akamath (Staff)
Article Id 196049

Description


This article describes how to configure a web filter profile when the FortiGate is in NGFW policy-based mode and how to apply it in a security policy.

Scope

FortiGate.

Solution

In NGFW policy mode, only the Static URL Filter options of the web filter profile can be configured.

Policy-based mode requires the following:

  1. Security Policy.
  2. SSL Inspection & Authentication Policy.
  3. Central NAT Policy.


To create a web filter profile when the FortiGate is in policy mode from the GUI:

  1. Go to Security Profiles -> Web Filter and select 'Create New'.
  2. Enter a name for the profile and configure the remaining settings as required.
  3. Select 'OK'.

To apply the web filter profile in a security policy from the GUI:

  1. Go to Policy & Objects -> Security Policy and select 'Create New'.
  2. Enter a name for the policy and configure the remaining settings as required.
  3. Under Security Profiles, enable Web Filter and select the web filter profile.
  4. Select 'OK'.
  5. Navigate to SSL Inspection & Authentication and create a policy with certificate inspection or deep inspection.
  6. Go to Policy & Objects -> Central SNAT and create a Central SNAT policy.

 


CLI commands:

  1. Configure the static URL filter (web filter):

config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_bwv7i1r83"
        config entries
            edit 1
                set url "*.bot*.com"
                set type wildcard
                set action block
            next
        end
    next
end

 

  2. Configure the content filter:

config webfilter content
    edit 1
        set name "Auto-webfilter-content_mqqyssuxd"
        config entries
            edit "gambling"
                set status enable
            next
            edit "news"
                set status enable
            next
            edit "test"
                set status enable
            next
            edit "example"
                set status enable
            next
        end
    next
end

 

  3. Configure the web filter profile, referencing the URL filter and content filter tables created above:

config webfilter profile
    edit "webfilter-demo"
        set options block-invalid-url
        config web
            set bword-table 1
            set urlfilter-table 1
            set blacklist enable
        end
    next
end

 

  4. Apply the web filter profile in a security policy from the CLI:

config firewall security-policy
    edit 1
        set name "policy-demo-1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set webfilter-profile "webfilter-demo"
        set app-category 15 25
    next
end

 

  5. Configure the SSL Inspection & Authentication policy from the CLI:

config firewall policy
    edit 1
        set name "ssl-inspection-policy-demo"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
    next
end

 

 

  6. Create a Central SNAT policy from the CLI:

config firewall central-snat-map
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set orig-addr "all"
        set dst-addr "all"
    next
end
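Policy mode spreads the web filter over several objects, so a wrong table number in the profile, or a missing SSL inspection or Central SNAT policy, leaves traffic unfiltered without any error at configuration time. As an added check that is not part of this article or of FortiOS, the Python script below parses CLI text in the config/edit/set/next/end form used in the steps above (the sample configuration is constructed from those objects, trimmed to the fields the checks read), verifies that every reference in the chain resolves and that the SSL inspection and Central SNAT policies are present, and approximates the static URL filter so the `*.bot*.com` wildcard entry can be tried against a few URLs before rollout. The parser and the host-only wildcard match are simplifications (assumptions), not the FortiOS engine.

```python
import fnmatch
import shlex
from urllib.parse import urlsplit

# Constructed sample: the article's CLI objects, trimmed to the fields checked below.
SAMPLE_CONFIG = """
config webfilter urlfilter
    edit 1
        config entries
            edit 1
                set url "*.bot*.com"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "webfilter-demo"
        config web
            set urlfilter-table 1
        end
    next
end
config firewall security-policy
    edit 1
        set name "policy-demo-1"
        set webfilter-profile "webfilter-demo"
        set app-category 15 25
    next
end
config firewall policy
    edit 1
        set name "ssl-inspection-policy-demo"
        set ssl-ssh-profile "certificate-inspection"
    next
end
config firewall central-snat-map
    edit 1
        set srcintf "port1"
        set dstintf "port2"
    next
end
"""


def parse_fortios(text):
    """Nested dicts from config/edit/set/next/end text; 'set' values are str, or a list when multi-valued."""
    lines = [shlex.split(ln) for ln in text.splitlines() if ln.strip()]
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(lines):
            tok = lines[pos]
            pos += 1
            if tok[0] == "config":           # table or nested object
                node[" ".join(tok[1:])] = block()
            elif tok[0] == "edit":           # one row of a table
                node[tok[1]] = block()
            elif tok[0] == "set":
                node[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
            elif tok[0] in ("next", "end"):  # closes the current edit/config
                return node
        return node

    return block()


def check_webfilter_chain(cfg):
    """List of problems; empty means the policy's profile and tables exist and the SSL inspection and Central SNAT policies are present."""
    problems = []
    profiles = cfg.get("webfilter profile", {})
    for pid, pol in cfg.get("firewall security-policy", {}).items():
        prof = pol.get("webfilter-profile")
        if prof and prof not in profiles:
            problems.append(f"security-policy {pid}: profile {prof!r} does not exist")
        web = profiles.get(prof, {}).get("web", {})
        for key, table in (("urlfilter-table", "webfilter urlfilter"),
                           ("bword-table", "webfilter content")):
            ref = web.get(key)
            if ref and ref not in cfg.get(table, {}):
                problems.append(f"profile {prof!r}: {key} {ref} not in {table}")
    if not any(p.get("ssl-ssh-profile") for p in cfg.get("firewall policy", {}).values()):
        problems.append("no SSL Inspection & Authentication policy (ssl-ssh-profile)")
    if not cfg.get("firewall central-snat-map"):
        problems.append("no central SNAT policy")
    return problems


def url_filter_verdict(cfg, url):
    """Simplified static URL filter (assumption): action of the first wildcard entry matching the host, else 'allow'."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url.lower()).hostname or ""
    for table in cfg.get("webfilter urlfilter", {}).values():
        for entry in table.get("entries", {}).values():
            if entry.get("type") == "wildcard" and fnmatch.fnmatchcase(host, entry["url"].lower()):
                return entry.get("action", "block")
    return "allow"
```

To check a live unit, paste the output of `show` for the webfilter, security-policy, firewall policy and central-snat-map tables into the string in place of the sample and run `check_webfilter_chain(parse_fortios(...))`; an empty list means the chain is intact. Because FortiOS applies several entry types with their own precedence, treat `url_filter_verdict` as a quick pattern sanity check, not as a substitute for testing the real profile.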