
To get the most out of your FortiGate web content filter, it's essential to configure it correctly. This means setting up the filter to block access to unwanted websites and content.
A well-configured web content filter requires a thorough understanding of the FortiGate's capabilities and limitations. For instance, the FortiGate can filter based on categories, keywords, and URLs, but it's also important to consider the impact on user experience.
Start by identifying the types of content you want to block, such as social media or adult websites. You can then create a custom filter to block access to these types of content.
Remember to also configure the filter to allow access to necessary websites, such as educational resources or business tools.
A fresh viewpoint: Seo Content Websites
Configuring Web Content Filter
You can block specific URLs by adding them to the blocklist, or use wildcards to block all content from a specific domain or only specific pages from a domain.
To block a URL like Facebook, simply add "facebook.com" to the blocklist. URL filtering also supports wildcards, so you can block all content from a specific domain or only specific pages from a domain.
You can also filter content based on category, using FortiGate's extensive list of websites categorized by their offerings. For example, Facebook is categorized as a telephony website, so you can block all social media or telephony websites in your rules.
Here are the steps to configure web filtering categories:
- Enable Category Filtering under FortiGuard Categories.
- Select categories to block (e.g., Malware, Phishing, Adult Content, Social Media).
- Choose the action for each category (Block, Monitor, Warning, Allow).
By following these steps, you can effectively configure web filtering categories to protect your network from malicious content.
Configuring via GUI
To start configuring your web content filter via the FortiGate GUI, navigate to the Static URL Filter section. From there, you can create a new filter by clicking on Create New and entering the URL or wildcard, such as *.example.com.
You can set the action for the filter to Allow, Block, or Monitor. Once you've made your selections, click OK to save the changes.
To block specific categories of content, such as malware or phishing, go to the FortiGuard Categories section. Here, you can enable Category Filtering and select the categories you want to block.
You can choose the action for each category, such as Block, Monitor, Warning, or Allow. This will help you tailor your web content filter to meet your organization's specific needs.
To apply the web filter to a firewall policy, go to Policy & Objects > Firewall Policy and select an existing policy or create a new one. Under Security Profiles, enable Web Filter and select the configured profile.
This will ensure that your web content filter is applied to the correct policy and will help you block or monitor the types of content you've specified.
Configure Categories
Configuring categories is a crucial step in setting up your web content filter. To do this, you'll want to enable Category Filtering under FortiGuard Categories. You can then select categories to block, such as Malware, Phishing, Adult Content, and Social Media.
Choose the action for each category, like Block, Monitor, Warning, or Allow. For instance, you might block Malware and Phishing, while monitoring Adult Content.
To apply the web filter to a firewall policy, go to Policy & Objects > Firewall Policy, select an existing policy or create a new one, and under Security Profiles, enable Web Filter and select the configured profile. This will ensure that your web content filter is applied to the correct policy.
Here's a summary of the actions you can take for each category:
Remember, you can always override a specific website to a different Fortiguard category or to the Local/Custom category, allowing you to change what happens when a user tries to access it.
Filtering Options
You can block specific URLs on a FortiGate firewall by adding them to the blocklist, a process known as blocklisting. This can be done by adding "facebook.com" to the blocklist to block the Facebook website.
URL filtering also supports wildcards, allowing you to block all content from a specific domain or only specific pages from a domain. For instance, you can block all content from "sky.com" by adding a wildcard to the blocklist.
Another option is to block content based on category. FortiGate has an extensive list of websites that are categorized based on their offerings. Administrators can block all social media or telephony websites in their rules.
You can also filter content based on content and applications using Next-Gen FortiGate firewalls, which use heuristics and AI to analyze traffic and block it based on specific criteria.
Here are some common filtering options available on a FortiGate firewall:
- Blocklisting and allowlisting URLs
- Blocking content based on category
- Filtering content based on content and applications
- Blocking specific URLs using wildcards
Additionally, you can block content based on category using a remote category filter, which allows you to point FortiGate to an external web server that contains a plain text file list of URLs to block or allow.
You can also configure proxy options, such as blocking POST actions, stripping cookies, and blocking ActiveX and Java applets.
To apply the web filter to a firewall policy, go to Policy & Objects > Firewall Policy, select an existing policy or create a new one, and enable the web filter with the configured profile.
Content Filtering
Content filtering is a powerful feature of FortiGate firewalls, allowing you to block specific URLs, domains, or categories of content.
You can block specific URLs by adding them to the blocklist, or use wildcards to block all content from a specific domain. For example, to block Facebook, you can add "facebook.com" to the blocklist.
FortiGate also supports filtering content based on category, with an extensive list of websites categorized based on their offerings. This allows you to block all social media or telephony websites in your rules.
Here's a list of some of the categories you can filter:
With content filtering, you can also block content based on keywords or phrases, as well as assign scores to each keyword to determine the level of blocking.
Static URL Filter
Static URL Filter is a straightforward way to control the content that flows through your FortiGate Firewall. You can block specific URLs, like "facebook.com", to prevent access to the entire website.
One of the original ways to block content online is through blocklisting and allowlisting URLs. This method is simple to implement and effective.
You can also use wildcards to block all content from a specific domain or only specific pages from a domain. For example, you can block all content from "facebook.com" or only block access to "facebook.com/login".
Here's a list of URL filtering options:
- Block specific URLs
- Block all content from a specific domain
- Block only specific pages from a domain
By blocking specific URLs, you can control the content that flows through your network and prevent access to unwanted websites.
Content Filtering
Content Filtering is a powerful tool that allows you to block specific websites or content based on their category. You can block social media websites like Facebook by adding "facebook.com" to the blocklist, or block all social media websites by categorizing them as telephony websites.
The FortiGate Next-Gen Firewall uses heuristics and AI to analyze traffic and block it based on specific criteria. This allows for more advanced filtering options, such as blocking content based on category. FortiGate has an extensive list of websites that are categorized based on their offerings, including social media, telephony, and adult content.
To filter content based on category, you can use the FortiGuard Category based Web filtering feature. This feature queries the FortiGuard Distribution Network (FDN) to categorize websites by domain names and IP addresses. You can also use the Web Rating Overrides feature to check the category of a domain.
Here's a list of some of the categories that can be filtered:
- Abortion
- Advocacy Organizations
- Alcohol
- Alternative Beliefs
- Dating
- Gambling
- Lingerie and Swimsuit
- Marijuana
- Nudity and Risque
- Other Adult Materials
- Pornography
- Sex Education
- Sports Hunting and War Games
- Tobacco
- Weapons (Sales)
You can block or allow connections to these categories based on your organization's policies. You can also use the Web Filter Content feature to block specific keywords or phrases on a web page.
The Web Filter Content feature uses the Deep SSL Inspection profile to check the contents of a web page. You can assign a score to each keyword or phrase, and the feature will block the page if the total score reaches a certain threshold. You can also use wildcards and regular expressions to match keywords and phrases.
For example, you can block pages with the keywords "cisco" and "palo alto" by using the Web Filter Content feature. You can also use the banned words threshold to block pages with multiple keywords.
Note that the Web Filter Content feature requires the Security Policy to be in Proxy mode, not Flow.
For your interest: Create Web Page Design
Filter Verification and Testing
To verify and test your Fortigate web content filter, start by checking the Fortiguard license status and settings. Ensure the license is active and there's no configuration that turns off the web filtering service.
Verify the category cache by running the command `diag webfilter fortiguard cache dump`. If the cache is outdated, clear it with `dia test app urlfilter 2`.
You can also test web filtering by trying to access a blocked website from a client device. Make sure the site is either blocked or redirected based on your configured policy.
Here are the steps to verify web filtering logs:
- Navigate to Log & Report > Forward Traffic.
- Filter logs by Web Filter to check blocked sites.
Category Cache Verification
Category Cache Verification is a crucial step in ensuring your FortiGate Firewall is accurately filtering websites. You can verify what category a given visited domain got by running the command diag webfilter fortiguard cache dump.
The output will show the category in hex, which you can then translate to decimal by comparing it with the built-in categories of the Fortigate using the command get webfilter categories | grep n.
For example, if you visit espn.com, the hex category is 2e, which translates to 46 in decimal. This means the website is categorized under the built-in category of 46.
Most IP addresses do not get their rating due to the option "Rate URLs by domain and IP Address" being disabled. However, well-known Google DNS does get its rating.
To check which category a website belongs to, you can also use the FortiGate Web Filter Lookup tool. Simply enter the URL of the domain in question, select the Fortinet OS version, and perform the search.
Here are the steps to follow:
- Run the command diag webfilter fortiguard cache dump.
- Translate the hex category to decimal using the command get webfilter categories | grep n.
- Compare the decimal category with the built-in categories of the Fortigate.
Testing and Monitoring
To test Web Filtering, try accessing a blocked website from a client device. Ensure the site is either blocked or redirected based on the configured policy.
First, verify that the Fortigate has the Web Filtering license active by checking the FortiGuard license in the GUI under System → Fortiguard.
You can also use the command `diag autoupdate versions` to see the latest update date and versions of all downloadable databases on Fortigate.
Consider reading: Azure Openai Content Filtering
The Fortigate uses two hosts for live queries to Fortiguard: `service.fortiguard.net` and `globalguardservice.fortinet.net`.
To see the whole list of Categories with their respective numbers, run `get webfilter categories`.
You can also filter logs by Web Filter to check blocked sites by navigating to Log & Report > Forward Traffic.
To clear the cache and update the Category cache, use `dia test app urlfilter 2`.
Filter Management
Filter management is a crucial aspect of a FortiGate web content filter. You can block specific URLs by adding them to the blocklist, for example, "facebook.com" to block the Facebook website.
Blocklisting and allowlisting URLs are two original ways to block content online. This method allows you to specify exactly what content you want to block or allow.
You can also use wildcards to block all content from a specific domain or only specific pages from a domain. This feature gives you more flexibility in managing your filter rules.
FortiGate Next-Gen firewalls use heuristics and AI to analyze traffic and block it based on specific criteria. This advanced technology enables more effective content filtering.
Administrators can block content based on category, such as blocking all social media or telephony websites. FortiGate has an extensive list of websites categorized based on their offerings.
Customization and Overrides
You can allow users to override the Web Filter profile by creating a replacement profile that allows more categories, such as Social Networks and News & Media. This can be done by creating a new Web Filter profile, in this case "OverrideAllowAll", which allows these categories.
To enable user override, you'll need to set the replacement Web Filter profile in the main Web Filter profile, "WebProfile", which blocks these categories. You'll also need to specify the user group that can authenticate and access the replacement profile.
The override duration can be set, for example, to 5 minutes, after which the user will be blocked again and can authenticate to access the replacement profile. This way, users can temporarily override the Web Filter profile to access more categories.
Here are the steps to configure user override:
- Create a new Web Filter profile that allows more categories
- Set the replacement profile in the main Web Filter profile
- Specify the user group that can authenticate
- Set the override duration
Note that all blocked categories will be overridden by the new profile, and you can't specify which category to override.
Custom Local Categories
Custom Local Categories allow you to override a specific website to another FortiGuard category or to the Local/Custom category, changing what happens when a user tries to access it.
You can reassign a website to a Local/Custom category in Security Profiles → Web Rating Overrides. For example, you can reassign www.tripadvisor.com from Travel to the Local custom1 category.
To block a website on a custom category, change the Action to Block in the actual Web Filter for that category. This is different from the action set for the category it was originally assigned to, which might be Allow.
The CLI configuration for blocking a website on a custom category is not explicitly stated in the article, but it's implied that you need to configure the block message the end user will see, which includes codes like 7 - block mature content and 134 - block both unrated and mature content.
See what others are reading: Local Seo Content

You can check which category a website belongs to using FortiGate's Web Filter Lookup tool. Simply enter the URL of the domain in question, select your Fortinet OS version, and perform your search.
Here's a step-by-step guide to creating a custom local category:
- Reassign a website to a Local/Custom category in Security Profiles → Web Rating Overrides.
- Change the Action to Block in the actual Web Filter for that category.
Remember, you can also use the CLI to configure the block message, but the specific configuration steps are not provided in the article.
Allow User Override
Allow User Override is a feature that lets you create a new Web Filter profile that allows more categories than the main one, like "OverrideAllowAll" that includes Social Networks and News & Media.
This feature is particularly useful for users in a specific user group who need more flexibility. I created a new Web Filter profile called "OverrideAllowAll" that allows more categories than the main one.
You can set up the main Web Filter profile to block certain categories, and then set up the override feature to allow users to switch to the new profile after authenticating. The replacement Web Filter profile for authenticated users is set to "OverrideAllowAll" in this case.

The override duration can be set to a specific time, like 5 minutes, after which the user will be blocked again. This means users can only access the allowed categories for a limited time.
To configure the override feature, you need to specify the user group that will be allowed to authenticate and switch to the new profile. You can choose a local or remote user group, such as one connected to LDAP or RADIUS.
The Web Filter profile that blocks access will still be in place, but users will have the option to override it and access the allowed categories. This is useful for users who need to access specific websites for work or other reasons.
Note that you can't specify which category to override - all blocked categories will be overridden by the new profile. This means users will have access to all the allowed categories in the new profile.
Remote Filtering
To implement remote filtering with Fortigate, you'll need to create an External Connector of type Fortiguard Category. This connector allows you to point Fortigate to an external web server that contains a plain text file list of URLs to block, allow, or exempt.
First, create a text file with URLs and host it on an external web server. The file should have three types of entries: complete URLs, wildcards (no regex is supported), and exact matches. For example, the file might look like this:
1. Complete URL (e.g., https://example.com)
2. Wildcard (e.g., *.sky.com)
3. Exact match (e.g., example.com)
Next, create an External Connector of type Fortiguard Category and set the URL to access the external feed. You can also add optional authentication and set the refresh rate of data from the remote server (default is 5 minutes). Once configured, the status will change to green - Connected, and you can click on "View" to see the URLs read from the remote server and their status.
Readers also liked: Html Meta Http-equiv Content-type Content Text Html Charset Utf-8
The category "Remote" will appear in all existing and future Web Filter Profiles (by default in status Disabled) with the external feed you just configured. Make sure to change the Action to Block/Monitor/etc. to apply the remote filtering rules.
Here's a quick checklist to ensure you've completed the remote filtering setup:
- Create a text file with URLs and host it on an external web server
- Create an External Connector of type Fortiguard Category
- Set the URL to access the external feed
- Add optional authentication and set the refresh rate
- Change the Action to Block/Monitor/etc. in the Web Filter Profile
Debug and Verification
Debugging and verifying your Fortigate web content filter is a crucial step to ensure it's working correctly.
First, you need to check that the Fortigate has the Web Filtering license active. This can be done by running the command "dia deb rating" in the CLI.
Make sure under config sys fortiguard there is no set webfilter-force-off enable, which turns off the FortiGuard web filtering service.
The valid license should look like this in the GUI: System → Fortiguard.
To see the latest update date and versions of all downloadable databases on Fortigate, run "diag autoupdate versions".
You can also force Fortigate to download updates by executing "update-now".
To debug auto updates, you'll need to run "diagnose debug application update -1", "dia deb enable", and "exe update-now".
Verify that the name resolving on the Fortigate works by checking if it can resolve the hosts "service.fortiguard.net" and "globalguardservice.fortinet.net".
If you're having issues with Fortiguard Category filtering, you can check the cache with "diag webfilter fortiguard cache dump".
If the cache is not up-to-date, use "dia test app urlfilter 2" to clear it without any downtime.
You can see the whole list of Categories with their respective numbers by running "get webfilter categories".
For Web Filter logs, you can check under Events → Security Events → Web Filter menu or run "exe log filter category 3" and "exe log display" in the CLI.
Finally, the most verbose Web Filtering debug is "dia deb app urlfilter -1".
Curious to learn more? Check out: Web Dev App
Best Practices and Configuration
To get the most out of your FortiGate web content filter, you need to configure it correctly. Enable Category Filtering under FortiGuard Categories to start blocking unwanted content.
To block specific categories, select the ones you want to block, such as Malware, Phishing, Adult Content, and Social Media. You can then choose the action for each category, like Block, Monitor, Warning, or Allow.
Regularly updating the FortiGuard Database is crucial for up-to-date filtering. This ensures you're protected against the latest threats and malicious content.
Deep SSL inspection is essential for HTTPS filtering, allowing you to block encrypted malicious content. This is especially important for businesses that handle sensitive information.
User/group-based filtering provides better control over who can access certain websites or categories. This is achieved by applying filtering policies to specific users or groups.
Monitoring web filtering logs is vital to ensure your policy is effective. This helps you identify any issues or areas where you need to adjust your filtering settings.
By following these best practices and configuring your FortiGate web content filter correctly, you can create a safe and productive online environment for your users.
Pattern Matching
Pattern matching is a crucial aspect of FortiGate web content filtering. You can add web content patterns to your list, which is essential for effective filtering.
There are two types of patterns: wildcard and regular expression. Wildcard patterns are a great option for simple filtering needs.
The maximum number of web content patterns in a list is 5000, so you can create a comprehensive list without worrying about running out of space.
Block Invalid URLs
The Block Invalid URLs feature is a powerful tool in the FortiGate Web Content Filter. It blocks access to websites whose SSL/TLS certificate does not contain a valid domain.
This feature is usually enabled by default, so you might not even need to take any action to enable it. However, if you're not sure, you can check your settings to confirm.
Frequently Asked Questions
How do I allow a URL in FortiGate web filter?
To allow a URL in FortiGate web filter, navigate to Security Profiles > Web Filter, expand Static URL Filter, and enable URL Filter. Then, enter the URL without "https" and select Create.
What is the difference between a firewall and a content filter?
A firewall blocks unauthorized network access and controls data flow, while a content filter specifically blocks malicious content, spam, and phishing attempts. Together, they provide a robust defense against online threats.
Featured Images: pexels.com


