ssavin
Staff
Article Id 261349
Description

 

This article describes the difference between the actions 'Allow' and 'Exempt' under the URL filter in the web filter profile.

 

Scope

 

FortiGate, FortiOS.

 

Solution

 

A URL is evaluated by the web filter profile in the following order:

 

  1. URL filter.
  2. FortiGuard Web Filter (FortiGuard categories).
  3. Web content filter.
  4. Web script filter.
  5. Antivirus scan.

 

The actions available for a URL filter entry are:

 

  1. Exempt.
  2. Block.
  3. Allow.
  4. Monitor.

 

The 'Exempt' action for a defined URL/Wildcard/RegEx entry in the URL filter will permit the traffic to pass through the firewall without any further scanning. The traffic is not matched against the FortiGuard Web Filter (FortiGuard categories), the web content filter, and so on.

 

The 'Block' action for a defined URL/Wildcard/RegEx entry in the URL filter will block any further traffic to the specified URL.

 

The 'Allow' action for a defined URL/Wildcard/RegEx entry in the URL filter will permit the firewall to continue scanning against the FortiGuard Web Filter (FortiGuard categories). If the FortiGuard web filter allows the traffic for that URL, scanning continues with the web content filter and so on.

 

The 'Monitor' action for a defined URL/Wildcard/RegEx entry in the URL filter will have the same effect as the action 'Allow', but the traffic will be logged.


If the requirement is to permit access to a certain URL defined under a URL filter, and that URL falls under a blocked FortiGuard web filter category, then the correct action to choose is 'Exempt'. If only the 'Allow' action is used, the URL will be allowed by the URL filter but will still be blocked by the FortiGuard web filter.
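
The following added example is a simplified Python model (not FortiOS code and not part of the original article) that walks a request through the evaluation order above to show why 'Allow' still ends in a FortiGuard block while 'Exempt' skips every later stage. The host names, categories, first-match rule and the always-pass stand-ins for the stages after FortiGuard are assumptions made for illustration.

```python
import re
from fnmatch import fnmatch

# Stages that run after the URL filter, in the order the article lists them.
LATER_STAGES = ["fortiguard", "web_content", "web_script", "antivirus"]

# Constructed sample data: hypothetical hosts, entries and categories.
URL_FILTER = [
    {"pattern": "training.example.com", "type": "simple", "action": "exempt"},
    {"pattern": "*.video.example.net", "type": "wildcard", "action": "allow"},
    {"pattern": r"^ads[0-9]+\.example\.org$", "type": "regex", "action": "block"},
    {"pattern": "wiki.example.com", "type": "simple", "action": "monitor"},
]
CATEGORY_OF = {
    "training.example.com": "Streaming Media",
    "cdn.video.example.net": "Streaming Media",
    "wiki.example.com": "Reference",
}
BLOCKED_CATEGORIES = {"Streaming Media"}


def matches(entry, host):
    """Match a host against a simple, wildcard or regex entry."""
    if entry["type"] == "simple":
        return host == entry["pattern"]
    if entry["type"] == "wildcard":
        return fnmatch(host, entry["pattern"])
    return re.search(entry["pattern"], host) is not None


def evaluate(host):
    """Return (verdict, stages_run, logged_by_url_filter) for one request."""
    stages = ["url_filter"]
    # Assumption: the first matching entry decides the URL filter action.
    entry = next((e for e in URL_FILTER if matches(e, host)), None)
    action = entry["action"] if entry else None
    if action == "block":
        return "blocked", stages, False
    if action == "exempt":
        return "passed", stages, False  # no further scanning of any kind
    logged = action == "monitor"  # same path as 'allow', plus a log entry
    for stage in LATER_STAGES:
        stages.append(stage)
        # Only the FortiGuard stage is modelled; the others always pass here.
        if stage == "fortiguard" and CATEGORY_OF.get(host) in BLOCKED_CATEGORIES:
            return "blocked", stages, logged
    return "passed", stages, logged
```

The stage list returned for the exempted host contains only the URL filter, which makes the trade-off visible: an exempt entry also skips the later checks in the list above, so such entries are best kept as narrow as the requirement permits.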

 

The use case for the 'Allow' action in the URL filter is to allow only certain subdomains or domains and block everything else in restrictive environments.

 

[Screenshot: Allow action.png]

 

Documentation attached to this article covers debugging with the different web filter flow actions.