The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

01-50003-0201-20131018-D

FortiGate Multi-Threat Security Systems I
Module 9: Web Filtering

Module Objectives

By the end of this module participants will be able to:
- Identify the web filtering mechanisms used on the FortiGate device
- Create web content and URL filters
- Configure FortiGuard Web Filtering
- Configure FortiGuard Web Filtering exemptions and rating overrides
- Define firewall policies using web filter profiles
- Explain the differences between various web filter modes

Web Filtering

Means of controlling the web content that a user is able to view:
- Preserve employee productivity
- Prevent network congestion where valuable bandwidth is used for non-business purposes
- Prevent loss or exposure of confidential information
- Decrease exposure to web-based threats
- Limit legal liability when employees access or download inappropriate or offensive material
- Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
- Prevent children from viewing inappropriate material

Proxy-Based Web Filtering

- Proxy-based solution that communicates between client and server
- Inspects full URL
- Allows for customizable block pages to display when sites are prevented
- Most resource-intensive option
- Lowest throughput
- Has the most options available in Advanced section
- Select inspection mode in web filter profile

Flow-Based Web Filtering

- Non-proxy solution that uses IPS engine to perform inspection
- High throughput
- Inspects full URL
- FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
- Only a few Advanced options available
- Not as flexible as proxy-based
  - Allow, Monitor, Block ONLY
  - Warn and Authenticate not possible
  - Overrides not possible
- Select inspection mode in web filter profile

DNS-Based Web Filtering

- DNS-proxy solution that uses DNS queries to decide access
- DNS queries redirected to FortiGuard SDNS server
- Very lightweight
- SSL inspection never required
- Cannot inspect URL, only hostname (DNS)
- Supports URL Filtering and FortiGuard Category only
- No individual block pages, can redirect to a portal
- Web site access by IP means no DNS lookup
- Select inspection mode in web filter profile

When Does Filtering Activate?

[Diagram: connection to www.acme.com showing DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET and HTTP 200, with "!" markers following the DNS Response and the HTTP GET]

HTTP Inspection Order

[Flowchart: boxes for Virus Scan, Advanced Filter, Content Filter, FortiGuard Filter and Web URL Filter; each stage has Allow and Block outcomes, with Block leading to a Block Page and the final Allow leading to Display Page; a URL Exempt outcome is EXEMPT (from ALL further inspection)]

Types of Web Filtering

- Proxy-Based
  - Highly secure
  - Traffic is cached
- Flow-Based
  - High throughput
  - No caching
  - Not as secure
- DNS-Based
  - Very lightweight
  - Hostname filtering only
  - No advanced options, URL and FortiGuard only

Web Content Filtering

[Diagram: page from www.acme.com checked against a pattern list: Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18; 10 + 5 + 5 = 20; result: Block or Exempt]

- Create pattern list in the CLI
- Allow or block web pages containing specific words or patterns
- Wildcards or regular expressions used to define patterns
- Scores for matched patterns are added
- If greater than threshold, FortiGate unit performs configured action
- If pattern appears multiple times on web page, score is only counted once
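
The scoring rule above, written out as an added example (not Fortinet code). The pattern list, the sample pages and the per-word wildcard matching are constructed assumptions; only the scores, the threshold of 18 and the count-once rule come from the slide.

```python
import fnmatch
import re

# Constructed pattern list using the slide's scores: (pattern, type, score).
PATTERNS = [
    ("drugs", "wildcard", 10),
    ("pharmac*", "wildcard", 5),
    (r"\bprescriptions?\b", "regex", 5),
]
THRESHOLD = 18


def score_page(text, patterns=PATTERNS):
    """Sum the score of every pattern found in the page, once per pattern."""
    words = re.findall(r"\w+", text.lower())
    total, hits = 0, []
    for pattern, ptype, score in patterns:
        if ptype == "regex":
            found = re.search(pattern, text, re.IGNORECASE) is not None
        else:
            # Assumption: a wildcard is tested against each word of the page.
            found = any(fnmatch.fnmatchcase(w, pattern) for w in words)
        if found:
            # Counted once, no matter how often the pattern appears.
            total += score
            hits.append(pattern)
    return total, hits


def content_filter(text, threshold=THRESHOLD, patterns=PATTERNS):
    """Return (verdict, total, hits); the action fires only above the threshold."""
    total, hits = score_page(text, patterns)
    verdict = "action" if total > threshold else "continue"
    return verdict, total, hits


# Constructed sample pages.
PAGE_ALL = "Online pharmacy: cheap drugs, no prescription needed. Drugs shipped fast."
PAGE_REPEAT = "drugs drugs drugs drugs drugs"
PAGE_TWO = "Our pharmacies stock over-the-counter drugs."
```

A page that repeats one pattern never crosses the threshold on its own, and a total equal to the threshold does not trigger the action, which matters when choosing scores for a small pattern list.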

Web URL Filtering

- Control web access by allowing or blocking URLs
- Text, wildcards or regular expressions can be used to define the URL patterns
- If no URL match on list, go on to next enabled check
- Possible web URL filter actions are:
  - Allow
  - Block
  - Monitor
  - Exempt
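
An added example (not Fortinet code) that evaluates one URL filter list the way a full-URL mode (proxy or flow) and the DNS-based mode described earlier would see it, to show which entries stop matching when only the hostname is visible. The list entries, the sample URLs and the matching semantics (simple = prefix, wildcard = glob with an open tail) are constructed assumptions.

```python
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed URL filter list: (pattern, type, action), checked top to bottom.
URL_FILTER = [
    ("www.mypage.com/index.html", "simple", "block"),
    ("*.example.com", "wildcard", "monitor"),
    (r"^www\.abc\.com/", "regex", "exempt"),
]

# Constructed sample requests.
SAMPLE = [
    "http://www.mypage.com/index.html",
    "http://shop.example.com/cart",
    "http://www.abc.com/docs",
    "http://192.0.2.10/index.html",
]


def entry_matches(pattern, ptype, target):
    # Assumed semantics: simple = prefix, wildcard = glob with open tail.
    if ptype == "simple":
        return target.startswith(pattern)
    if ptype == "wildcard":
        return fnmatch.fnmatchcase(target, pattern + "*")
    return re.search(pattern, target) is not None


def url_filter(url, mode, entries=URL_FILTER):
    """mode is 'proxy', 'flow' or 'dns'. Returns the action of the first match."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if mode == "dns":
        try:
            ipaddress.ip_address(host)
            return "no-dns-lookup"      # access by IP: the filter is never consulted
        except ValueError:
            target = host               # only the queried hostname is visible
    else:
        target = host + (parts.path or "/")
    for pattern, ptype, action in entries:
        if entry_matches(pattern, ptype, target):
            return action
    return "next-check"                 # no match: go on to next enabled check


def dns_mode_gaps(urls, entries=URL_FILTER):
    """URLs whose verdict changes when the profile is switched to DNS mode."""
    return [u for u in urls
            if url_filter(u, "proxy", entries) != url_filter(u, "dns", entries)]
```

Entries that depend on a path component, including a regular expression anchored on the trailing slash, fall through to the next check in DNS mode, so a list written for proxy mode should be reviewed before the inspection mode is changed.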

Web URL Filtering

[Diagram: request for URL www.mypage.com/index.html (site www.mypage.com) checked against a URL filter list containing www.example.com, www.abc.com and www.mypage.com/index.html; possible actions Block, Allow, Monitor, Exempt]

Forcing Safe Search

- Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
- FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
- Supported for Google, Bing, Yahoo! and Yandex
- Does NOT force strict safe search
- YouTube EDU available
- Instructions for YouTube will include value to enter on FortiGate unit

FortiGuard Category Filter

[Diagram: request for URL www.mypage.com rated into FortiGuard categories, with actions Block, Allow, Monitor, Warning, Authenticate]

- The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
- Action is taken based on selection in web filtering profile
- Web filter rating determined by:
  - Human rater
  - Text analysis
  - Exploitation of web structure
- Description of categories can be found on FortiGuard website: http://www.fortiguard.com/static/webfiltering.html
- Split into multiple categories and sub-categories
- Layout will switch periodically as the Internet changes
- New categories and sub-categories are released and compatible with updated firmware
- Older firmware has new values mapped to existing categories

FortiGuard Caching

- Most web sites are visited over and over again
- FortiGate unit can remember what the response was
- Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
- Cache checked before sending request to FortiGuard server
- TTL setting controls the number of seconds query results are cached
- Small amount of FortiGate unit system memory dedicated to the cache
- Default is 2% used for cache, can be increased to 15% from CLI
- Port 53 used for FortiGuard communications
- Alternate port number of 8888 can be used

KB Article IDs: 11779, FD32121, FD30088

FortiGuard Usage Quotas

[Diagram: requests in Category: Games counted against a Games quota]

- Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
- If authentication is enabled, quota is automatically based on the user, otherwise IP is used
- Can only apply to categories with actions: Monitor, Warn or Authenticate

Rating Submissions

Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing: http://www.fortiguard.com/ip_rep.php

Rating Override

[Diagram: www.acme.com, Category: General Organizations, Sub-Category: Information and Computer Security, with a rating override applied]

- Can override the rating applied to a hostname by FortiGuard Subscription Services
- Hostname reassigned to a completely different category and uses that action
- Override applies to FortiGate unit only
- Changes not submitted to FortiGuard Subscription Services
- Hostnames only
  [Examples shown: google.com, www.google.com, www.google.com/index.html]

Local Categories

- Rename and deletion of sub-categories only in CLI

    config webfilter ftgd-local-cat
        delete <cat_name>
        rename <cat_name> to <cat_name>

Warning Action

- Action = Warning (right click in the GUI)

[Screenshot: Web Filtering Warning Page]

Authenticate Action

[Screenshot labels: www.hackthissite.org, Marketing]

Web Filter Profiles

- Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles
- Profile in turn applied to firewall policy
- Any traffic being examined by the policy will have the web filtering operations applied to it

Labs

- Lab 1: Web Filtering
  - Ex 1: FortiGuard Web Filtering

Classroom Lab Topology