Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
babakmh
Staff
Staff

Created on ‎01-31-2025 10:11 AM

Article Id 373917

Technical Tip: Enable Web Filter only when the user is off-fabric (off-net) when connected to public internet

Description This article explains the correct way to enable a web filter feature that is only active when the endpoint goes off fabric.
Scope FortiClient EMS.
Solution

This is a common practice to keep FortiClient Web Filter module disabled when the user is on-net (on fabric) since firewall can take care of web filtering when the endpoint is in the office.

 

Set the option 'Enable WebFiltering on FortiClient' under Web Filter profile to 'Only When Endpoint is Off-Fabric' can cause the extension to be installed on browser due to an existing known issue. In order to prevent this to happen, do the following steps:

 

 

  1. Configure off-fabric Web Filter profile and set 'Enable WebFiltering on FortiClient' to 'Always On' and enable the profile on top:

 

 

Web filter Enable WebFiltering on FortiClient Always On.png

 

  1. Configure an on-fabric Web Filter profile and make it disabled:

     

 

Web filter Disabled OFF.png

  1. Under EMS policy, toggle on Profile (Off-Fabric) on top, then use WF profile with Always On for off-fabric (right column).

 

Policy Web Filter off-fabric.png

927
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.