FortiGate
Deepak_Girimaji_FTNT
Article Id 197249

Description

 
This article explains why setting the action to 'Allow' in the URL filter may not result in the URL being accessible. Any attempt to access a URL that matches a URL pattern with an allow action is permitted by the URL filter itself.
However, the traffic is then passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning, any of which may still block access to the URL. Setting the action to 'Exempt' therefore allows URL access. Note that specifying the action as 'Exempt' for a URL bypasses the following security services:
 
activex-java-cookie - ActiveX, Java, and cookie filtering.
av                  - Antivirus filtering.
dlp                 - DLP scanning.
filepattern         - File pattern matching.
fortiguard          - FortiGuard web filtering.
pass                - Pass single connection from all.
range-block         - Exempt range block feature.
web-content         - Web filter content matching.


Scope

 
URL Filtering.


Solution

 
To specify which services are bypassed for a URL with the action set to 'exempt', the configuration must be done through the command line interface, using the syntax shown in the following example.
In this example, the fortinet.com URL is added with the action set to 'exempt'.

urlfilter1.jpg

 

FGT# config webfilter urlfilter
FGT(urlfilter) # edit <ID>
FGT(1) # config entries
FGT(entries) # edit fortinet.com
FGT(fortinet.com) # set exempt ?

activex-java-cookie ActiveX, Java, and cookie filtering.
all                 Exempt from all.
av                  Antivirus filtering.
dlp                 DLP scanning.
filepattern         File pattern matching.
fortiguard          FortiGuard web filtering.
pass                Pass single connection from all.
range-block         Exempt range block feature.
web-content         Web filter content matching.

FGT(fortinet.com) # set exempt    <- Select the services that need to be bypassed.
 
Note: Starting from FortiOS v7.6.3, the services to be exempted in the URL filter can also be selected in the GUI.
 
urlfilter.jpg

 

  • AntiVirus - refers to the AntiVirus filtering.
  • Legacy filters - refer to Web content, Anti-phishing, Range block, ActiveX, Java and cookies.
  • DLP - refers to DLP scanning.
  • FortiGate Cloud - FortiGuard web filtering.
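
To review an existing configuration for exemptions that bypass more than intended, the following added example (not Fortinet code and not part of the original article) parses the 'config webfilter urlfilter' section of a configuration backup and lists the exempt entries whose 'set exempt' value includes all, av or dlp. The backup layout ('set url', 'set action'), the sample entries and the choice of which services count as risky are assumptions.

```python
import shlex

# Constructed sample; the layout of a FortiOS configuration backup is assumed.
SAMPLE_CONFIG = """
config webfilter urlfilter
    edit 1
        config entries
            edit 1
                set url "fortinet.com"
                set action exempt
                set exempt fortiguard web-content
            next
            edit 2
                set url "updates.example.com"
                set action exempt
                set exempt all
            next
            edit 3
                set url "downloads.example.com"
                set action exempt
                set exempt av dlp fortiguard
            next
        end
    next
end
"""
RISKY = {"all", "av", "dlp"}  # assumed review policy, not a Fortinet default

def audit_exempt_entries(config_text, risky=RISKY):
    """Return (url, risky_services) for exempt entries that bypass risky services."""
    findings, depth, entry = [], 0, {}
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:  # ignore everything outside the urlfilter section
            depth = 1 if line == "config webfilter urlfilter" else 0
        elif line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line.startswith("edit "):
            entry = {}  # start collecting settings for a new table row
        elif line.startswith("set "):
            _, key, *values = shlex.split(line)
            entry[key] = values
        elif line == "next":
            hits = sorted(set(entry.get("exempt", [])) & risky)
            if entry.get("action") == ["exempt"] and hits:
                findings.append((entry.get("url", ["?"])[0], hits))
            entry = {}
    return findings
```

Calling audit_exempt_entries(SAMPLE_CONFIG) reports the two constructed entries that bypass antivirus or DLP scanning, while the fortinet.com entry, which exempts only FortiGuard web filtering and web content matching, is not reported.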

 

Related article:
Technical Tip: Explanation of the Allow, Block, Exempt, and Monitor static URL filter actions