Description
This article explains how to override a website's FortiGuard-based category rating on the FortiGate so that it can be assigned to a different category. This is useful when a particular website/domain needs to be treated differently without impacting other websites belonging to the same category (for example, whitelisting YouTube while still blocking the Streaming Media and Download category as a whole).
Scope
FortiGate, FortiGuard Category-based Web Filtering.
Solution
Important Notes:
- Web Rating Overrides can be configured on the FortiGate to override a given domain, but note that these overrides also apply to sub-domains unless a more specific match exists. For example, an Override created for 'example.com' will also affect the categorization of sub-domains like 'test.example.com' and 'vpn.example.com', resulting in all three websites being categorized the same.
This means that there is no need (or support for) wildcard expressions within Web Rating Overrides since it is handled automatically. On the other hand, if a sub-domain needs to be handled separately from the main domain then a more-specific Web Rating Override must be created that matches the sub-domain(s) in question. - IP addresses can not be used in Web Rating Overrides.
- Ensure that the Web Filter profile containing the Web Rating Override is actively applied to the relevant firewall policy; otherwise, the override will not take effect on user traffic.
Configuration:
To override the FortiGuard web rating, go to Security Profiles -> Web Rating Overrides.
Select any column heading to select columns that are displayed or to reset all the columns to the default settings.
Drag column headings to change the orders.
The following options are available:
| Create New | Create a new web rating override. See: To create a new web rating override. |
| Edit | Modify the selected web rating override. See: To edit a web rating override. |
| Delete | Remove the selected web rating override. See: To delete an override or overrides. |
| Status | Override is enabled or disabled. |
| Search | Enter a search term to search the web rating override list. |
| URL | The URL of a web site. |
| Custom Categories | Select to create a custom category for groups of URLs. |
Web rating overrides can be created, edited, and deleted as required.
A. To create a new web rating override.
- Go to Security Profiles -> Web Rating Override and select 'Create New' from the toolbar.
- In the URL field, text the URL of the website to re-categorize. Do not use wildcard expressions when typing in the URL.
- Select 'Lookup Rating' to verify the current categorization assigned to the URL.
- Select a new category for the website in the category drop-down menu.
- Select a more narrowly defined option within the main category in the sub-category drop-down menu.
- Select 'OK'.
B. To edit a web rating override.
- Go to Security Profiles -> Web Rating Overrides.
- Select the web rating override to edit and then select 'Edit' from the toolbar or select the profile name in the list.
- Edit the information as required and then select 'OK' to save the changes.
C. To delete an override or overrides.
- Go to Security Profiles -> Web Rating Overrides.
- Select the override or overrides to delete.
- Select 'Delete' from the toolbar.
- Select 'OK' in the confirmation dialog box to delete the selected override or overrides.
Example Scenario:
Customer wants to block website tiktok.com but allow other websites in the Social Networking category. To accomplish this, a Web Rating Override can be created to assign TikTok to another category (in this example, Adult/Mature Content -> Other Adult Materials was chosen):
- In the FortiOS web GUI, go to Security Profiles -> Web Rating and select the Create New button.
- Specify 'tiktok.com' in the URL section. Currently the FortiGuard categorization is General Interest - Personal -> Social Networking.
- In the Override to section, set the Category to Adult/Mature Content and the Sub-Category to Other Adult Materials.
- Select OK to commit the change.
At this point, Web Filtering will now categorize connections to tiktok.com as belonging to Adult/Mature Content -> Other Adult Materials. The category can be set with the Block action within a given Web Filtering profile and the profile can then be applied to Firewall Policies on the FortiGate to block user access to the website.
To create a new custom category for a group of web sites:
- Go to Security Profiles -> Web Rating Overrides.
- Select Custom Categories. The Custom Categories window opens.
- Select Create New.
- Enter the name of the custom category.
- Select 'OK'.
To use the new category when creating/editing a Web Rating Override, change the Category field to 'Custom Categories'. The new custom categories are listed in the Sub-Category drop-down menu.
Important Note: Once the override is created using a Custom Category, go to the Web Filter profile and change the action for the new category to one of the following: Allow, Monitor, Block, Warning, or Authenticate.
By default, custom categories are set with the Disable action in Web Filter, so any overrides that are based on these custom categories will not take effect until the custom category has an action other than Disable.
Before v6.4.2 (i.e. 6.4.1, 6.2, and all earlier), Web Rating Overrides would not take effect if the Action for the custom category was set to Allow. In 6.4.2 and later, a new Disable action was added as the new default so that the Allow action worked as expected for custom categories (see also: FortiOS 6.4 New Features - Explicitly enable custom categories [...]).
If the override login page is not loading properly, check the authentication settings and choose the correct certificate.
config user setting
set auth-cert Fortinet_Factory <----- This certificate will be used for the override page. Ensure this setting has the correct certificate.
end
Related document:
