
1

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc. 01-50003-0201-20131018-D
FortiGate Multi-Threat Security Systems I
Module 9: Web Filtering
2
Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
Create web content and URL filters
Configure FortiGuard Web Filtering
Configure FortiGuard Web Filtering exemptions and rating overrides
Define firewall policies using web filter profiles
Explain the differences between various web filter modes

3
Web Filtering





Means of controlling the web content that a user is able to view
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive material
Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
Prevent children from viewing inappropriate material





4
Proxy-Based Web Filtering
Proxy-based solution that communicates between client and server
Inspects full URL
Allows for customizable block pages to display when sites are blocked
Most resource-intensive option
Lowest throughput
Has the most options available in the Advanced section
5
Proxy-Based Web Filtering
Select inspection mode in web filter profile
6
Flow-Based Web Filtering
Non-proxy solution that uses IPS engine to perform inspection
High throughput
Inspects full URL
FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
Only a few Advanced options available
Not as flexible as proxy-based
Allow, Monitor, Block ONLY
Warn and Authenticate not possible
Overrides not possible

7
Flow-Based Web Filtering
Select inspection mode in web filter profile
8
DNS-Based Web Filtering
DNS-proxy solution that uses DNS queries to decide access
DNS queries redirected to FortiGuard SDNS server
Very lightweight
SSL inspection never required
Cannot inspect URL, only hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages, can redirect to a portal
Web site access by IP means no DNS lookup
9
DNS-Based Web Filtering
Select inspection mode in web filter profile
10
When Does Filtering Activate?
[Diagram: timeline of a request to www.acme.com showing DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET and HTTP 200, with "!" markers on the flow]
11
HTTP Inspection Order
[Diagram: inspection stages Web URL Filter, FortiGuard Filter, Content Filter, Advanced Filter and Virus Scan. Each stage has Allow and Block outcomes, and Block leads to a Block Page. The Web URL Filter can also Exempt the URL (from ALL further inspection). The flow ends at Display Page.]
12
Types of Web Filtering
Proxy-Based
Highly secure
Traffic is cached
Flow-Based
High throughput
No caching
Not as secure
DNS-Based
Very lightweight
Hostname filtering only
No advanced options, URL and FortiGuard only




13
Web Content Filtering
Allow or block web pages containing specific words or patterns
Create Pattern list in the CLI
Wildcards or regular expressions used to define patterns
Scores for matched patterns are added
If greater than threshold, FortiGate unit performs configured action
If pattern appears multiple times on web page, score is only counted once
Example (www.acme.com): Drugs (Score=10), Pharmacy (Score=5), Prescription (Score=5), Threshold=18: 10 + 5 + 5 = 20, action: Block or Exempt
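
The scoring rule on this slide, as an added Python example (a simplified model written for this page, not FortiOS code or Fortinet's implementation). The pattern list mirrors the slide's scores and threshold; the wildcard semantics, the sample pages and the function names are assumptions.

```python
import re

# Constructed pattern list mirroring the slide's example: (pattern, type, score).
PATTERNS = [
    ("drugs", "wildcard", 10),
    ("pharmac*", "wildcard", 5),
    (r"prescriptions?", "regexp", 5),
]
THRESHOLD = 18  # threshold from the slide


def compile_pattern(pattern, kind):
    """Turn a wildcard or regexp entry into a case-insensitive regex."""
    if kind == "wildcard":
        # Assumed semantics: '*' = any run of non-space characters, '?' = exactly one.
        pattern = re.escape(pattern).replace(r"\*", r"\S*").replace(r"\?", r"\S")
    return re.compile(pattern, re.IGNORECASE)


def score_page(text, patterns=PATTERNS):
    """Add the score of each pattern found in text, counting each pattern once."""
    hits = [(p, s) for p, kind, s in patterns if compile_pattern(p, kind).search(text)]
    return sum(s for _, s in hits), [p for p, _ in hits]


def content_filter(text, threshold=THRESHOLD, action="block"):
    """Return (verdict, total, matched patterns); act only when total > threshold."""
    total, hits = score_page(text)
    return (action if total > threshold else "pass"), total, hits


# Constructed sample pages.
PAGE_A = "Online pharmacy: cheap drugs, no prescription needed. Drugs! Drugs! Drugs!"
PAGE_B = "Drugs drugs drugs: the history of the pharmacy trade"

if __name__ == "__main__":
    for page in (PAGE_A, PAGE_B):
        print(content_filter(page))
```

PAGE_B repeats one pattern several times but still scores 15, so it stays under the threshold; a page whose total equals the threshold is also passed, because the action fires only when the total is greater.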




14
Web URL Filtering
Control web access by allowing or blocking URLs
Text, wildcards or regular expressions can be used to define the URL patterns
If no URL match on list, go on to next enabled check
Possible web URL filter actions are:
Allow
Block
Monitor
Exempt
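
How the URL filter actions interact with the HTTP inspection order, as an added Python example (a simplified model, not FortiOS code). The filter list, category ratings, first-match-wins ordering and the matching rule for simple entries are assumptions; only the FortiGuard stage is modelled after the URL filter, and further checks can be passed in as `later_stages`.

```python
import re
from fnmatch import fnmatchcase

# Constructed URL filter list: (pattern, type, action). Assumption: first match wins.
URL_FILTER = [
    ("www.mypage.com/index.html", "simple", "exempt"),
    ("*.example.com/*", "wildcard", "block"),
    (r"^www\.abc\.com/.*\.exe$", "regex", "block"),
    ("www.abc.com", "simple", "monitor"),
]
# Constructed ratings and profile actions; unrated or unlisted means allow.
CATEGORY = {"www.mypage.com": "Games", "www.abc.com": "Information Technology"}
CATEGORY_ACTION = {"Games": "block"}


def url_filter(url):
    """Return the action of the first matching entry, or None when nothing matches."""
    for pattern, kind, action in URL_FILTER:
        if kind == "simple":  # assumed: exact URL or a prefix ending at '/'
            hit = url == pattern or url.startswith(pattern + "/")
        elif kind == "wildcard":
            hit = fnmatchcase(url, pattern)
        else:
            hit = re.search(pattern, url) is not None
        if hit:
            return action
    return None


def fortiguard_filter(url):
    """Look up the hostname's category and return the profile action for it."""
    return CATEGORY_ACTION.get(CATEGORY.get(url.split("/", 1)[0]), "allow")


def inspect(url, later_stages=(("fortiguard_filter", fortiguard_filter),)):
    """Run the checks in order and return (verdict, names of the checks that ran)."""
    ran, action = ["url_filter"], url_filter(url)
    if action == "exempt":  # exempt: no later check, virus scan included, sees the page
        return "display", ran
    if action == "block":
        return "block page", ran
    for name, stage in later_stages:  # allow, monitor or no match: continue
        ran.append(name)
        if stage(url) == "block":
            return "block page", ran
    return "display", ran
```

The exempt entry for www.mypage.com/index.html is displayed with only `url_filter` run, even though the host's category is set to block, while www.mypage.com/other.html falls through to the category check and is blocked. When reviewing a profile, treat each Exempt entry as switching off every later check for that URL.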





15
Web URL Filtering
[Diagram: the URL www.mypage.com/index.html (site www.mypage.com) is compared with the URL Filter list (www.example.com, www.abc.com, www.mypage.com/index.html); actions shown: Block, Allow, Monitor, Exempt]
16
Forcing Safe Search
Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
Supported for Google, Bing, Yahoo! and Yandex
Does NOT force strict safe search
YouTube EDU available
Instructions for YouTube will include value to enter on FortiGate unit




17
FortiGuard Category Filter
[Diagram: the URL www.mypage.com is matched against Categories; actions shown: Block, Allow, Monitor, Warning, Authenticate]
18
FortiGuard Category Filter
The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
Action is taken based on selection in web filtering profile
Web filter rating determined by:
Human rater
Text analysis
Exploitation of web structure

Description of Categories can be found on FortiGuard website
http://www.fortiguard.com/static/webfiltering.html


19
FortiGuard Category Filter
Split into multiple categories and sub-categories
Layout will switch periodically as the Internet changes
New categories and sub-categories are released and compatible with updated firmware
Older firmware has new values mapped to existing categories

20
FortiGuard Caching
Most web sites are visited over and over again
FortiGate unit can remember what the response was
Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
Cache checked before sending request to FortiGuard server
TTL setting controls the number of seconds query results are cached
Small amount of FortiGate unit system memory dedicated to the cache
Default is 2% used for cache, can be increased to 15% from CLI
Port 53 used for FortiGuard communications
Alternate port number of 8888 can be used

KB Article IDs: 11779, FD32121, FD30088

21
FortiGuard Usage Quotas
[Diagram: repeated requests to Category: Games drawing on a Games Quota]
Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
If authentication is enabled, quota is automatically based on the user, otherwise IP is used
Can only apply to categories with actions: Monitor, Warn or Authenticate
22
Rating Submissions
Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing:
http://www.fortiguard.com/ip_rep.php
23
Rating Override
[Diagram: www.acme.com rated Category: General Organizations, Sub-Category: Information and Computer Security, with a Rating override applied]
24
Rating Override
Can override the rating applied to a hostname by FortiGuard Subscription Services
Hostname reassigned to a completely different category and uses that action
Override applies to FortiGate unit only
Changes not submitted to FortiGuard Subscription Services
Hostnames only
google.com
www.google.com
www.google.com/index.html

25
Local Categories
Rename and deletion of sub-categories only in CLI
config webfilter ftgd-local-cat
    delete <cat_name>
    rename <cat_name> to <cat_name>
26
Warning Action
Action = Warning (right click in the GUI)
Web Filtering Warning Page

27
Authenticate Action
www.hackthissite.org
Marketing
28
Web Filter Profiles


Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles

Profile in turn applied to firewall policy
Any traffic being examined by the policy will have the web filtering operations applied to it
29
Labs
Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering
30
Classroom Lab Topology
