Created on 12-12-2019 06:05 AM Edited on 11-06-2024 10:12 PM By Jean-Philippe_P
Description
This article explains how to use static URL filtering without an active FortiGuard Web Filter license on the FortiGate.
Scope
FortiGate (all versions 5.x, 6.x, 7.x).
Solution
It is important to note that a FortiGuard URL, DNS & Video Filtering Service license grants the FortiGate access to several related services that are powered by FortiGuard (including FortiGuard Category-based Filtering, DNS Filtering, and Video Filtering).
If the FortiGate is missing this license (i.e. it is expired or not purchased), then having these features enabled as part of security inspection will cause traffic to be dropped: the FortiGate still queries FortiGuard, receives a rating error because there is no license, and blocks the traffic by default.
Notably, some features do not require the FortiGate to interact with FortiGuard, and so they can be utilized without an active license. Static URL Filtering (where the FortiGate inspects the URL of the website) is one of these functions.
For unencrypted HTTP traffic, Static URL Filtering can examine the HTTP Host field (e.g. www.testwebsite.com) and the Request URI/Path (e.g. /index.html). For HTTPS traffic, SSL inspection is required:
Granular control over HTTPS websites requires SSL Deep Inspection (i.e. filtering based on the HTTP Path), but it is still possible to block/allow access to the entire website using SSL Certificate Inspection.
Be cautious when implementing Static URL Filtering as it is easy to accidentally block access to necessary/legitimate websites if done carelessly. Refer to the following Community KB article for more information regarding Static URL Filtering expressions: Technical Tip: URL Filter expressions for the FortiGate.
Example Configuration
Go to Security Profiles -> Web Filter.
Select a web filter to edit.
Under Static URL Filter, enable URL Filter, and select Create New.
Enter the URL without the 'http://' prefix. This URL is matched locally on the FortiGate and is never sent to FortiGuard for rating, which is why a static URL filter works without a web filter license.
Select a Type: Simple, Wildcard, or Regex.
Select the Action to take against matching URLs: Exempt/Allow/Block.
Select Enable.
Select OK.
The syntax in the CLI for configuring an entry is:
config webfilter urlfilter
    edit <ID>
        config entries
            edit 1
                set url <URL>
                set referrer-host <URL>
                set type {simple | regex | wildcard}
                set action {block | allow | monitor | exempt}
                set status {enable | disable}
            next
        end
    next
end
Apply the same web filter profile to the IPv4 firewall policy that carries the traffic to be filtered.