Technical Tip: Customize URL static filter's 'Exempt' Action

inoriega_FTNT · ‎12-05-2017

Description
This articles describes how to customize which security profiles in the URL filter get bypassed by the "Exempt" action.

Solution
Through CLI execute:

# config webfilter urlfilter
show

"show" will display each configured URL filter associated with a profile:

# show
config webfilter urlfilter
    edit 1
        set name "default"
        config entries
            edit 1
                set url "*twitter.com"
                set type wildcard
                set exempt fortiguard
            next
        end
    next
    edit 2
        set name "monitor-all"
        config entries
            edit 1
                set url "testing123.com"
            next
        end
    next
end

There are 2 URL filters, "*twitter.com" associated to the profile "default" and "testing123" associated to the profile "monitor-all".

The "*twitter.com" filter has a "set exempt fortiguard" field which doesn't exist in "testing123" filter.

Note: this is because "show" only displays values that are different from the default values.

If "show full-configuration" is used:

# show full-configuration
config webfilter urlfilter
    edit 1
        set name "default"
        set comment ''
        set one-arm-ips-urlfilter disable
        set ip-addr-block disable
        config entries
            edit 1
                set url "*twitter.com"
                set type wildcard
                set action exempt
                set status enable
                set exempt fortiguard
                set referrer-host ''
            next
        end
    next
    edit 2
        set name "monitor-all"
        set comment ''
        set one-arm-ips-urlfilter disable
        set ip-addr-block disable
        config entries
            edit 1
                set url "testing123.com"
                set type simple
                set action exempt
                set status enable
                set exempt av web-content activex-java-cookie dlp fortiguard range-block all
                set referrer-host ''
            next
        end
    next
end

By default the action "exempt" bypasses several security profiles, as seen in filter "testing123.com".

In the case of "*twitter.com" (previously modified) only FortiGuard is bypassed.

To customize these values:

# edit 2

Entry 2 is the number identifying the profile "monitor-all".

Then use:

# config entries
# show

All the URL filters within the profile selected will be shown, in the example "monitor-all":

# config entries
    edit 1
        set url "testing123.com"
    next
end

To see the options of a URL filter e.g. "testing123" with the id of 1, use the following command:

# edit 1
# set exempt ?

"?" is used to show all the available options:

# set exempt
av                     Antivirus filtering.
web-content            Web filter content matching.
activex-java-cookie    ActiveX, Java, and cookie filtering.
dlp                    DLP scanning.
fortiguard             FortiGuard web filtering.
range-block            Exempt range block feature.
pass                   Pass single connection from all.
all                    Exempt from all.

To save the changes, type "end".

To view the changes, type:

# set exempt av
# end

# show
config webfilter urlfilter
    edit 2
        set name "monitor-all"
        config entries
            edit 1
                set url "testing123.com"
                set exempt av
            next
        end
    next
end

In summary:

# config webfilter urlfilter

Enter the webfilter profile for the static URL:

# edit x ("x" is the table number of the webfilter profile.)

Then use:

# config entries
# edit y ("y" is the table number of the URL filter)
# set exempt

To save the changes type "end".