FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 265450
Description This article explains how to exempt or block the top-level domain (TLD) names for websites using the URL filter feature.
Scope All FortiGate Firmware.

A top-level domain (TLD) is the highest level in the Domain Name System (DNS) hierarchy of the Internet. It is the part of a website's address located to the right of the dot (e.g., .com, .org, .net). TLDs play a crucial role in identifying the nature or purpose of a website's domain name and are an essential part of a URL (Uniform Resource Locator) used to access web pages.


This URL filter is configured to block or allow a specific top-level domain (TLD) for websites (e.g., .com, .org, .net). All other websites using that configure TLD will be blocked or allowed as the filter is configured with Regular Expressions (regex).


Configuring a URL filter:


In the following example, a URL filter will be created to block TLD using a regex.

Configuring a URL filter in the GUI

To create a URL filter for .net TLD:

  1. Go to Security Profiles -> Web Filter and select Create New or edit an existing profile.
  2. In the Static URL Filter section, enable URL Filter.
  3. Select Create New. The New URL Filter pane opens.
  4. For URL, enter .*\.\bnet\b ,for Type, select Regular Expression, and for Action, select Block.


  1. Select OK. The entry appears in the table.



  1. Configure the other settings as needed
  2. Select OK.



The syntax in the CLI for configuring an entry is:


config webfilter urlfilter

edit <1>

set name "name"

config entries

edit 1

set url ".*\\.\\bnet\\b"

set type regex

set action block

set status disable






To attach the URL filter table to an existing or a new webfilter profile:


config webfilter profile

edit "Net Filter"      <----- Name of the web filter profile.

config web

set urlfilter-table 1  <----- Where 1 is the URL filter table ID, this number can be found in 'config webfilter urlfilter': the URL filter created with the ID number.


config ftgd-wf

unset options






Verifying the URL filter results


Verify the URL filter results by going to a blocked website. For example, upon visiting the website, the replacement message appears:




To check web filter logs in the GUI:

KB-Web-Filter log.png


Related articles: