FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
skaneria
Staff
Staff
Article Id 193384

Description

 

This article explains how to override a website's FortiGuard-based category rating on the FortiGate so that it can be assigned to a different category. This is useful when a particular website/domain needs to be treated differently without impacting other websites belonging to the same category (for example, whitelisting YouTube while still blocking the Streaming Media and Download category as a whole).

 

Scope

 

FortiGate, FortiGuard Category-based Web Filtering.

Solution

 

Important Note: 

Web Rating Overrides can be configured on the FortiGate to override a given domain, but note that these overrides also apply to sub-domains unless a more specific match exists. For example, an Override created for 'example.com' will also affect the categorization of sub-domains like 'test.example.com' and 'vpn.example.com', resulting in all three websites being categorized the same. 

 

This means that there is no need (or support for) wildcard expressions within Web Rating Overrides since it is handled automatically. On the other hand, if a sub-domain needs to be handled separately from the main domain then a more-specific Web Rating Override must be created that matches the sub-domain(s) in question.

 

To override the FortiGuard web rating, go to Security Profiles -> Web Rating Overrides.


Capture.png

 

Select any column heading to select columns that are displayed or to reset all the columns to the default settings.
Drag column headings to change the orders.

The following options are available:

Create New Create a new web rating override. See: To create a new web rating override.
Edit Modify the selected web rating override. See: To edit a web rating override.
Delete Remove the selected web rating override. See: To delete an override or overrides.
Custom Categories Select to create a custom category for groups of URLs. See: To create a new custom category for a group of web sites
Search Enter a search term to search the web rating override list.
URL The URL of a web site.
Override Category The new category for the web site.
Original Category The category that the web site originally belonged to.
Status Override is enabled or disabled.


Web rating overrides can be created, edited, and deleted as required.

To create a new web rating override.

  1. Go to Security Profiles -> Web Rating Override and select 'Create New' from the toolbar.
  2. In the URL field, text the URL of the website to re-categorize. Do not use wildcard expressions when typing in the URL.
  3. Select 'Lookup Rating' to verify the current categorization assigned to the URL.
  4. Select a new category for the website in the category drop-down menu.
  5. Select a more narrowly defined option within the main category in the sub-category drop-down menu.
  6. Select 'OK'.


Untitled.gif

 

To edit a web rating override.

  1. Go to Security Profiles -> Web Rating Overrides.
  2. Select the web rating override to edit and then select 'Edit' from the toolbar or select the profile name in the list.
  3. Edit the information as required and then select 'OK' to save the changes.

 

To delete an override or overrides.

  1. Go to Security Profiles -> Web Rating Overrides.
  2. Select the override or overrides to delete.
  3. Select 'Delete' from the toolbar.
  4. Select 'OK' in the confirmation dialog box to delete the selected override or overrides.

 

Example Scenario: Customer wants to block website tiktok.com but allow other websites in the Social Networking category. To accomplish this, a Web Rating Override can be created to assign TikTok to another category (in this example, Adult/Mature Content -> Other Adult Materials was chosen):

 

  1. In the FortiOS web GUI, go to Security Profiles -> Web Rating and select the Create New button.
  2. Specify 'tiktok.com' in the URL section. Currently the FortiGuard categorization is General Interest - Personal -> Social Networking.
  3. In the Override to section, set the Category to Adult/Mature Content and the Sub-Category to Other Adult Materials.
  4. Select OK to commit the change.

At this point, Web Filtering will now categorize connections to tiktok.com as belonging to Adult/Mature Content -> Other Adult Materials. The category can be set with the Block action within a given Web Filtering profile and the profile can then be applied to Firewall Policies on the FortiGate to block user access to the website.

 

Picture2.png

 

4.PNG

 

3.pngTo create a new custom category for a group of web sites:

 

  1. Go to Security Profiles -> Web Rating Overrides.
  2. Select Custom Categories. The Custom Categories window opens.
  3. Select Create New.
  4. Enter the name of the custom category.
  5. Select 'OK'.

 

Custom1.png


To use the new category when creating/editing a Web Rating Override, change the Category field to 'Custom Categories'. The new custom categories are listed in the Sub-Category drop-down menu.

Important Note: Once the override is created using a custom category, go to the Web Filter profile and change the action for the new category to one of the following: Allow, Monitor, Block, Warning, or Authenticate. By default, custom categories are set with the Disable action, so any overrides that are based on these custom categories will not take effect until the custom category has an action other than Disable.

 

Note: 

Before v6.4.2 (i.e. 6.4.1, 6.2 and all earlier), Web Rating Overrides would not take effect if the Action for the custom category was set to Allow. In 6.4.2 and later, a new Disable action was added as the new default so that the Allow action worked as expected for custom categories (see also: FortiOS 6.4 New Features - Explicitly enable custom categories [...])


As shown in the example, 'newest.com' belongs to the 'Information and technology' category, it is configured to be overridden by the 'business' category, so the business category action must be set as Monitor, Block, Warning, or Authenticate.


If the override login page is not loading properly, check the authentication settings and choose the correct certificate.

 

config user setting

set auth-cert Fortinet_Factory <----- This certificate will be used for the override page. Ensure this setting has the correct certificate.

end