FortiGate
Francesko (Staff)
Article Id 389793
Description This article explains how to configure the static URL filter in a Web Filter profile to permit access only to specified URLs while blocking all others.
Scope FortiGate.
Solution

Certain scenarios require restricting web access to an explicit allow list of URLs using the Web Filter UTM feature alone, without relying on the destination address field of the firewall policy. This can be achieved with the 'Static URL Filter' feature within the Web Filter profile. Note that the web filter only inspects HTTP and HTTPS; other protocols permitted by the policy are not restricted by this method.

The 'Static URL Filter' does not include a catch-all entry by default, so one must be added manually to block access to all other destinations. Without it, a URL that matches no entry is not blocked by the static filter; it simply falls through to the remaining web filter checks (such as FortiGuard categories).


The following diagram shows a sample configuration scenario:

[Diagram: sample configuration scenario]
The configuration of the catch-all entry in the Web Filter profile:


URL: *
Type: Wildcard
Action: Block


Note: The order of entries is important. Entries are evaluated from top to bottom and the first matching entry decides the action, so a catch-all placed above an allowed domain would block that domain.

Firewall Policy configuration:


config firewall policy
    edit <policy_id>
        set name "Policy_1"
        set srcintf "port1"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "TestWF"
        set nat enable
    next
end

Note: With 'certificate-inspection', the FortiGate sees only the server name (SNI or certificate subject) of an HTTPS session, so static URL filter entries for HTTPS sites can match on the hostname only; matching on a path within the URL requires deep inspection. Because the policy uses 'set service "ALL"' and 'set dstaddr "all"', traffic that is not HTTP or HTTPS is still permitted to any destination; only web traffic is subject to the URL filter.

Web Filter configuration:

config webfilter profile
    edit "TestWF"
        set comment "Default web filtering."
            config web
                set urlfilter-table 1
            end
            config ftgd-wf
            ...
            end
    next
end


URL Filter configuration (the CLI shows only non-default values, so entries 1 to 3 use the default type and action; set them explicitly if the intended action should be visible in the configuration):

config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter"
            config entries
                edit 1
                    set url "domain1.tld"
                next
                edit 2
                    set url "domain2.tld"
                next
                edit 3
                    set url "domain3.tld"
                next
                edit 4
                    set url "*"
                    set type wildcard
                    set action block
                next
            end
    next
end


GUI configuration example:

[Animated screenshot: GUI configuration of the Static URL Filter]


When adding a new domain later, insert it above the wildcard catch-all: any entry placed after the '*' block entry is never reached, because the wildcard matches first and the evaluation stops there.
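The following Python script is an added example, not code from this article or from FortiOS. It models the top-to-bottom, first-match evaluation of a static URL filter table: it builds the allow-list table used above, renders the equivalent 'config webfilter urlfilter' CLI, evaluates sample URLs against it, and reports which entries become unreachable when the '*' catch-all is not the last entry. The matching rules for simple, wildcard and regex entries, and the use of 'exempt' as the action for entries that set none, are simplifying assumptions about FortiOS behaviour; verify the real defaults with 'show full-configuration' on the unit.

```python
"""First-match model of a FortiGate static URL filter table.

Added example, not Fortinet code. Entries are evaluated top to bottom and
the first match decides, so a wildcard catch-all ("*", block) must be the
last entry. Matching rules are a simplified model of FortiOS (assumption):
  simple   - host equal to, or a subdomain of, the pattern's host, and the
             path starting with the pattern's path (if it has one)
  wildcard - shell-style glob (fnmatch) over the host or over "host/path"
  regex    - re.search over "host/path"
Entries that set no action use "exempt" here; treat that as an assumption
about the FortiOS CLI default and confirm on the device.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Entry:
    url: str
    type: str = "simple"    # FortiOS default type
    action: str = "exempt"  # assumed default action, see module docstring


def _split(url: str) -> Tuple[str, str]:
    """Return (lowercased host, path) for a URL or a bare host/path pattern."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def matches(entry: Entry, url: str) -> bool:
    """Does a single entry match the URL under the simplified rules above?"""
    host, path = _split(url)
    target = host + path
    if entry.type == "simple":
        p_host, p_path = _split(entry.url)
        host_ok = host == p_host or host.endswith("." + p_host)
        path_ok = p_path == "/" or path.startswith(p_path)
        return host_ok and path_ok
    if entry.type == "wildcard":
        return fnmatchcase(host, entry.url) or fnmatchcase(target, entry.url)
    if entry.type == "regex":
        return re.search(entry.url, target) is not None
    raise ValueError(f"unknown entry type {entry.type!r}")


def evaluate(entries: List[Entry], url: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry id) of the first matching entry.
    ('no-match', None) means the static filter is silent and the later web
    filter stages (FortiGuard categories and so on) decide."""
    for idx, entry in enumerate(entries, start=1):
        if matches(entry, url):
            return entry.action, idx
    return "no-match", None


def unreachable_entries(entries: List[Entry]) -> List[int]:
    """1-based ids of entries placed below a wildcard '*' catch-all; they can
    never be reached because the catch-all matches every URL first."""
    for idx, entry in enumerate(entries, start=1):
        if entry.type == "wildcard" and entry.url == "*":
            return list(range(idx + 1, len(entries) + 1))
    return []


def build_allowlist(domains: List[str]) -> List[Entry]:
    """Table in the order the article uses: listed domains first, then the
    wildcard block catch-all as the last entry."""
    table = [Entry(d) for d in domains]
    table.append(Entry("*", "wildcard", "block"))
    return table


def render_cli(table_id: int, name: str, entries: List[Entry]) -> str:
    """Emit the 'config webfilter urlfilter' block, showing only non-default
    type/action values as the FortiOS CLI does."""
    lines = ["config webfilter urlfilter", f"    edit {table_id}",
             f'        set name "{name}"', "        config entries"]
    for idx, e in enumerate(entries, start=1):
        lines += [f"            edit {idx}", f'                set url "{e.url}"']
        if e.type != "simple":
            lines.append(f"                set type {e.type}")
        if e.action != "exempt":
            lines.append(f"                set action {e.action}")
        lines.append("            next")
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    good = build_allowlist(["domain1.tld", "domain2.tld", "domain3.tld"])
    print(render_cli(1, "Auto-webfilter-urlfilter", good))
    for u in ["https://www.domain1.tld/login", "https://example.net/"]:
        print(u, "->", evaluate(good, u))
    # Catch-all moved to the top: every entry below it is shadowed.
    bad = [good[-1]] + good[:-1]
    print("unreachable:", unreachable_entries(bad),
          evaluate(bad, "https://domain1.tld/"))
```

Running the script before pushing a change is a cheap pre-deployment check: a non-empty result from unreachable_entries means a domain was appended after the catch-all and will be blocked despite being in the list.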


Related documents:

Web filter

Technical Tip: Using a static URL filter feature to allow/block web sites