Created on 11-30-2020 12:42 AM, edited on 12-15-2021 11:01 PM, by Anonymous
Description
This article describes how to explicitly enable custom categories in web filter profiles, SSL/SSH inspection profiles, and proxy addresses.
Solution
In all web filter profiles, local and remote categories have to be manually enabled.
When a new threat feed connector or a web rating override in a custom category is created, it has no effect on any web filter profile until the category's action is changed to Monitor, Block, Warning, or Authenticate in that web filter profile's settings.
If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.
In SSL/SSH inspection profiles, local and remote categories have to be explicitly selected to be exempt from SSL inspection.
In proxy addresses, local and remote categories have to be explicitly selected as URL categories for them to apply.
In both settings, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.
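The two rules above (a custom category has no effect on a profile until a filter for it is enabled, and local categories take precedence over remote categories, which take precedence over FortiGuard categories) can be checked offline against a saved profile. The following script is an added example written for this article, not FortiGate code or output. It parses the 'config filters' block of a FortiOS-style 'config webfilter profile' snippet (the sample below is constructed to resemble the WebFilter-1 profile used later in this article), resolves the effective action for a URL that falls into several categories, and lists defined custom categories that the profile never enables. It assumes that category IDs 140-191 are local categories and 192-221 are remote (threat feed) categories, and that a filter without a 'set action' line defaults to monitor.

```python
"""Added example: web filter category precedence and coverage check (not FortiGate code)."""

# Assumed ID ranges: 140-191 local (ftgd-local-cat), 192-221 remote (external-resource).
LOCAL_RANGE = range(140, 192)
REMOTE_RANGE = range(192, 222)

# Constructed sample resembling the article's WebFilter-1 profile.
SAMPLE_PROFILE = """
config webfilter profile
    edit "WebFilter-1"
        set feature-set proxy
        config ftgd-wf
            unset options
            config filters
                edit 12
                    set category 12
                    set action warning
                next
                edit 140
                    set category 140
                next
                edit 192
                    set category 192
                    set action block
                next
            end
        end
    next
end
"""


def parse_filters(text):
    """Return {category_id: action} for the profile's 'config filters' block.

    A filter entry with no 'set action' line is recorded as 'monitor', the
    default the article states for newly added local/remote category filters.
    """
    actions = {}
    in_filters = False
    category, action = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config filters":
            in_filters = True
            continue
        if not in_filters:
            continue
        if line.startswith("edit "):
            category, action = None, "monitor"
        elif line.startswith("set category "):
            category = int(line.split()[2])
        elif line.startswith("set action "):
            action = line.split()[2]
        elif line == "next" and category is not None:
            actions[category] = action
        elif line == "end":
            break  # end of the filters block
    return actions


def category_tier(cat_id):
    """0 = local, 1 = remote, 2 = FortiGuard; lower wins under the precedence rule."""
    if cat_id in LOCAL_RANGE:
        return 0
    if cat_id in REMOTE_RANGE:
        return 1
    return 2


def effective_action(url_categories, filters):
    """Pick the action that applies to a URL in several categories.

    Only categories that the profile enables (present in its filters) count;
    among those, local beats remote beats FortiGuard. Returns (category, action),
    or None when no enabled category matches the URL.
    """
    enabled = [c for c in url_categories if c in filters]
    if not enabled:
        return None
    winner = min(enabled, key=lambda c: (category_tier(c), c))
    return winner, filters[winner]


def unenforced_custom_categories(defined_categories, filters):
    """Local/remote categories defined on the unit but missing from the profile.

    Ratings and threat feeds placed in these categories have no effect on this
    profile until a filter for them is added.
    """
    return sorted(c for c in defined_categories
                  if (c in LOCAL_RANGE or c in REMOTE_RANGE) and c not in filters)


if __name__ == "__main__":
    filters = parse_filters(SAMPLE_PROFILE)
    # www.fortinet.com: FortiGuard category 12, local category 140, remote feed 192.
    print(effective_action({12, 140, 192}, filters))
    print(unenforced_custom_categories({140, 141, 192, 194}, filters))
```

Run against a copy of the profile taken from the unit; any category the second function reports is one whose overrides or feed entries are silently ignored by that profile.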
Web filter profiles.
In this example, www.fortinet.com is added to the Seriously custom category.
The Seriously category action is set to Monitor, overriding the action applied to the Information Technology category and to any remote categories that also contain the URL.
An external threat feed is also connected, and its action is set to Block, overriding the default FortiGuard category actions for URLs that are in multiple categories.
To use local and remote categories in a web filter profile from GUI:
1) Go to Security Profiles -> Web Rating Overrides and create a custom category and add URLs to it.
2) Create a FortiGuard Category Threat Feed external connector to import an external blocklist.
3) Create or edit a web filter profile. See FortiGuard filter for details.

To use local and remote categories in a web filter profile from CLI:
1) Create the custom category and add the URL to it:
config vdom
    edit root
        config webfilter ftgd-local-cat
            edit "Seriously"
                set id 140
            next
        end
        config webfilter ftgd-local-rating
            edit "www.fortinet.com"
                set rating 140
            next
        end
    next
end
2) Create the threat feed external connector:
config global
    config system external-resource
        edit "OnAworkComputer"
            set category 192
            set resource "https://192.168.0.5/lists/blocklist.txt"
        next
    end
end
3) Create or edit the web filter profile:
config vdom
    edit root
        config webfilter profile
            edit "WebFilter-1"
                set feature-set proxy
                config ftgd-wf
                    unset options
                    config filters
                        edit 12
                            set category 12
                            set action warning
                        next
                        ...
                        edit 23
                            set action warning
                        next
                        edit 140
                            set category 140
                        next
                        edit 192
                            set category 192
                            set action block
                        next
                    end
                end
            next
        end
    next
end
When a filter is added for the local and remote categories (140 and 192 in this example), the default action is monitor.

SSL/SSH inspection profiles.
To use local and remote categories in an SSL/SSH inspection profile to exempt the categories from SSL inspection from GUI:
1) Go to Security Profiles -> SSL/SSH Inspection.
2) Create a new profile or edit an existing one.
3) Ensure that Inspection method is Full SSL Inspection.
4) In the Exempt from SSL Inspection section, add the local and remote categories to the Web categories list.
5) Configure the remaining settings as required, then select 'OK'.

To use local and remote categories in an SSL/SSH inspection profile to exempt the categories from SSL inspection from CLI:
config firewall ssl-ssh-profile
    edit "SSL_Inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        ...
        config ssl-exempt
            edit 1
                set fortiguard-category 140
            next
            edit 2
                set fortiguard-category 194
            next
        end
    next
end

Proxy addresses.
To use local and remote categories in a proxy address from GUI:
1) Go to Policy & Objects -> Addresses and select 'Create New' -> Address, or edit an existing proxy address.
2) Set Category to 'Proxy Address'.
3) Set Type to URL Category.
4) In the URL Category, add the local and remote categories.
5) Configure the remaining settings as required, then select 'OK'.
To use local and remote categories in a proxy address from CLI:
config firewall proxy-address
    edit "proxy_override"
        set type category
        set host "all"
        set category 140 194
        set color 23
    next
end