spathak
Staff
Article Id 192122

Description

This article explains how to use static URL filtering without an active FortiGuard Web Filter license on the FortiGate.
Scope
FortiGate (all versions 5.x, 6.x, 7.x).

Solution
It is important to note that a FortiGuard URL, DNS & Video Filtering Service license grants the FortiGate access to several related services that are powered by FortiGuard (including FortiGuard Category-based Filtering, DNS Filtering, and Video Filtering).

If the FortiGate is missing this license (i.e. it is expired or not purchased), then having these features enabled as part of security inspection will result in traffic being dropped (the FortiGate queries FortiGuard but receives a rating error due to the lack of license, leading to blocked traffic by default).
Notably, some features do not require the FortiGate to interact with FortiGuard, and so they can be utilized without an active license. Static URL Filtering (where the FortiGate inspects the URL of the website) is one of these functions.
For unencrypted HTTP traffic, Static URL Filtering can examine the HTTP Host field (e.g. www.testwebsite.com) and the Request URI/Path (e.g. /index.html). For HTTPS traffic, SSL inspection is required:

  • With SSL Certificate Inspection, the TLS certificate's Common Name (CN) and Server Name Indication (SNI) can be examined.
  • With SSL Deep Inspection, all of the above can be examined (HTTP Host and Request URI, Certificate CN, and SNI).
Granular control over HTTPS websites (i.e. filtering based on the HTTP Path) requires SSL Deep Inspection, but it is still possible to block/allow access to an entire website using SSL Certificate Inspection.

Be cautious when implementing Static URL Filtering: a carelessly written expression can easily block access to necessary/legitimate websites. Refer to the following Community KB article for more information regarding Static URL Filtering expressions: Technical Tip: URL Filter expressions for the FortiGate.

Example Configuration

Go to Security Profiles -> Web Filter.
Select a web filter profile to edit.
Under Static URL Filter, enable URL Filter, and select Create New.
Enter the URL without the 'http://' scheme prefix (this URL is not checked against FortiGuard, which is why a static URL filter works without a web filter license).
Select a Type: Simple, Wildcard, or Regex.
Select the Action to take against matching URLs: Exempt, Allow, or Block.
Select Enable.
Select OK.
The CLI syntax for configuring an entry is shown below (in the FortiOS CLI, each edit block is closed with next and each config block with end):

config webfilter urlfilter
    edit <ID>
        config entries
            edit 1
                set url <URL>
                set referrer-host <URL>
                set type {simple | regex | wildcard}
                set action {block | allow | monitor | exempt}
                set status {enable | disable}
            next
        end
    next
end
Apply the same web filter profile to the IPv4 firewall policy that carries the traffic.