Technical Tip: Difference between action 'Allow' and 'Exempt' in static URL filter

This article describes the difference between the 'Allow' and 'Exempt' actions in static URL filter configuration.

In the Web UI, the static URL filter and FortiGuard category filters are both located within the Web filter profile configuration:

However, in CLI and in FortiOS in general, the static URL filter list is not part of the Web filter profile, instead it is configured separately as follows:

# config webfilter urlfilter
    edit 3
        set name "test"
            config entries
                edit 1
                    set url "example.com"
                    set exempt web-content
                next
            end
    next
end

Then applied to the WebFilter profile as follows:

# config webfilter profile
    edit "test"
        config web
            set urlfilter-table 3   -> URL filter list '3' applied.
        end
        config ftgd-wf
            unset options
        end
    next
end

When FortiGate performs a web filter check, it will first check the static URL filter list (if applied to the profile) and based on the action, will then perform the FortiGuard category check.

'Action' descriptions in Static URL see bellow:

- 'Block' -> destination is blocked and session dropped, no further category check is needed.

- 'Allow' -> destination is allowed from the static URL list, FortiGate proceeds with checking the category to decide further action.

- 'Exempt' -> destination is exempted from further inspection and traffic is allowed.