Technical Tip: How to block all, except some URLs
Description
This article explains how to use the Web Filter URL filter to create an allow list (white list) of HTTP(S) resources and block all other sites.
Scope
FortiGate.
Solution
The usual approach is to add entries with the allow action for the permitted sites and a final wildcard entry '*' with the block action.
For some internet resources, such a wildcard entry breaks the TLS/SSL handshake. It is better to use a regex entry of the form '[^.]', which matches any URL that contains at least one character other than a dot, so it still catches every remaining site.
Example (entry 1 allows sample.com, entry 2 is the catch-all regex that blocks everything else):
config webfilter urlfilter
    edit 1
        set name "default"
        config entries
            edit 1
                set url "sample.com"
                set action allow
            next
            edit 2
                set url "[^.]"
                set type regex
                set action block
            next
        end
    next
end
Note: Starting with version 7.6.3, there is an option to control whether webfilter.urlfilter simple-type entries also match subdomains. CLI change:
config webfilter urlfilter
    edit <id>
        set include-subdomains {enable | disable}
    next
end
Example:
include-subdomains enable (default): the URL filter matches subdomains (for example, 'sample.com' matches 'www.sample.com' and 'support.sample.com').
include-subdomains disable: the URL filter matches only the exact domain (for example, 'sample.com' does not match 'support.sample.com').
Setting include-subdomains to disable is therefore what allows sample.com alone to be blocked (or allowed) without affecting its subdomains.
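To see how the allow-list entries above and the include-subdomains option interact, the following is an added Python model of the matching logic (example code, not FortiGate's implementation). It assumes entries are evaluated in ID order with the first match deciding, that simple-type entries are compared against the request hostname, and that regex entries are searched against the full URL; those are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Entry:
    """One webfilter urlfilter entry (simplified model, not FortiOS data)."""
    url: str
    action: str           # "allow" or "block"
    type: str = "simple"  # "simple" or "regex"


def host_of(request: str) -> str:
    """Hostname part of a requested URL; a scheme is added if missing."""
    if "://" not in request:
        request = "http://" + request
    return (urlsplit(request).hostname or "").lower()


def simple_matches(pattern: str, host: str, include_subdomains: bool) -> bool:
    """Simple-type entry: exact host, or any subdomain when include-subdomains is enabled.
    The leading dot prevents 'notsample.com' from matching the pattern 'sample.com'."""
    pattern = pattern.lower()
    if host == pattern:
        return True
    return include_subdomains and host.endswith("." + pattern)


def evaluate(entries, request, include_subdomains=True):
    """Return (action, matched entry url) of the first matching entry, or (None, None).
    Assumption: entries are checked in ID order and the first match wins."""
    host = host_of(request)
    for entry in entries:
        if entry.type == "regex":
            if re.search(entry.url, request):
                return entry.action, entry.url
        elif simple_matches(entry.url, host, include_subdomains):
            return entry.action, entry.url
    return None, None


# The two entries from the article's configuration: allow sample.com, block the rest.
ENTRIES = [
    Entry("sample.com", "allow"),
    Entry("[^.]", "block", type="regex"),  # matches any URL with a non-dot character
]

if __name__ == "__main__":
    for url in ("https://sample.com/login", "https://support.sample.com/", "https://example.org/"):
        print(url, evaluate(ENTRIES, url), evaluate(ENTRIES, url, include_subdomains=False))
```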
