Description
Setting the action to "Allow" in the URL filter may not actually allow access to the URL. Any attempt to access a URL that matches a URL pattern with an allow action is permitted by the URL filter, but the traffic is then passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning, any of which may block access to the URL. Setting the action to "Exempt" therefore allows access to the URL. However, setting the action to "Exempt" for a URL bypasses the following security services:
activex-java-cookie - ActiveX, Java, and cookie filtering.
av - Antivirus filtering.
dlp - DLP scanning.
filepattern - File pattern matching.
fortiguard - FortiGuard web filtering.
pass - Pass single connection from all.
range-block - Exempt range block feature.
web-content - Web filter content matching.
Scope
URL Filtering
Solution
To specify which services are bypassed for a URL whose action is set to "exempt", configure the entry through the command line interface. The following example shows the syntax.
The URL fortinet.com is added with the action set to "exempt":
FGT# config webfilter urlfilter
FGT(urlfilter) # edit
FGT(1) # config entries
FGT(entries) # edit fortinet.com
FGT(fortinet.com) # set exempt ?
activex-java-cookie ActiveX, Java, and cookie filtering.
all Exempt from all.
av Antivirus filtering.
dlp DLP scanning.
filepattern File pattern matching.
fortiguard FortiGuard web filtering.
pass Pass single connection from all.
range-block Exempt range block feature.
web-content Web filter content matching.
FGT(fortinet.com) # set exempt <- Select the services that need to be bypassed.
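To review which inspections existing exempt entries switch off, the sketch below audits a saved configuration. It is an added example, not Fortinet code: the sample configuration is constructed in the CLI style shown above, `audit_exempt` and `skips_av` are hypothetical helper names, and an exempt entry with no `set exempt` line is assumed to bypass every service listed in the Description.

```python
import shlex

# Services the page lists as options of "set exempt" (besides "all").
SERVICES = {"activex-java-cookie", "av", "dlp", "filepattern",
            "fortiguard", "pass", "range-block", "web-content"}

# Constructed sample in the page's CLI style; not taken from a real device.
SAMPLE = """\
config webfilter urlfilter
    edit 1
        config entries
            edit fortinet.com
                set action exempt
                set exempt fortiguard web-content
            next
            edit example.org
                set action exempt
            next
            edit example.net
                set action allow
            next
        end
    next
end
"""

def audit_exempt(config_text):
    """Map each exempt URL entry to the sorted list of services it bypasses."""
    findings, stack, entry = {}, [], None
    for tok in map(shlex.split, config_text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack[-2:] == ["webfilter urlfilter", "entries"]:
            if tok[0] == "edit":
                # Assumption: no explicit "set exempt" line means all services.
                entry = {"url": tok[1], "action": None, "exempt": ["all"]}
            elif tok[0] == "set" and entry and tok[1] in ("action", "exempt"):
                entry[tok[1]] = tok[2:] if tok[1] == "exempt" else tok[2]
            elif tok[0] == "next" and entry and entry["action"] == "exempt":
                opts = set(entry["exempt"])
                findings[entry["url"]] = sorted(SERVICES if "all" in opts else opts & SERVICES)
    return findings

def skips_av(findings):
    """URLs whose exemption also turns off antivirus scanning."""
    return sorted(url for url, svcs in findings.items() if "av" in svcs)
```

Entries returned by `skips_av` are the ones to narrow first, by setting `set exempt` to only the services that were actually blocking the URL.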