FortiGate
rmetzger (Staff)
Article Id 196171
Description
This article explains the difference in behavior between the actions "pass" and "exempt" defined in a URL filtering entry.

These parameters are found in the following CLI configuration section:

config webfilter urlfilter
    edit 1
        config entries
            edit "www.mydemodomain.net/files/content"
                set action pass    // can also be "exempt", "block" or "allow"
            next
        end
        set name "my_domain"
    next
end


Solution
Introduction

The FortiGate unit applies web filters in this specific order:

1. URL exempt/pass
2. URL block
3. Web pattern block
4. FortiGuard Web Filtering
5. Web content filter
6. Web script filter
7. Antivirus scanning.

The parameters described in this article apply to the first item in this list.


Summary

When the option is set to "exempt", the whole connection matching the domain in the URL filter entry bypasses any further action in the web filter list, and access to this URL is granted with no further verification (including AV scanning).

When the option is set to "pass", each subsequent request on this connection is checked individually and bypassed only if it matches the entry, instead of the whole connection being bypassed.


Example

1.1. With action = exempt

The first request, for example GET www.mydemodomain.net/files/content/eicar.com, will be exempted from any further filtering or scanning. This will bypass the whole connection to the FQDN www.mydemodomain.net.

Therefore, any further request in the same persistent HTTP connection, for example GET www.mydemodomain.net/virus/eicar.com, will also not be scanned, since the connection itself is bypassed.


1.2. With action = pass

The first request, GET www.mydemodomain.net/files/content/eicar.com, will be passed without scanning. The connection, however, will not be bypassed.

The next request in the same persistent connection, for example GET www.mydemodomain.net/virus/eicar.com, will now be scanned, since it does not match the urlfilter entry.



2.1. With action = exempt

The first request, GET www.mydemodomain.net/files/content/eicar.com sent through squidproxy.net:3128, will be exempted. This will bypass the connection to squidproxy.net.

The next request in the same persistent connection, GET www.mydemodomain.net/virus/eicar.com through squidproxy.net:3128, will not be scanned, since the connection is bypassed.


2.2. With action = pass

The first request, GET www.mydemodomain.net/files/content/eicar.com sent through squidproxy.net:3128, will be passed without scanning. The connection to squidproxy.net, however, will not be bypassed.

The next request in the same persistent connection, GET www.mydemodomain.net/virus/eicar.com through squidproxy.net:3128, will now be scanned, since it does not match the urlfilter entry.
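The following added example is a small Python model of the behaviour described in the Summary and the examples above; it is not FortiGate code. It assumes a simple prefix match for the urlfilter entry (FortiGate's simple/regex/wildcard pattern types are not reproduced) and treats "allow" as letting the request continue to the remaining filter stages; it shows why the second request on the same persistent connection is scanned with "pass" but not with "exempt".

```python
from dataclasses import dataclass

@dataclass
class Connection:
    """State of one persistent HTTP connection (direct or through an explicit proxy)."""
    exempted: bool = False   # becomes True once an "exempt" entry has matched on it

def url_matches(url: str, pattern: str) -> bool:
    # Assumption: simple prefix match on host + path, as in the article's entry.
    return url.startswith(pattern)

def filter_request(conn: Connection, url: str, entries: list) -> str:
    """Return the outcome for one request: 'exempted', 'passed', 'blocked' or 'scanned'.

    Models step 1 of the filter order (URL exempt/pass) and whether the later
    stages (URL block, FortiGuard, content filter, AV scanning) still run.
    """
    if conn.exempted:
        # Whole connection already bypassed: nothing else is checked, not even AV.
        return "exempted"
    for entry in entries:
        if url_matches(url, entry["pattern"]):
            action = entry["action"]
            if action == "exempt":
                conn.exempted = True        # bypass applies to the connection
                return "exempted"
            if action == "pass":
                return "passed"             # this request only; connection stays inspected
            if action == "block":
                return "blocked"
            break                           # "allow" (assumption): later stages still run
    return "scanned"                        # no bypass: remaining stages, including AV, run

def run_persistent_connection(action: str, urls: list) -> list:
    """Replay the requests of one persistent connection against a single-entry urlfilter."""
    entries = [{"pattern": "www.mydemodomain.net/files/content", "action": action}]
    conn = Connection()
    return [filter_request(conn, url, entries) for url in urls]

# Constructed sample: the two requests from the article's examples, same connection.
REQUESTS = [
    "www.mydemodomain.net/files/content/eicar.com",
    "www.mydemodomain.net/virus/eicar.com",
]

if __name__ == "__main__":
    for action in ("exempt", "pass"):
        print(action, run_persistent_connection(action, REQUESTS))
```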

