
Fortinet Web Filter Configuration and Management is a crucial step in ensuring a secure and productive online experience for your organization. The Fortinet Web Filter can be configured to block access to malicious websites, thereby reducing the risk of malware and data breaches.
To start, you need to create a Web Filter profile, which is a set of rules that determine what websites are blocked or allowed. According to the Fortinet Web Filter Configuration section, this profile can be created using the FortiGate GUI or CLI.
The Web Filter profile can also be used to specify the types of websites that are blocked or allowed, such as social media, adult content, or online gaming. By doing so, you can ensure that employees are not accessing non-work-related websites during work hours.
The Fortinet Web Filter also allows you to create a schedule for when the Web Filter rules are applied, giving you more control over when and how the rules are enforced.
Here's an interesting read: Fortigate Content Filter
Configuring Fortinet Web Filter
Configuring Fortinet Web Filter is a crucial step in ensuring your network's security and productivity. You can configure web filtering on the FortiGate Firewall through the GUI or CLI.
To start, navigate to the Static URL Filter section and click Create New to add a new filter. Enter the URL or wildcard, set the action to Allow, Block, or Monitor, and click OK to save the changes.
You can also configure web filtering categories by enabling Category Filtering under FortiGuard Categories. Select the categories to block, such as Malware, Phishing, Adult Content, and Social Media, and choose the action for each category.
It's essential to enable web filtering on your FortiGate Firewall to protect your network from malicious content. You can do this by creating a new web filter profile and configuring filtering options.
To enable web filtering, log in to the FortiGate web interface, navigate to Security Profiles > Web Filter, and click Create New to add a new web filter profile. Name the profile and configure filtering options.
A unique perspective: Dropbox Filter
When configuring web filtering, you can choose from various actions, including Block, Allow, Monitor, Authenticate, and Warning. To change the contents of the Replacement Page, go to System > Replacement messages and edit the template.
You can also override or reassign specific websites to another FortiGuard category or to the Local/Custom category. This allows you to change what happens when a user tries to access a specific website.
Here are some common actions you can take when configuring web filtering:
By configuring web filtering on your FortiGate Firewall, you can protect your network from malicious content, limit employee access to non-work-related websites, and ensure that your network operates properly and securely.
Intriguing read: Content Protection Network
Understanding Web Filter
Web filtering is a crucial feature of Fortinet's web filter, allowing you to control and monitor internet activity on your network. It's a powerful tool that can help you block malicious websites, reduce distractions, and improve productivity.
To get started with web filtering, you'll need to configure your SSL profile, which determines whether to decrypt completely or just inspect the domain name in SSL certificates. You can choose from Certificate-only or Deep SSL Inspection, or even disable SSL inspection altogether.
For more insights, see: Email Filtering
The order of processing for web filtering is as follows: Static URL Filter, Fortiguard Category Filter, Web Content Filter, Advanced options filter, and AntiVirus Scanning. Understanding this order is key to fine-tuning your web filter settings.
Here are some common actions you can take when a user tries to access a restricted category:
- Block: the connection is blocked, and no further security processing is done.
- Allow: the connection is allowed from a web filtering point of view, but may still be blocked by other security profiles.
- Monitor: the connection is monitored, but not blocked.
- Authenticate: access is granted after the end user successfully authenticates to Fortigate.
- Warning: users see a web page warning them that they are entering restricted domains.
To configure web filtering categories, you'll need to enable Category Filtering under FortiGuard Categories, select categories to block, and choose the action for each category.
Key Facts
Web filtering in FortiGate is a powerful tool that can block access to malicious websites, improve productivity, and help organizations comply with industry regulations.
The main parts of Web Filtering in FortiGate include SSL Profile, FortiGuard Web Filtering service, Static URL Filter, and Web Content Filtering.
SSL Profile determines whether to decrypt completely SSL communication or just look at domain names in the SSL Certificates.
FortiGuard Web Filtering service enables filtering of websites/URLs by Category, requiring a Web Filter license.
For another approach, see: Golang Filter
Static URL Filter checks the URL of the website a user tries to enter.
Web Content Filtering looks inside the contents of a web page to find predefined "banned" words and makes decisions based on their existence and count.
Here are the key settings for the order of processing:
- Static URL Filter
- FortiGuard Category Filter (Local/custom Categories → Remote/external feed Category → FortiGuard Category)
- Web Content Filter
- Advanced options filter - proxy mode only (ActiveX, Java Applets etc.)
- AntiVirus Scanning
Web Filter-related databases on FortiGate are not updated by default, only after you create a 1st Web Filter Profile and use it in the security rule.
The benefits of FortiGate Web Filtering include security, productivity, compliance, and customizability.
To use FortiGuard Category based Web filtering, you need a valid Web Filtering license and to be able to connect to FortiGuard servers.
The order of preference for categories is Local → Remote/external feed → FortiGuard.
The action options for FortiGuard Category based Web filtering include Block, Allow, Monitor, Authenticate, and Warning.
Here are the key settings for Replacement Page:
- On trying to enter the website belonging to the restricted Category, the user will see a warning message.
- The warning message can be customized by editing the Replacement Page.
Dns
DNS is a lightweight inspection method that doesn't involve proxy-based or flow-based inspection, making it resource-friendly.
It takes advantage of the fact that a DNS request is typically the first part of any new session to a new website, and places the results of the categorization of websites right on the FortiGuard DNS servers.
The FortiGate resolves a URL, receiving both the IP address of the website and a domain rating from the FortiGuard DNS server.
This inspection method is based on the IP address, the domain name, and the rating provided by the FortiGuard DNS server, with fewer settings than other inspection methods.
DNS inspection uses the same categories as the FortiGuard Service, allowing for consistent categorization and filtering.
Additional reading: Fortinet Fortiguard
Customization Options
Customization Options can be achieved by overriding specific websites to another FortiGuard category or to the Local/Custom category. This allows you to change what happens when a user tries to access it.
You can reassign a website to another FortiGuard category or to the Local/Custom category in Security Profiles → Web Rating Overrides. For example, you can reassign www.tripadvisor.com from Travel to the Local custom1 category and then set the Action to Block on it.
The Action options for Web Filtering are Block, Allow, Monitor, Authenticate, and Warning. To change the contents of the Replacement Page, go to System → Replacement messages → click on Extended view → click on the needed template → Edit.
Here are the possible Actions for Web Filtering:
- Block - connection to the web site is blocked, no further security processing is done, the verdict is final.
- Allow - allow connection from Web Filtering point of view, the connection will still be checked by other security profiles/features if available - IPS/AppControl, etc and thus may be blocked later.
- Monitor - monitor (and log if logs are enabled in the security rule) but do NOT block the connection. Mostly useful to get detailed info on web sites users are visiting.
- Authenticate - access will be granted after the end user successfully authenticates to Fortigate.
- Warning - users will see a web page warning them that they are entering restricted domains, and if the user clicks on "Proceed" she will be redirected to the original web site.
Custom Categories & Ratings
Custom categories and ratings are a powerful feature in FortiGate, allowing you to tailor web filtering to your specific needs. You can override or reassign a specific website to a different FortiGuard category or to a Local/Custom category, which can change what happens when a user tries to access it.
To do this, you'll need to assign the website to the Local custom category in Security Profiles → Web Rating Overrides, and then change the Action to Block in the actual Web Filter for that category. This way, even if the "Travel" category is allowed, the specific website will be blocked on the "custom1" category.
A unique perspective: Html Local Storage

You can also use the CLI to configure web filtering, and set the action in the FortiGuard-based filter to Block. This can be done by using the following commands: `set action block` or `set action 7` for blocking mature content, or `set action 134` for blocking both unrated and mature content.
Here are the possible actions you can take when a website belongs to a restricted category:
- Block: connection to the website is blocked, no further security processing is done, and the verdict is final.
- Allow: allow connection from Web Filtering point of view, the connection will still be checked by other security profiles/features if available.
- Monitor: monitor (and log if logs are enabled in the security rule) but do not block the connection.
- Authenticate: access will be granted after the end user successfully authenticates to Fortigate.
- Warning: users will see a web page warning them that they are entering restricted domains, and if the user clicks on "Proceed" she will be redirected to the original website.
Rate by IP and Domain
The FortiGate (FGT) can ask Fortiguard for two ratings - one for the domain and another for the IP Address it resolves to. If the ratings differ, the FGT will use the one with the higher weight.
This option is not commonly used by admins, but it can be a useful customization.
The FGT will ask Fortiguard for two ratings if this option is enabled, which can lead to a more accurate categorization.
Category cache verification is related to this option, but it's not discussed in this context.
A fresh viewpoint: What Browesr Does Not save as Webp
Usage Quota

Usage Quota is a powerful feature that allows you to limit how much bandwidth or time an end user can consume from a specific category. This can be set to Warning, Authenticate, or Monitor, and the quota is calculated per user and for the whole category.
The usage counters reset automatically each midnight, so users will be blocked from the websites in the category only for the remainder of the day. If a user uses up her quota, she will see a message informing her that she has exceeded her limit.
In logs, we will see "UTM block" once the quota is reached, indicating that the user has been blocked from the category. This is not a bug, but a feature that allows users to continue browsing websites that are already connected, but blocks new connections to the same category.
To check if a website is SSL exempted, you can check the SSL/TLS certificate of the website in your browser. If it's the original certificate of the website, it's exempted, but if it's a Fortigate CA certificate, it's not. You can also check the Fortigate logs, where the action for such website will be "passthrough".
Intriguing read: See Html Code in Chrome
Here are the key points to remember about Usage Quota:
- Quota is calculated per user and for the whole category.
- Usage counters reset automatically each midnight.
- Users will see a message informing them that they have exceeded their limit.
- "UTM block" will be logged once the quota is reached.
- Websites that are already connected will not be blocked, but new connections will be blocked.
- SSL exempted websites will not be blocked, but their certificates will be checked.
Verification and Testing
To verify that your Fortinet Web Filter is working correctly, start by checking the Web Filtering license on your Fortigate device. This can be done by running the command `dia deb rating` and ensuring that the license is active.
Make sure that the Web Filtering service is not disabled under `config sys fortiguard`, specifically checking that `webfilter-force-off enable` is not set. In the GUI, navigate to `System → Fortiguard` to verify the license status.
You can also check the latest update date and versions of all downloadable databases on your Fortigate by running `diag autoupdate versions`. To force an update, execute `update-now`.
Here are the steps to verify name resolving on your Fortigate:
- Verify that the name resolving on the Fortigate works.
- For live queries to Fortiguard, Fortigate uses 2 hosts - service.fortiguard.net (without anycast) and globalguardservice.fortinet.net (with anycast).
To test Web Filtering, try accessing a blocked website from a client device. Ensure the site is either blocked or redirected based on the configured policy.
A different take: Blocked by Azure Waf
Category Cache Verification
You can verify the category of a visited domain by checking the Category cache on your Fortigate device. This is done by running the command "diag webfilter fortiguard cache dump".
The output will show you the category in hex format, which you can then translate to decimal. For example, the hex code "2e" corresponds to the decimal number "46".
Most IP addresses don't get a category rating, but the Google DNS does, and this is because the option "Rate URLs by domain and IP Address" is disabled by default.
Discover more: Search Engine Cache
Verify Logs
To verify logs, start by navigating to Log & Report > Forward Traffic. Filtering logs by Web Filter is essential to check blocked sites.
You can also use the CLI to view web filter logs by running exe log filter category 3 and exe log display. This will show you the detailed logs of blocked sites.
To see a list of categories with their respective numbers, run get webfilter categories. This will give you an idea of how the web filter categorizes websites.
Here's a quick reference table to help you verify logs:
Remember to check the logs regularly to ensure that your web filter is working correctly and blocking sites as intended.
Access Control
Access Control is a crucial aspect of maintaining a secure and productive online environment.
Implementing a well-written usage policy is a fundamental step in controlling web access. This policy should outline proper Internet, email, and computer conduct for all users.
Monitoring tools can record and report on Internet usage, providing valuable insights into user behavior.
Policy-based tools can capture, rate, and block URLs, helping to prevent access to malicious or unproductive websites.
Common web access control mechanisms include:
- Establishing and implementing a well-written usage policy
- Installing monitoring tools that record and report on Internet usage
- Implementing policy-based tools that capture, rate, and block URLs
Technical Details
Fortinet Web Filter uses a cloud-based approach to block malicious websites and protect users from online threats. It's a highly effective solution that can be easily integrated into your existing network infrastructure.
The Fortinet Web Filter uses a combination of signature-based and behavioral-based detection to identify and block malicious websites. This approach ensures that even the most sophisticated threats are caught and prevented.
Fortinet Web Filter is highly customizable, allowing administrators to tailor the filtering to meet specific organizational needs. You can block or allow access to specific websites, categories, or even individual URLs.
The Fortinet Web Filter can be managed through a single, intuitive interface, making it easy to monitor and control web traffic across your organization. This interface provides real-time visibility into web activity and allows for swift action to be taken if a security issue arises.
GUI Configuration
To configure FortiGate web filtering via the GUI, you'll want to start by navigating to the Static URL Filter section. This is where you can create custom filters to block or allow specific websites.
To create a new filter, click the "Create New" button and enter the URL or wildcard you want to filter, such as *.example.com. You can also choose to block, allow, or monitor the website.
Once you've set the action, click "OK" to save the changes. This will allow you to create multiple filters for different websites and control internet access on your network.
A unique perspective: How to Make a Website Hosting Server
Proxy
Proxy-based inspection is a more thorough method of analyzing data, allowing for a more accurate analysis of traffic.
This is because it involves buffering the traffic and examining it as a whole before determining an action, which gives it access to more points of data to analyze.
As a result, proxy-based inspection can lead to fewer false positive or negative results in the analysis of the data.
Here's an interesting read: Smiley-http-proxy-servlet Proxy Websocket
Configuring via GUI
Configuring via GUI is a straightforward process that requires just a few clicks. You can start by navigating to the Static URL Filter section.
To create a new filter, click the Create New button and enter the URL or wildcard you want to filter. For example, you can enter *.example.com to block or allow all subdomains of example.com.
Next, set the action you want to take on the filtered URLs. You have three options: Allow, Block, or Monitor.
Here's a summary of the steps:
- Navigate to the Static URL Filter section.
- Click Create New and enter the URL or wildcard.
- Set the action (Allow, Block, or Monitor).
- Click OK to save the changes.
Return

Returning to the default configuration is a straightforward process. Simply reset the settings to their original state by clicking the "Reset" button in the GUI configuration panel.
The reset button is usually located at the bottom of the panel, and it's easily identifiable by its distinctive icon. It's a good idea to make a note of the current settings before resetting, just in case you need to revert back to them later.
In some cases, you may want to save your current configuration instead of resetting it. To do this, click the "Save" button, which is often located next to the "Reset" button.
See what others are reading: Web Camera Settings
Frequently Asked Questions
What is the difference between web filter and DNS filter in FortiGate?
Web filter blocks specific websites or content, while DNS filter blocks entire domains by analyzing DNS entries before a connection is established, providing more comprehensive control over internet access
Featured Images: pexels.com


