Technical Tip: Explanation of the Allow, Block, Exempt, and Monitor static URL filter actions
Description
This article describes the Allow, Block, Exempt, and Monitor static URL filter actions and what their functions are.
Scope
FortiGate Static URL filter with FortiGuard category filter, FortiGate Static URL filter without FortiGuard category filter.
Solution
Static URL filter with FortiGuard category filter
This can be used in two cases:
- When a specific domain needs to be allowed but is blocked by the FortiGuard category, it is necessary to override the FortiGuard category.
- When a specific domain needs to be blocked, but is allowed by the FortiGuard category.
In both of these cases, it is recommended to use Web Rating Overrides and move that specific site to a new custom category, with a correct action applied in the WebFilter profile: Allow or Block, according to the needs (by default, they are disabled - neither Allow nor Block).
This is not feasible in cases where there is a need to block a very specific subdomain, in which case there is a need to use a wildcard in the Static URL filter, with the following actions:
- Block: Blocks the site. No further UTM or action taken.
- Allow: Allows the attempt from the Static URL filter. Next used: Category filter, antivirus, etc.
- Monitor: (=Allow+'passthrough' Log).
- Exempt: Bypasses following UTM services (Technical Tip: Selecting security services for a URL with action set as 'exempt' in the URL filter), including FortiGuard category web filter.
Note:
If both the FortiGuard category-based filter and the Static URL filter are used, and it is required to allow access to a site regardless of the category, then use 'Exempt'.
Static URL filter without FortiGuard category filter:
- Block: blocks the site. No further UTM or action.
- Allow: allows the attempt from the Static URL filter. Next used: Category filter, AV, etc.
- Exempt: bypasses other UTM services if used in policy (Technical Tip: Selecting security services for a URL with action set as 'exempt' in the URL filter), Category filter already disabled.
Make sure that there is no default 'Allow all sites' option, so this Allow will only permit access to the URLs added here, and deny other access. If there is a need to block 10 URLs and allow the rest, add those URLs first, with action 'Block', then add a wildcard allow (to allow all the other URLs).
Monitor: (=Allow+'passthrough' Log) for this particular URL:
For a deeper explanation of the difference between the action 'allow' and 'exempt', may refer to this article:
Technical Tip: The difference between 'allow' and 'exempt' in the web filter URL filter
Related documents:
Technical Tip: Use static URL filtering without FortiGuard Web Filter license
Technical Note: Selecting security services for a URL with action set as “exempt” in URL filter
Technical Tip: Customize URL static filter's 'Exempt' Action