Web Filtering. Module Objectives By the end of this module participants will be able to: Identify...

Web Filtering


Module Objectives

By the end of this module participants will be able to:

• Identify the web filtering mechanisms used on the FortiGate device
• Create web content and URL filters
• Configure FortiGuard Web Filtering
• Configure FortiGuard Web Filtering overrides
• Define firewall policies using web filter profiles


Web Filtering

• Means of controlling the web content that a user is able to view
  • Preserve employee productivity
  • Prevent network congestion where valuable bandwidth is used for non-business purposes
  • Prevent loss or exposure of confidential information
  • Decrease exposure to web-based threats
  • Limit legal liability when employees access or download inappropriate or offensive material
  • Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
  • Prevent children from viewing inappropriate material


Web Content Filtering

[Figure: www.acme.com; Drugs: Score = 10; Pharmacy: Score = 5; Prescription: Score = 5; Threshold = 18; 10 + 5 + 5 = 20; Block or Exempt]

• Control web access by allowing or blocking web pages containing specific words or patterns
  • Wildcards or regular expressions can be used to define patterns
• The scores assigned to matched patterns are added
  • If higher than the threshold, the FortiGate unit performs the configured action
• Score for matched patterns is counted once even if it appears multiple times on the web page

Create Pattern list in the CLI
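The scoring rule from this slide, as an added Python example (not FortiGate code and not part of the original deck). The pattern entries, their wildcard/regexp spellings and the sample page bodies are constructed; the scores and threshold are the slide's.

```python
import re

# Constructed pattern list modelled on the slide's example. The wildcard and
# regexp spellings are assumptions; the scores and threshold are the slide's.
PATTERNS = [
    ("wildcard", "drug*", 10),
    ("wildcard", "pharmac*", 5),
    ("regexp", r"prescriptions?", 5),
]
THRESHOLD = 18


def compile_pattern(kind, text):
    """Turn a wildcard or regexp entry into a case-insensitive regex."""
    if kind == "wildcard":
        # Assumed wildcard semantics: '*' is any run of non-space
        # characters, '?' is exactly one non-space character.
        text = re.escape(text).replace(r"\*", r"\S*").replace(r"\?", r"\S")
    return re.compile(text, re.IGNORECASE)


def score_page(body, patterns=PATTERNS, threshold=THRESHOLD):
    """Return (total, matched_patterns, action_triggered) for a page body."""
    total, matched = 0, []
    for kind, text, score in patterns:
        if compile_pattern(kind, text).search(body):
            # A pattern's score is counted once, however often it occurs.
            total += score
            matched.append(text)
    # Per the slide, the action fires only when the sum is higher than
    # the threshold, so a sum equal to the threshold does not trigger it.
    return total, matched, total > threshold


# Constructed page bodies.
PAGE_ALL = "Cheap drugs! Drugs, drugs, drugs from our online pharmacy, no prescription."
PAGE_REPEAT = "Drugs drugs drugs: the pharmacy museum exhibition on the history of drugs."

if __name__ == "__main__":
    for name, body in (("all three", PAGE_ALL), ("repeats only", PAGE_REPEAT)):
        print(name, score_page(body))
```

The second page repeats one pattern four times but still scores 15, below the threshold of 18, which is the "counted once" behaviour the slide describes.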


Flow-based Web Filtering

• Non-proxy solution that uses IPS engine to perform inspection
• FortiGuard web filtering override will not apply when flow-based inspection is enabled
• Example:
  • Block IT category and allow override for www.fortinet.com
  • If user attempts to access www.fortinet.com (IT category), user will receive Page Not Found error


Flow-based Web Filtering

• Select inspection mode in web filter profile

• In the CLI:

    config webfilter profile
        edit "default"
            set flow-based enable
        next
    end


Web URL Filtering

[Figure: URL www.mypage.com; URL Filter list: www.example.com, www.abc.com, www.mypage.com; actions: Block, Allow, Monitor, Exempt]

• Control web access by allowing or blocking specific URLs
  • Text, wildcards or regular expressions can be used to define the URL patterns
• Possible actions include:
  • Block
  • Allow
  • Monitor
  • Exempt


SafeSearch

[Figure: "Search: chicken" rewritten to "Search: chicken&safe=on"; Safe Search: Google, Bing, Yahoo!]

• SafeSearch is used by search sites to prevent explicit web sites and images from appearing in search results
• FortiGate unit rewrites the search URL to include the required codes to enable SafeSearch
• Supported on Google, Bing and Yahoo!


FortiGuard Web Filter

[Figure: URL www.mypage.com; Categories; actions: Block, Allow, Monitor, Authenticate, Warning]

• The FortiGate unit accesses the FortiGuard distribution server to determine the category of a requested page
  • Action is taken based on selection in web filtering profile
• Web filter rating determined by:
  • Human rater
  • Text analysis
  • Exploitation of web structure


FortiGuard Web Filtering Caching

Cache:

URL              Category
www.acme.com     Phishing
www.today.ca     News/Media
www.poker.net    Gambling

[Figure: www.xyz.com]

• Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
  • Cache checked before sending request to FortiGuard server
• TTL setting controls the number of seconds query results are cached
• Small amount of FortiGate unit system memory dedicated to the cache
• Alternate port number of 8888 can be configured for access to FortiGuard servers


FortiGuard Web Filtering Usage Quotas

[Figure: Category: Games; "Games" Quota]

• Quotas allow access to specific categories for a specific length of time
  • Calculated separately for each user and for each category
• User must authenticate


Local Ratings

[Figure: Local ratings; www.acme.com; Category: General Organizations; Sub-Category: Information and Computer Security]

• Can override the rating applied to a URL by FortiGuard Subscription Services
  • URL reassigned to a completely different category
• Override applies to FortiGate unit only
  • Changes not submitted to FortiGuard Subscription Services


Local Categories

Create New Local Category

    config webfilter ftgd-local-cat
        edit "Research"
            set id 145
        next
    end

• Local categories allow logging of web traffic to a category created by an administrator
  • Appears under Local Categories section in FortiGuard Categories listing


FortiGuard Web Filtering Overrides

[Figure: www.acme.com; Category: Spyware and Malware; Block; Authenticate; Log]

• Allows access to web sites blocked by FortiGuard Web Filtering
• Two methods:
  • Warning
    • Allows user to proceed to blocked web site
  • Authenticate
    • User must authenticate to override web site block


Web Filtering Override Page

Action = Warning

Web Filtering Block Override Page


Web Filtering Override Page

Action = Authenticate

Web Filtering Block Override Page

Web Filtering Overrides

[Figure: www.hackthissite.org; Marketing; Filter Override]

• Allows access to web sites blocked through URL or web content filtering
• Override page presented, user must authenticate


Order of Web Filtering

URL Filter

FortiGuard Web Filter

Web Content Filter

Advanced Filter Options


Web Filter Profiles

[Figure: Web filter profile; Firewall policy]

• Web filtering, FortiGuard web filtering and advanced filtering options enabled through web filtering profiles
• Profile in turn applied to firewall policy
  • Any traffic being examined by the policy will have the web filtering operations applied to it


Labs

• Lab - Web Filtering
  • Testing Web Category Filtering
  • Configuring Web Filtering Warnings
  • Configuring Web Filtering Quotas
