Technical Tip: Difference between action 'Allow' and 'Exempt' in static URL filter

This article describes the difference between the 'Allow' and 'Exempt' actions in static URL filter configuration.

In the Web UI, the static URL filter and FortiGuard category filters are both located within the Web filter profile configuration:

However, in CLI and in FortiOS in general, the static URL filter list is not part of the Web filter profile. Instead, it is configured separately as follows:

config webfilter urlfilter
    edit 3
        set name "test"
            config entries
                edit 1
                    set url "example.com"
                    set exempt web-content
                next
            end
    next
end

Then applied to the WebFilter profile as follows:

config webfilter profile
    edit "test"
        config web
            set urlfilter-table 3   -> URL filter list '3' applied.
        end
        config ftgd-wf
            unset options
        end
    next
end

When FortiGate performs a web filter check, it will first check the static URL filter list (if applied to the profile) and based on the action, will then perform the FortiGuard category check.

'Action' descriptions in Static URL see below:

• 'Block' -> destination is blocked and session dropped, no further category check is needed.
• 'Allow' -> destination is allowed from the static URL list, FortiGate proceeds with checking the category to decide further action.
• 'Exempt' -> destination is exempted from further inspection and traffic is allowed.

Note: The 'Exempt' action will bypass further inspections such as FortiGuard web filters, content filters, web script filters, Anti-Virus, and DLP by default. It is possible to select which inspection to bypass in the CLI as mentioned in this article: Technical Tip: How to specify which security profiles to bypass for exempted URLs under Static URL F...

Related articles: 

Technical Tip: Using a static URL filter feature to allow/block web sites