‘domain’ part

For the domain part, the goal of the ‘simple’ format is to make it easy to block a domain and all its subdomains, such that the admin only has to type “address.xy” to block “address.xy”, “www.address.xy”, “talk.address.xy”, etc. but not block “youraddress.xy” or “www.youraddress.xy”, which are different domains from “address.xy”.

Also, the actual domain does not include http:// or https:// so this should not be entered or the URL filter will try to match a domain starting with http. For this reason, when you enter http:// in the URL filter via the GUI, it is automatically removed.

A trailing ‘/’ with the domain is not needed. The GUI URL filter will automatically trim this, but when using the API to provide the per-user BWL it will not! Take this into account; it is better not to use a trailing slash, as it might give unexpected results.

The ‘path’ part

For the path part, an exact match takes place. For example:

www.address.xy/news

blocks anything that starts with that exact path. So this matches:

www.address.xy/newsies
www.address.xy/newsforyou
www.address.xy/news/co
etc.

Also:

www.address.xy/new

likewise blocks the same as above but also includes:

/newt
/newp
etc.

which is a much broader filter, matching:

www.address.xy/newstand/co
www.address.xy/news/co
etc.

In other words, the more you specify of the path, the more strictly it will match.

Here as well a trailing ‘/’ with the URL path is not needed. The GUI URL filter will automatically trim this, but when using the API to provide the per-user BWL it will not! Take this into account; it is better not to use a trailing slash, as it might give unexpected results.
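As an added example (not the handbook's own code), the ‘simple’ domain and path rules from the two sections above implemented as a matcher, with the GUI's trailing-slash trimming as an option so the untrimmed API behaviour can be compared:

```python
from urllib.parse import urlsplit


def _split_entry(entry):
    """Return (host, path) for 'host/path'. A scheme, if present, is ignored,
    the way the GUI strips http:// from a filter entry."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return (parts.hostname or "").lower(), parts.path


def simple_match(pattern, url, trim_trailing_slash=True):
    """Does a 'Simple' URL filter entry match the requested URL?

    Domain part: the entry matches its own domain and every subdomain of it,
    never a longer domain that merely ends with the same letters.
    Path part: the request path must start with the entry's path exactly.
    trim_trailing_slash=True mimics the GUI, which trims a trailing '/';
    pass False to see the stricter match an untrimmed API entry gives.
    """
    p_host, p_path = _split_entry(pattern)
    u_host, u_path = _split_entry(url)
    if trim_trailing_slash:
        p_path = p_path.rstrip("/")
    same_or_subdomain = u_host == p_host or u_host.endswith("." + p_host)
    return same_or_subdomain and u_path.startswith(p_path)
```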


Referer URL

A new variable has been added to the Static URL Filter: referrer-host. If a referer is specified, the hostname in the Referer field of the HTTP request will be compared for any entry that contains the matching URL. If the referer matches, then the specified action will be performed by the proxy.

Configuring in the GUI

The configuration can be done in the GUI, but only if advanced web filtering features have been enabled by entering the following commands in the CLI:

config system global
    set gui-webfilter-advanced enable
end

After this command is used, a new column will be created in Security Profiles > Web Filter to set the referer.


Configuring in the CLI

When specifying the URL filter, it needs to be identified by its ID. The URLs are listed under each entry. To find the ID number:

config webfilter urlfilter
    edit ?

A list of the current URL filters will be listed with their ID numbers in the left column. The syntax in the CLI for configuring an entry is:

config webfilter urlfilter
    edit <ID>
        config entries
            edit 1
                set url <url>
                set referrer-host <url>
                set type {simple | regex | wildcard}
                set action {block | allow | monitor | exempt}
                set status {enable | disable}
            end
        end
    end



Overriding FortiGuard website categorization

In most things there is an exception to the rule. When it comes to the rules about who is allowed to go to which websites, or in this case the policies, it seems that there are more exceptions than to most rules. There are numerous valid reasons and scenarios for exceptions, so it follows that there needs to be a way to accommodate these exceptions.


The different methods of override

There are actually two different ways to override web filtering behavior based on FortiGuard categorization of a website. The second method has two variations in implementation, and each of the three has a different level of granularity.

1. Using Alternate Categories

Rating Override

This method manually assigns a specific website to a different Fortinet category or a locally created category.

2. Using Alternate Profiles

Administrative Override or Allow Blocked Override

In this method, configured users or IP addresses whose traffic goes through the FortiGate unit using an identity based policy and a Web Filter profile have the option of using an alternative Web Filter profile when attempting to access blocked websites.

Using Alternate Categories

Web Rating Overrides

There are two approaches to overriding FortiGuard Web Filtering. The first is an identity based method that can be configured using a combination of identity based policies and specifically designed web filter profiles. This has been addressed in the Firewall Handbook.

The second method is the system wide approach that locally (on the FortiGate firewall) reassigns a URL to a different FortiGuard Category and even subcategory. This is where you can assign a specific URL to the FortiGuard Category that you want; you can also assign the URL to one of the Custom Categories that you have created.

The Web Rating Overrides option is available because different people will have different criteria for how they categorize websites. Even if the criteria are the same, an organization may have reason to block the bulk of a category but need to be able to access specific URLs that are assigned to that category.

A hypothetical example could be that a website, example.com, is categorized as being in the Sub-Category Pornography. The law offices of Barrister, Solicitor and Lawyer do not want their employees looking at pornography at work, so they have used the FortiGuard Web Filter to block access to sites that have been assigned to the Category “Pornography”. However, the owners of example.com are clients of the law office, and they are aware that example.com is for artists that specialize in nudes and erotic images. In this case two approaches can be taken. The first is that the Rating Override function can be used to assign example.com to Nudity and Risque instead of Pornography, for the purposes of matching the criteria that the law office goes by; or the site can be assigned to a Custom Category that is not blocked, because the site belongs to one of their clients and they always want to be able to access the site.

Another hypothetical example, from the other side of the coin: a private school has decided that a company that specializes in the online selling of books that could be considered inappropriate for children because of their violent subject matter should not be accessible to anyone in the school. The categorization by Fortinet of the site example2.com is General Interest – Business with the subcategory of Shopping and Auction, which is a category that is allowed at the school. In this case the school could reassign the site to the Category Adult Material, which is a blocked category.

Local or Custom Categories

User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a web filter profile. Users can rate URLs based on the local categories.

Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed.

The local assignment of a category overrides the FortiGuard server ratings and appears in reports as “Local” Categories or “Custom” Categories depending on the context.

In the CLI, they are referred to as Local categories. To create a Local Category:

config webfilter ftgd-local-cat
    edit local_category_1
        set id 140
end

In the GUI they are referred to as Custom Categories. To create a new category in the Web Based Manager:

1. Go to Security Profiles > Web Rating Overrides.

2. Instead of creating a new override, you can choose the “Custom Categories” icon in the top menu bar.

3. From the new window select Create New.

4. A new row will appear at the bottom of the list of categories with a field on the left highlighted and the message “This field is required”. Enter the name of the custom category in this field.

5. Select Enter.


Configuring Rating Overrides

1. Go to Security Profiles > Web Rating Overrides.

2. Select Create New

3. Type in the URL field the URL of the Website that you wish to recategorize.

4. Select the Lookup Rating button to verify the current categorization that is being assigned to the URL.

5. Change the Category field to one of the more applicable options from the drop down menu.

6. Change the SubCategory field to a more narrowly defined option within the main category.

7. Select OK.

It is usually recommended that you choose a category that you know will be addressed in existing Web Filter profiles so that you will not need to engage in further configuration.

Using Alternate Profiles


Allow Blocked Overrides or Web Overrides

The Administrative Override feature for Web Filtering was added and is found by going to Security Profiles > Web Filter and then enabling Allow Blocked Override. The opening window displays a listing of all of the overrides of this type. The editing window refers to the configuration as an Administrative Override.

The Concept

When a Web Filter profile is overridden it does not necessarily remove all control and restrictions that were previously imposed by the Web Filter. The idea is to replace a restrictive filter with a different one. In practice, it makes sense that this will likely be a profile that is less restrictive than the original one, but there is nothing that forces this. The degree to which the alternate profile is less restrictive is open. It can be as much as letting the user access everything on the Internet or as little as allowing only one additional website. The usual practice, though, is to have as few alternate profiles as are needed to allow approved people to access what they need during periods when an exception to the normal rules is needed, while still having enough control that the organization’s web usage policies are not compromised.

You are not restricted to having only one alternative profile as an option to the existing profile. The new profile depends on the credentials or IP address making the connection. For example, John connecting through the “Standard” profile could get the “Allow_Streaming_Video” profile while George would get the “Allow_Social_Networking_Sites” profile.

The other thing to take into account is the time factor on these overrides. They are not indefinite. The longest that an override can be enabled is for 1 year less a minute. Often these overrides are set up for short periods of time for specific reasons such as a project. Having the time limitation means that the System Administrator does not have to remember to go back and turn the feature off after the project is finished.

Identity or Address

In either case what these override features do is, for specified users, user groups or IP addresses, allow sites blocked by Web Filtering profiles to be overridden for a specified length of time. The drawback of this method of override is that it takes more planning and preparation than the rating override method. The advantage is that once this has been set up, this method requires very little in the way of administrative overhead to maintain.

When planning to use the alternative profile approach keep in mind the following: in Boolean terms, one of the following sets of “AND” conditions has to be met before overriding the Web Filter is possible.

Based on the IP address:

  • The Web Filter profile must be specified as allowing overrides
  • AND the user’s computer is one of the IP addresses specified
  • AND the time is within the expiration time frame.

While the conditions are fewer for this situation, there is less control over who has the ability to bypass the filtering configured for the site. All someone has to do is get on a computer that is allowed to override the Web Filter and they have access.

Based on user group:

  • The Web Filter profile must be specified as allowing overrides
  • AND the policy the traffic is going through must be identity based
  • AND the user’s credentials match the identity credentials specified
  • AND the time is within the expiration time frame.

This method is the one most likely to be used, as it gives more control, in that the user has to have the correct credential, and is more versatile, because the user can use the feature from any computer that uses the correct policy to get out on the Internet.

Settings

When using an alternate profile approach to Web Filter overrides the following settings are used to determine authentication and outcome. Not every setting is used in both methods but enough of them are common to describe them collectively.


Apply to Group(s)

This is found in the Allow Blocked Overrides configuration. Individual users cannot be selected. You can select one or more of the User Groups that are recognized by the FortiGate unit, whether they are local to the system or from a third party authentication device such as an AD server through FSSO.

Original Profile

This is found in the Administrative Override configuration. In the Allow Blocked Overrides setting the configuration is right inside the profile so there was no need to specify which profile was the original one, but the Administrative Override setup is done separately from the profiles themselves.


Assign to Profile or New Profile

Despite the difference in the name of the field, this is the same thing in both variations of the feature. You select from the drop down menu the alternate Web Filter Profile that you wish to set up for this override.


Scope or Scope Range

When setting up the override in the “Allow Blocked Overrides” variation you are given a drop down menu next to the field name Scope while in the Administrative Override configuration you are asked to select a radio button next to the same options. In both cases this is just a way of selecting which form of credentials will be required to approve the overriding of the existing Web Filter profile.

When the Web Filter Block Override message page appears it will display a field named “Scope:” and depending on the selection, it will show the type of credentials used to determine whether or not the override is allowed. The available options are:


  • User

This means that the authentication for permission to override will be based on whether or not the user is using a specific user account.

  • User Group

This means that the authentication for permission to override will be based on whether or not the user account supplied as a credential is a member of the specified User Group.

  • IP

This means that the authentication for permission to override will be based on the IP address of the computer that was used to authenticate. This would be used with computers that have multiple users. Example: If Paul logs on to the computer, engages the override using his credentials and then logs off, if the scope was based on the IP address of the computer, anybody logging in with any account on that computer would now be using the alternate override Web Filter profile.

When entering an IP address in the Administrative Override version, only individual IP addresses are allowed.


Differences between IP and Identity based scope

  • Using the IP scope does not require the use of an Identity based policy.
  • When using the Administrative Override variation and IP scope, you may not see a warning message when you change from using the original Web Filter profile to using the alternate profile. There is no requirement for credentials from the user so, if allowed, the page will just come up in the browser.

Ask

This option is available only in the “Allow Blocked Overrides” variation and, when used, configures the message page to ask which scope the user wishes to use. Normally, when the page appears the scope options are greyed out and not editable, but with the Ask option the field is active and the user can choose from:

  • User
  • User Group
  • IP Address

Duration Mode

This option is available only in the “Allow Blocked Overrides” variation. The Administrative Override sets a specified time frame that is always used for that override. The available options from the drop down menu are:

  • Constant

Using this setting means that whatever is set as the Duration will be the length of time that the override is in effect. If the Duration variable is set to 15 minutes the length of the override will always be 15 minutes. The option will be visible in the Override message page but the setting will be greyed out.

  • Ask

Using this setting gives the person the option of setting the duration of the override when it is engaged. The duration time, which is greyed out if the Constant setting is used, will be active and editable. The user can set the duration in terms of Days, Hours and/or Minutes.

Duration

Duration is one of the areas where the two variations take a different approach, on two aspects of the setting. As already indicated, the “Administrative Override” only uses a static time frame; there is no option for the user to select on the fly how long it will last. The other way in which the two variations differ is that “Allow Blocked Overrides” starts the clock when the user logs in with his credentials. For example, if the duration is 1 hour and John initiates an override at 2:00 p.m. on January 1, at the end of that hour he will revert back to using the original profile, but he can go back, re-authenticate and start the process over again. The Administrative Override variation starts the clock from when the override was configured, which is why it shows an expiration date and time when you are configuring it.

This option, which is available when the Duration Mode is set to Constant, is the time in minutes that the override will last when engaged by the user.

When setting up a constant duration in the Web Based Interface, minutes is the only option for units of time. To set a longer time frame or to use the units of hours or days you can use the CLI.

config webfilter profile
    edit <name of webfilter profile>
        config override
            set ovrd-dur <###d##h##m>
        end

When configuring the duration you don’t have to set a value for a unit you are not using. If you are not using days or hours you can use:

set ovrd-dur 30m

instead of:

set ovrd-dur 0d0h30m

However, each of the units of time variable has their own maximum level:

###d cannot be more than 364

##h cannot be more than 23

##m cannot be more than 59

So the maximum length that the override duration can be set to is 364 days, 23 hours, and 59 minutes (a minute shy of 1 year).
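As an added example (not from the handbook), a parser for the ovrd-dur format that enforces these per-unit maxima and computes when an override expires from either of the two starting points described under Duration:

```python
import re
from datetime import datetime, timedelta

# Per-unit maxima stated in the text: ###d <= 364, ##h <= 23, ##m <= 59.
OVRD_DUR_LIMITS = {"d": 364, "h": 23, "m": 59}
_OVRD_DUR = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")


def parse_ovrd_dur(value):
    """Parse an ovrd-dur value such as '30m' or '0d0h30m' into a timedelta.
    Unused units may be omitted; each unit given is checked against its maximum."""
    text = value.strip()
    match = _OVRD_DUR.match(text)
    if not text or match is None:
        raise ValueError(f"malformed ovrd-dur value: {value!r}")
    days, hours, minutes = (int(g) if g is not None else 0 for g in match.groups())
    for unit, amount in (("d", days), ("h", hours), ("m", minutes)):
        if amount > OVRD_DUR_LIMITS[unit]:
            raise ValueError(f"{amount}{unit} exceeds the {OVRD_DUR_LIMITS[unit]}{unit} maximum")
    return timedelta(days=days, hours=hours, minutes=minutes)


def override_expiry(duration, started_at_iso):
    """Return the expiry time ('YYYY-MM-DD HH:MM:SS') of an override.
    For Allow Blocked Overrides the clock starts when the user authenticates;
    for an Administrative Override it starts when the override is configured,
    so pass whichever timestamp applies."""
    started_at = datetime.fromisoformat(started_at_iso)
    return (started_at + parse_ovrd_dur(duration)).isoformat(sep=" ")


# The longest override the text allows: a minute shy of one year.
MAX_OVRD_DUR = parse_ovrd_dur("364d23h59m")
```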


Using cookies to authenticate users in a Web Filter override

Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.


CLI Syntax:

config webfilter cookie-ovrd
    set redir-host <name or IP>
    set redir-port <port>
end

config webfilter profile
    edit <name>
        config override
            set ovrd-cookie [allow | deny]
            set ovrd-scope [user | user-group | ip | ask]
            set profile-type [list | radius]
            set ovrd-dur-mode [constant | ask]
            set ovrd-dur <duration>
            set ovrd-user-group <name>
            set profile <name>
        end
    end
end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGuard Web Filtering Service

FortiGuard Web Filter is a managed web filtering solution available by subscription from Fortinet. FortiGuard Web Filter enhances the web filtering features supplied with your FortiGate unit by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface.

FortiGuard Web Filter includes over 45 million individual ratings of web sites that apply to more than two billion pages. Pages are sorted and rated into several dozen categories administrators can allow or block. Categories may be added or updated as the Internet evolves. To make configuration simpler, you can also choose to allow or block entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard Web Filter ratings are performed by a combination of proprietary methods including text analysis, exploitation of the web structure, and human raters. Users can notify the FortiGuard Web Filter Service Points if they feel a web page is not categorized correctly, so that the service can update the categories in a timely fashion.

Before you begin to use the FortiGuard Web Filter options you should verify that you have a valid subscription to the service for your FortiGate firewall.

 

FortiGuard Web Filter and your FortiGate unit

When FortiGuard Web Filter is enabled in a web filter profile, the setting is applied to all firewall policies that use this profile. When a request for a web page appears in traffic controlled by one of these firewall policies, the URL is sent to the nearest FortiGuard server. The URL category is returned. If the category is blocked, the FortiGate unit provides a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

 

FortiGuard Web Filter Actions

The Possible Actions are:

  • Allow permits access to the sites within the category.
  • Block prevents access to sites within the category. Users attempting to access a blocked site will receive a replacement message explaining that access to the site is blocked.
  • Monitor permits and logs access to sites in the category. You may also enable user quotas when enabling the monitor action.
  • Warning presents the user with a message, allowing them to continue if they choose.
  • Authenticate requires that a user authenticate with the FortiGate unit before being allowed access to the category or category group.
  • Disable prevents that category, and all sub-categories, from inspection. This permits access to the sites within the category.

 

The choices of actions available will depend on the mode of inspection.

  • Proxy – Allow, Block, Monitor, Warning, Authenticate and Disable.
  • Flow-based – Allow, Block & Monitor.
  • DNS – Allow, Block & Monitor.

 

 

FortiGuard Web Filtering categories

The following tables identify each web filtering category (organized by group) along with associated category IDs. For a complete description of each web filtering category, visit http://www.fortiguard.com/webfilter.

 

Potentially Liable

  ID  Category                            ID  Category
   1  Drug Abuse                          12  Extremist Groups
   3  Hacking                             59  Proxy Avoidance
   4  Illegal or Unethical                62  Plagiarism
   5  Discrimination                      83  Child Abuse
   6  Explicit Violence

Adult/Mature Content

  ID  Category                            ID  Category
   2  Alternative Beliefs                 16  Weapons (Sales)
   7  Abortion                            57  Marijuana
   8  Other Adult Materials               63  Sex Education
   9  Advocacy Organizations              64  Alcohol
  11  Gambling                            65  Tobacco
  13  Nudity and Risque                   66  Lingerie and Swimsuit
  14  Pornography                         67  Sports Hunting and War Games
  15  Dating

Bandwidth Consuming

  ID  Category                            ID  Category
  19  Freeware and Software Downloads     72  Peer-to-peer File Sharing
  24  File Sharing and Storage            75  Internet Radio and TV
  25  Streaming Media and Download        76  Internet Telephony

Security Risk

  ID  Category                            ID  Category
  26  Malicious Websites                  86  Spam URLs
  61  Phishing                            88  Dynamic DNS

General Interest – Personal

  ID  Category                            ID  Category
  17  Advertising                         47  Travel
  18  Brokerage and Trading               48  Personal Vehicles
  20  Games                               54  Dynamic Content
  23  Web-based Email                     55  Meaningless Content
  28  Entertainment                       58  Folklore
  29  Arts and Culture                    68  Web Chat
  30  Education                           69  Instant Messaging
  33  Health and Wellness                 70  Newsgroups and Message Boards
  34  Job Search                          71  Digital Postcards
  35  Medicine                            77  Child Education
  36  News and Media                      78  Real Estate
  37  Social Networking                   79  Restaurant and Dining
  38  Political Organizations             80  Personal Websites and Blogs
  39  Reference                           82  Content Servers
  40  Global Religion                     85  Domain Parking
  42  Shopping                            87  Personal Privacy
  44  Society and Lifestyles              89  Auction
  46  Sports

General Interest – Business

  ID  Category                            ID  Category
  31  Finance and Banking                 52  Information Technology
  41  Search Engines and Portals          53  Armed Forces
  43  General Organizations               56  Web Hosting
  49  Business                            81  Secure Websites
  50  Information and Computer Security   84  Web-based Applications
  51  Government and Legal Organizations


FortiGuard Web Filter usage quotas

In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily timed access quota by category, category group, or classification. Quotas allow access for a specified length of time, calculated separately for each user. Quotas are reset every day at midnight.

Users must authenticate with the FortiGate unit. The quota is applied to each user individually so the FortiGate must be able to identify each user. One way to do this is to configure a security policy using the identity based policy feature. Apply the web filter profile in which you have configured FortiGuard Web Filter and FortiGuard Web Filter quotas to such a security policy.

The use of FortiGuard Web Filter quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required.

Editing the web filter profile resets the quota timers for all users.

When a user first attempts to access a URL, they’re prompted to authenticate with the FortiGate unit. When they provide their user name and password, the FortiGate unit recognizes them, determines their quota allowances, and monitors their web use. The category and classification of each page they visit is checked, and the FortiGate unit adjusts the user’s remaining available quota for that category or classification.

 

Quota hierarchy

You can apply quotas to categories and category groups. Only one quota per user can be active at any one time. The one used depends on how you configure the FortiGuard Web Filter.

When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the category of the URL. From highest to lowest, the relative priority of the quotas is:

1. Category

2. Category group
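To make the hierarchy and the daily reset concrete, here is an added example written for this page; it is not FortiOS code and does not reproduce the FortiGate’s internal bookkeeping. It models the rules stated above: a visit is charged to the category quota when one exists, otherwise to the category-group quota; counters are kept per user and start over at midnight; editing the profile resets everyone. The category-to-group mapping, quota values, user names and timestamps are constructed for the walk-through, and group names use a plain hyphen instead of the dash in the table headings above.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed category -> category-group mapping (names taken from the tables above;
# only the categories used in the walk-through are listed).
CATEGORY_GROUP = {
    "Games": "General Interest - Personal",
    "Social Networking": "General Interest - Personal",
    "Streaming Media and Download": "Bandwidth Consuming",
}


@dataclass
class QuotaTracker:
    """Daily per-user time quotas, resolved category first, then category group.

    Illustrates the rules in the text; the minute-based accounting is this
    example's own simplification, not how FortiOS stores quota state.
    """
    category_quotas: dict  # category name -> minutes allowed per day
    group_quotas: dict     # category-group name -> minutes allowed per day
    used: dict = field(default_factory=dict)         # (user, quota key) -> minutes consumed
    counter_day: dict = field(default_factory=dict)  # user -> date the counters belong to

    def applicable_quota(self, category):
        """Return (quota key, daily limit), category outranking group; None if unquotaed."""
        if category in self.category_quotas:
            return category, self.category_quotas[category]
        group = CATEGORY_GROUP.get(category)
        if group in self.group_quotas:
            return group, self.group_quotas[group]
        return None

    def _roll_over_midnight(self, user, when):
        # Quotas are reset every day at midnight: a visit on a new date starts fresh.
        if self.counter_day.get(user) != when.date():
            self.counter_day[user] = when.date()
            for key in [k for k in self.used if k[0] == user]:
                del self.used[key]

    def profile_edited(self):
        """Editing the web filter profile resets the quota timers for all users."""
        self.used.clear()
        self.counter_day.clear()

    def visit(self, user, category, when_iso, minutes):
        """Charge `minutes` in `category` to `user` at ISO time `when_iso`.

        Returns (allowed, quota key, minutes remaining); key and remaining are
        None when no quota covers the category.
        """
        when = datetime.fromisoformat(when_iso)
        self._roll_over_midnight(user, when)
        quota = self.applicable_quota(category)
        if quota is None:
            return True, None, None
        key, limit = quota
        consumed = self.used.get((user, key), 0)
        if consumed >= limit:
            return False, key, 0
        consumed = min(limit, consumed + minutes)
        self.used[(user, key)] = consumed
        return True, key, limit - consumed


def run_scenario():
    """One constructed user and day: 30 min on Games, 60 min on the whole
    General Interest - Personal group, no quota on Bandwidth Consuming."""
    tracker = QuotaTracker(category_quotas={"Games": 30},
                           group_quotas={"General Interest - Personal": 60})
    steps = [
        ("alice", "Games", "2024-01-01T09:00", 20),                         # category quota wins
        ("alice", "Social Networking", "2024-01-01T10:00", 50),             # falls to the group quota
        ("alice", "Games", "2024-01-01T11:00", 20),                         # uses the last 10 minutes
        ("alice", "Games", "2024-01-01T12:00", 5),                          # exhausted, denied
        ("alice", "Streaming Media and Download", "2024-01-01T13:00", 90),  # no quota configured
        ("alice", "Games", "2024-01-02T00:05", 5),                          # past midnight, reset
    ]
    return [tracker.visit(*step) for step in steps]


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```

Note that the Games visits never touch the group counter: the category quota is the one that applies, exactly as the priority list above says, so a user can still spend the full group allowance on other personal-interest categories after Games is exhausted.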


Web filter

This section describes FortiGate web filtering for HTTP traffic. The three main parts of the web filtering function, the Web Content Filter, the URL Filter, and the FortiGuard Web Filtering Service interact with each other to provide maximum control over what the Internet user can view as well as protection to your network from many Internet content threats. Web Content Filter blocks web pages containing words or patterns that you specify. URL filtering uses URLs and URL patterns to block or exempt web pages from specific sources. FortiGuard Web Filtering provides many additional categories you can use to filter web traffic.

 

The following topics are included in this section:

  • Web filter concepts
  • Inspection Modes
  • FortiGuard Web Filtering Service
  • Overriding FortiGuard website categorization
  • SafeSearch
  • YouTube Education Filter
  • Static URL Filter
  • Web content filter
  • Advanced web filter configurations
  • Configuring Web Filter Profiles
  • Web filtering example

 

Web filter concepts

Web filtering is a means of controlling the content that an Internet user is able to view. With the popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security. Important reasons for controlling web content include:

  • lost productivity because employees are accessing the web for non-business reasons
  • network congestion — when valuable bandwidth is used for non-business purposes, legitimate business applications suffer
  • loss or exposure of confidential information through chat sites, non-approved email systems, instant messaging, and peer-to-peer file sharing
  • increased exposure to web-based threats as employees surf non-business-related web sites
  • legal liability when employees access/download inappropriate and offensive material
  • copyright infringement caused by employees downloading and/or distributing copyrighted material.

 

As the number and severity of threats increase on the World Wide Web, the risk potential increases within a company’s network as well. Casual non-business related web surfing has caused many businesses countless hours of legal litigation as hostile environments have been created by employees who download and view offensive content. Web-based attacks and threats are also becoming increasingly sophisticated. Threats and web-based applications that cause additional problems for corporations include:

  • spyware/grayware
  • phishing
  • pharming
  • instant messaging
  • peer-to-peer file sharing
  • streaming media
  • blended network attacks.

 

Spyware, also known as grayware, is a type of computer program that attaches itself to a user’s operating system. It does this without the user’s consent or knowledge. It usually ends up on a computer because of something the user does such as clicking on a button in a pop-up window. Spyware can track the user’s Internet usage, cause unwanted pop-up windows, and even direct the user to a host web site. For further information, visit the FortiGuard Center.

Some of the most common ways of grayware infection include:

  • downloading shareware, freeware, or other forms of file-sharing services
  • clicking on pop-up advertising
  • visiting legitimate web sites infected with grayware.

Phishing is the term used to describe attacks that use web technology to trick users into revealing personal or financial information. Phishing attacks use web sites and email that claim to be from legitimate financial institutions to trick the viewer into believing that they are legitimate. Although phishing is initiated by spam email, getting the user to access the attacker’s web site is always the next step.

Pharming is a next generation threat that is designed to identify and extract financial, and other key pieces of information for identity theft. Pharming is much more dangerous than phishing because it is designed to be completely hidden from the end user. Unlike phishing attacks that send out spam email requiring the user to click to a fraudulent URL, pharming attacks require no action from the user outside of their regular web surfing activities. Pharming attacks succeed by redirecting users from legitimate web sites to similar fraudulent web sites that have been created to look and feel like the authentic web site.

Instant messaging presents a number of problems. Instant messaging can be used to infect computers with spyware and viruses. Phishing attacks can be made using instant messaging. There is also a danger that employees may use instant messaging to release sensitive information to an outsider.

Peer-to-peer (P2P) networks are used for file sharing. Such files may contain viruses. Peer-to-peer applications not only take up valuable network resources and may lower employee productivity, but also have legal implications with the downloading of copyrighted or sensitive company material.

Streaming media is a method of delivering multimedia, usually in the form of audio or video to Internet users. Viewing streaming media impacts legitimate business by using valuable bandwidth.

Blended network threats are rising and the sophistication of network threats is increasing with each new attack. Attackers learn from each previous successful attack and enhance and update attack code to become more dangerous and fast spreading. Blended attacks use a combination of methods to spread and cause damage. Using virus or network worm techniques combined with known system vulnerabilities, blended threats can quickly spread through email, web sites, and Trojan applications. Examples of blended threats include Nimda, Code Red, Slammer, and Blaster. Blended attacks can be designed to perform different types of attacks, which include disrupting network services, destroying or stealing information, and installing stealthy backdoor applications to grant remote access.

 

Different ways of controlling access

The methods available for monitoring and controlling Internet access range from manual and educational methods to fully automated systems designed to scan, inspect, rate and control web activity.

Common web access control mechanisms include:

  • establishing and implementing a well-written usage policy in the organization on proper Internet, email, and computer conduct
  • installing monitoring tools that record and report on Internet usage
  • implementing policy-based tools that capture, rate, and block URLs.

The final method is the focus of this topic. The following information shows how the filters interact and how to use them to your advantage.

 

Order of web filtering

The FortiGate unit applies web filters in a specific order:

1. URL filter

2. FortiGuard Web Filter

3. web content filter

4. web script filter

5. antivirus scanning.

If you have blocked a FortiGuard Web Filter category but want certain users to have access to URLs within that pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to specify which users have access to which blocked URLs and how long they have that access. For example, if you want a user to be able to access www.example.com for one hour, you can use the override to set up the exemption. Any user listed in an override must fill out an online authentication form that is presented when they try to access a blocked URL before the FortiGate unit will grant access to it.

If you have blocked a FortiGuard Web Filter category but want users within a specific Web Filter profile to have access to URLs within that pattern, you can use the following CLI command to override it (this override has no timeout associated with it):

 

CLI Syntax:

    config webfilter profile
        edit <profile>
            config web
                set whitelist exempt-av exempt-dlp exempt-rangeblock extended-log-others
            end
        end
    end

 

This command will set a Web Filter profile that exempts AV, DLP, RangeBlock, and supports extended log by FortiGuard whitelist.

 

Inspection Modes

 

 

Proxy

Proxy-based inspection involves buffering the traffic and examining it as a whole before determining an action. Having the whole of the data available allows this process to include more points of data in its analysis than the flow-based or DNS methods.

The advantage of a proxy-based method is that the inspection can be more thorough than the other methods, resulting in fewer false positive or negative results in the analysis of the data.

 

Flow-based

The Flow-based inspection method examines the file as it passes through the FortiGate unit without any buffering. As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or web page.

The advantage of the flow-based method is that the user sees a faster response time for HTTP requests and there is less chance of a time-out error due to the server at the other end responding slowly.

The disadvantages of this method are that there is a higher probability of a false positive or negative in the analysis of the data, and that a number of points of analysis available in the proxy-based method are not available in the flow-based inspection method. There are also fewer actions available to choose from based on the categorization of the website by FortiGuard services.

 

DNS

The DNS inspection method uses the same categories as the FortiGuard Service. It is lightweight in terms of resource usage because it doesn’t involve any proxy-based or flow-based inspection.

A DNS request is typically the first part of any new session to a new website. This inspection method takes advantage of that and places the results of the categorization of websites right on the FortiGuard DNS servers. When the FortiGate resolves a URL, in addition to the IP address of the website it also receives a domain rating.

In the same way that the flow-based inspection method has fewer filters and points of analysis than the proxy-based inspection method, DNS has fewer settings still. All of its inspection is based on the IP address, the domain name and the rating provided by the FortiGuard DNS server.

If the DNS mode is chosen, the additional setting of a DNS action must be chosen. The options are:

  • Block – The traffic will be blocked and the session dropped.
  • Redirect – The session will be redirected to a message page indicating to the user what is happening.

Testing your antivirus configuration

You have configured your FortiGate unit to stop viruses, but you’d like to confirm your settings are correct. Even if you have a real virus, it would be dangerous to use for this purpose. An incorrect configuration will allow the virus to infect your network.

To solve this problem, the European Institute of Computer Anti-virus Research has developed a test file that allows you to test your antivirus configuration. The EICAR test file is not a virus. It cannot infect computers, nor can it spread or cause any damage. It’s a very small file that contains a sequence of characters. Your FortiGate unit recognizes the EICAR test file as a virus, so you can safely test your FortiGate unit antivirus configuration.

Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file (eicar.com) or the test file in a ZIP archive (eicar.zip).

If the antivirus profile applied to the security policy that allows you access to the Web is configured to scan HTTP traffic for viruses, any attempt to download the test file will be blocked. This indicates that you are protected.
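The check in the previous paragraph can be scripted so that the outcome is recorded rather than eyeballed in a browser. Below is an added example written for this page, not Fortinet’s or EICAR’s code. It carries the published 68-byte EICAR test string and its published SHA-256 and classifies whatever an HTTP fetch of eicar.com returned: the genuine test file means HTTP antivirus scanning did not act on that policy, an HTML page in its place means the download was blocked and replaced, and anything else is left as inconclusive. The responses in `SAMPLE_RESPONSES` are constructed for the demonstration (the replacement-page text is not the FortiGate’s actual wording), and the fetch itself is left out so the block runs offline; the standard library’s `urllib.request` is enough to supply the real response body.

```python
import hashlib

# The 68-byte EICAR standard anti-virus test string, as published by EICAR.
# It is inert: scanners flag it by agreement so that AV paths can be tested safely.
EICAR_TEST_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
# Published SHA-256 of the 68-byte string above.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# The EICAR specification tolerates trailing whitespace (space, tab, LF, CR, Ctrl-Z)
# as long as the whole file stays within 128 bytes.
_EICAR_TRAILING = b" \t\r\n\x1a"


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def is_eicar(body: bytes) -> bool:
    """True if `body` is the EICAR test file, allowing the permitted trailing bytes."""
    return len(body) <= 128 and body.rstrip(_EICAR_TRAILING) == EICAR_TEST_STRING


def classify_download(body: bytes) -> str:
    """Interpret the body returned when fetching eicar.com through the FortiGate.

    not-protected : the test file arrived intact, so HTTP AV scanning did not act
    blocked       : an HTML page came back in place of the file (replacement message)
    inconclusive  : anything else (server error text, unrelated or truncated content)
    """
    if is_eicar(body):
        return "not-protected"
    if body.lstrip()[:64].lower().startswith((b"<!doctype", b"<html")):
        return "blocked"
    return "inconclusive"


# Constructed responses for the walk-through; not captured from a real FortiGate.
SAMPLE_RESPONSES = {
    "intact": (200, EICAR_TEST_STRING + b"\r\n"),
    "replaced": (200, b"<html><body>Constructed replacement page: download blocked</body></html>"),
    "missing": (404, b"Not Found"),
}


def verify_all() -> dict:
    """Return {label: verdict} for every sample; a real run would fetch eicar.com instead."""
    return {label: classify_download(body) for label, (_status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # Guard against a corrupted copy of the test string before trusting any verdict.
    assert sha256_hex(EICAR_TEST_STRING) == EICAR_SHA256, "embedded test string is corrupt"
    for label, (status, _body) in SAMPLE_RESPONSES.items():
        print(f"{label:>9} (HTTP {status}): {verify_all()[label]}")
```

Only the "not-protected" verdict is a failure of the configuration under test; a "blocked" verdict is the result the paragraph above describes, and "inconclusive" means the fetch should be repeated or inspected by hand before drawing a conclusion.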

 

Example Scenarios

The following examples provide sample antivirus configuration scenarios.

 

Configuring simple default antivirus profile

The Antivirus function is so straightforward and widely used that many users just create one default profile and use it on all of the applicable firewall policies. If performance is not a real concern and the unit’s resources are not being stretched, it is perfectly reasonable to create one profile that covers the range of uses found in your environment. This example is one possible default configuration.

 

Context:

  • This is an edited default profile and will be used on all security policies
  • It will need to scan for malware on all available protocols.
  • Malware, botnets, and grayware should be blocked
  • The inspection method should be flow-based
  • A current FortiCloud account is available

 

Creating the profile – GUI

1. In the following fields, enter the indicated values or selections:

   Name                                         default
   Comments                                     Scans all traffic from Internet for malware
   Inspection Mode                              Flow-based
   Detect Virus                                 Block
   Send Files to FortiSandbox for Inspection    checked
     • Suspicious Files Only                    checked
   Detect Connections to Botnet C&C Servers     checked
     • Block                                    checked

2. Check the appropriate protocols:

 

   Protocol    Virus Scan and Block
   HTTP        checked
   SMTP        checked
   POP3        checked
   IMAP        checked
   MAPI        checked
   FTP         checked
   NNTP        checked

 

3. Select Apply.

4. Enable grayware scanning (CLI only):

    config antivirus settings
        set grayware enable
    end

 

Creating the profile – CLI

1. Enter the CLI by one of the following methods:

  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode

2. Enter the following commands:

    config antivirus profile
        edit default
            set comment "scan and delete virus"
            set inspection-mode flow-based
            set scan-botnet-connections block
            set ftgd-analytics suspicious
            config http
                set options scan
            end
            config ftp
                set options scan
            end
            config imap
                set options scan
            end
            config pop3
                set options scan
            end
            config smtp
                set options scan
            end
            config nntp
                set options scan
            end
            config smb
                set options scan
            end
        end
    end

3. Enable grayware scanning

    config antivirus settings
        set grayware enable
    end

 

Setting up a basic proxy-based Antivirus profile for email traffic

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office.

 

Context:

  • The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.
  • There is a specific firewall security policy that handles the email traffic from the Internet to the mail server. The only traffic on this policy will be POP3, IMAP and SMTP.
  • The company policy is to block viruses and connections to botnets.
  • The FortiGate unit is a small model and the Internet bandwidth is limited so the policy is to not submit files to the FortiSandbox.

 

Creating the profile – GUI

1. In the following fields, enter the indicated values or selections:

   Name                                         email-av
   Comments                                     Scans email traffic from Internet for malware
   Inspection Mode                              Proxy
   Detect Virus                                 Block
   Send Files to FortiSandbox for Inspection    checked
     • Suspicious Files Only                    checked
   Detect Connections to Botnet C&C Servers     checked
     • Block                                    checked

2. Check the appropriate protocols:

 

   Protocol    Virus Scan and Block
   HTTP        checked
   SMTP        checked
   POP3        checked
   IMAP        checked
   MAPI        checked
   FTP         checked
   NNTP        checked

3. Select Apply.

 

Creating the profile – CLI

1. Enter the CLI by one of the following methods:

  • SSH through a terminal emulator
  • CLI Console widget
  • FortiExplorer’s CLI mode

2. Enter the following commands:

    config antivirus profile
        edit "email-av"
            set comment "Scans email traffic from Internet for malware"
            set inspection-mode proxy
            config imap
                set options scan
            end
            config pop3
                set options scan
            end
            config smtp
                set options scan
            end
        end
    end

 

Adding the profile to a policy

In this scenario the following assumptions will be made:

  • The policy that the profile is going to be added to is an IPv4 policy.
  • The ID number of the policy is 11.
  • The Antivirus profile being added will be the “default” profile
  • The SSL/SSH Inspection profile used will be the “default” profile

 

FortiClient enforcement has been moved from the Policy page to Network > Interfaces, to enforce FortiClient registration on a desired LAN interface rather than on a policy.

 

Adding the profile – GUI

1. Go to Policy & Objects > IPv4 Policy.

2. Use your preferred method of finding a policy.

  • If the ID column is available you can use that.
  • You can also choose based on your knowledge of the parameters of the policy
  • Select the policy with ID value of 11

3. In the Edit Policy window, go to the Security Profiles section.

4. Turn ON AntiVirus and, in the drop-down menu for the field, select default.

5. If the AntiVirus profile is proxy-based, the Proxy Options field and drop-down menu will be revealed.

6. The SSL/SSH Inspection field will automatically be set to ON, and one of the profiles will need to be selected from the drop-down menu. In this case default is selected.

7. The log options will depend on your requirements and resources, but to verify that everything is working properly it is a good idea to turn ON logging of All Sessions after setting up a new profile, and to give the logs some time to accumulate.

8. Turn on Antivirus.

9. Select an antivirus profile.

10. Select OK to save the security policy.

 

Adding the profile – CLI

To select the antivirus profile in a security policy — CLI

    config firewall policy
        edit 11
            set utm-status enable
            set profile-protocol-options default
            set av-profile basic_antivirus
        end

 

Block files larger than 8 MB

Set proxy options profile to block files larger than 8 MB

1. Go to Security Profiles > Proxy Options.

2. Edit the default or select Create New to add a new one.

3. Scroll down to the Common Options section and place a check in the box next to Block Oversized File/Email.

4. The sub line Threshold (MB) will appear with a value field. Enter 8.

5. Select OK or Apply.

The proxy options profile is configured, but to block files, you must select it in the firewall policies handling the traffic that contains the files you want blocked.

 

To select the Proxy Options profile in a security policy

1. Go to Policy & Objects > IPv4 Policy (or IPv6 Policy, depending).

2. Edit or create a security policy.

3. Select a proxy-based security profile. You will know that there is a proxy component to the Security Profile because when a Security Profile is Proxy based the Proxy Options field will be visible (for example, select an Antivirus profile that includes proxy scanning).

4. Beside Proxy Options, select the name of the proxy options profile you configured above.

5. Select OK to save the security policy.

6. Once you complete these steps, any files larger than 8 MB in traffic subject to Security Profile scanning handled by this policy will be blocked. If you have multiple firewall policies, examine each to determine whether you want to apply similar file blocking to them as well.

