Technical Tip: Web filter profiles in NGFW policy mode
Description
This article describes how to configure a Web Filter profile in NGFW policy-mode, as well as a walkthrough for applying the Web Filter profile to a Security Policy.
Scope
FortiGate, NGFW policy-mode.
Solution
Web Filtering in NGFW policy-mode works differently from the default NGFW profile-mode:
- In profile mode, Web Filter profiles contain both FortiGuard Category-based Filtering and Static URL Filtering. Traffic must first match a Firewall Policy based on the Source/Destination tuple; only THEN are the inspection profiles (such as Web Filtering) applied.
- In policy mode, Web Filter functionality is split into two stages:
- Category-based filtering is configured directly in Security Policies rather than in the Web Filter profile. The categories are used by the Policy Match Engine (PME) to decide whether traffic matches a Security Policy: the FortiGate checks the website against FortiGuard, obtains a category rating, and then checks whether that category matches the policy.
- Web Filter profiles in policy-mode now only control Static URL Filtering. These profiles can be applied to Security Policies even when those policies do not include any category-based filters.
Note: Web Filter profiles were added to NGFW policy-mode in FortiOS 6.4.2 and later (the feature was unavailable in the GUI in FortiOS 6.2 and earlier). See also: Configure web filter profiles in NGFW policy mode
As a reminder, NGFW policy-mode uses three stages of policies; Web Filtering functionality is handled within the Security Policy stage:
- SSL Inspection & Authentication Policy.
- Security Policy.
- Central NAT Policy.
To create a Web Filter profile on a FortiGate in NGFW policy-mode (GUI method)
- Go to Security Profiles -> Web Filter and select Create New.
- Enter a name for the profile and configure the remaining settings as required. For guidance on configuring Static URL Filter rules, review the following KB articles:

- Select OK to commit the changes to the Web Filter profile.
To apply a Web Filter profile to a Security Policy (GUI method)
- Go to Policy & Objects -> Security Policy and select Create New.
- Enter a name for the policy, and configure the remaining settings as required.
- Under Security Profiles, enable Web Filter and select the Web Filter profile, then select OK to commit the Security Policy change.

- If necessary, navigate to Policy & Objects -> SSL Inspection & Authentication and create a policy that matches the traffic flow (Source/Destination IP Addresses and Service ports).
- SSL Inspection & Authentication policies perform basic network tuple-based filtering, and they also determine whether certificate inspection, deep inspection, or no SSL/TLS inspection is applied to traffic matching the policy.
- By default, an Any/Any SSL Inspection & Authentication policy already exists (with certificate-inspection) that allows all traffic through to the Security Policy stage for further filtering.

- If Source NAT is required for this traffic flow then navigate to Policy & Objects -> Central SNAT and create an appropriate policy for outbound source NAT.

To create a Web Filter profile on a FortiGate in NGFW policy-mode (CLI method)
Note: creating Web Filter profiles via the GUI is the recommended method to start with, as it automatically creates the Web Filter profile entry and links it to the separate tables used for additional features (urlfilter for Static URL Filtering, content for Content Filtering, etc.).
config webfilter profile
    edit 'NGFW_WebFilter'
        config web
            set bword-table 1
            set urlfilter-table 66
        end
    next
end
config webfilter urlfilter
    edit 66
        set name 'Auto-webfilter-urlfilter_tj8dluytj'
        config entries
            edit 1
                set url 'test.com'
                set action block
            next
        end
    next
end
config webfilter content
    edit 1
        set name 'Auto-webfilter-content_u1t2ga712'
        config entries
            edit 'gambling'
                set status enable
            next
            edit 'news'
                set status enable
            next
            edit 'example'
                set status enable
            next
        end
    next
end
To apply a Web Filter profile to a Security Policy (CLI method)
- Configure the Security Policy and apply the Web Filter profile:
config firewall security-policy
    edit 1
        set name 'Example Security Policy'
        set srcintf 'any'
        set dstintf 'virtual-wan-link'
        set srcaddr 'all'
        set dstaddr 'all'
        set action accept
        set schedule 'always'
        set webfilter-profile 'NGFW_WebFilter'
    next
end
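As an added example (not part of the original article), the following CLI shows how the two stages described at the top of this article fit together: a Security Policy that uses FortiGuard categories as a match condition to deny traffic, followed by an accept policy that applies the Static URL Filter profile 'NGFW_WebFilter' from this article. The policy names are assumed, and the category IDs (26 Malicious Websites, 61 Phishing) are taken from the FortiGuard category list and should be verified on the unit with `set url-category ?`.

```fortios
# Added example: category match happens in the Security Policy stage (PME),
# static URL filtering happens in the profile. Security Policies are
# evaluated top-down, so the deny policy must sit above the accept policy.
config firewall security-policy
    # Stage 1 (PME): traffic whose FortiGuard rating is category 26
    # (Malicious Websites) or 61 (Phishing) matches here and is dropped.
    # Category IDs are assumed; confirm with: set url-category ?
    edit 1
        set name 'Block-risky-categories'
        set srcintf 'any'
        set dstintf 'virtual-wan-link'
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set url-category 26 61
        set action deny
        set logtraffic all
    next
    # Stage 2: all remaining traffic is accepted, and only then does the
    # Static URL Filter table linked to 'NGFW_WebFilter' (test.com -> block)
    # get applied by the inspection engine.
    edit 2
        set name 'Allow-with-static-urlfilter'
        set srcintf 'any'
        set dstintf 'virtual-wan-link'
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set action accept
        set webfilter-profile 'NGFW_WebFilter'
        set logtraffic utm
    next
end
```

With the default certificate-inspection SSL policy, the rating for HTTPS sites is derived from the server certificate/SNI hostname only, so category and static URL matches on HTTPS traffic are hostname-level unless deep inspection is enabled.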
- Configure an SSL Inspection & Authentication Policy (the default is displayed as an example here):
config firewall policy
    edit 1
        set name 'Default'
        set srcintf 'any'
        set dstintf 'any'
        set srcaddr 'all'
        set dstaddr 'all'
        set service 'ALL'
        set ssl-ssh-profile 'certificate-inspection'
    next
end
- Configure a Central SNAT policy (if Source NAT is required for this traffic flow):
config firewall central-snat-map
    edit 1
        set srcintf 'any'
        set dstintf 'wan1'
        set orig-addr 'all'
        set dst-addr 'all'
    next
end
