Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akamath
Staff
Staff

Created on ‎10-05-2020 10:30 PM Edited on ‎03-14-2025 12:24 AM By Community Manager

Article Id 196049

Technical Tip: Web filter profiles in NGFW policy mode

Description


This article describes how to configure a Web filter in NGFW policy mode and how to use it in security policies.

Scope

 

FortiGate.

 

Solution

 

Only Static URL Filter options can be configured.

 

In Policy Base Mode:

  1. Security Policy.
  2. SSL Inspection & Authenticat.ion Policy.
  3. Central NAT Policy


To create a web filter profile when the FortiGate is in policy mode from GUI.

  1. Go to Security Profiles -> Web Filter and select 'Create New'.
  2. Enter a name for the profile and configure the remaining settings as required.

enable-proxy-mode.gif

 

 
  1. Select 'OK'.

To apply a web filter profile in a security policy from GUI.

  1. Go to Policy & Objects -> Firewall Policy and select 'Create New'.
  2. Enter a name for the policy, and configure the remaining settings as required.
  3. Under Security Profiles, enable Web Filter and select the web filter.
  4. Navigate to SSL Inspection & Authentication and create a policy with certificate inspection or deep inspection.
 

video.gif

 

If Central Nat is enabled, create it. select Policy & Objects -> Central SNAT.

 

central_nat_policy.png

 

 

CLI commands:

 

  1. Web filter:

 

config webfilter urlfilter

    edit 1
        set name "Auto-webfilter-urlfilter_bwv7i1r83"
config entries
    edit 1
        set url "*.bot*.com"
        set type wildcard
        set action block
    next
end
next
end

 

  1. Configure content filters.

 

config webfilter content
    edit 1
        set name "Auto-webfilter-content_mqqyssuxd"
config entries
    edit "gambling"
    set status enable
next
    edit "news"
        set status enable
    next
edit "test"
    set status enable
next
    edit "example"
        set status enable
    next
end
next
end

 

  1. Configure the web filter profile

 

config webfilter profile
    edit "webfilter-demo"
        set options block-invalid-url
config web
    set bword-table 1
    set urlfilter-table 1
    set blacklist enable
end
next
end

 

  1. To use the web filter profile in a security policy from  CLI.

config firewall security-policy
    edit 1
        set name "policy-demo-1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set webfilter-profile "webfilter-demo"
        set app-category 15 25
    next
end

 

  1. Configure SSL Inspection & Authentication Policy from CLI:

 

config firewall policy

    edit 1

        set name "ssl-inspection-policy-demo"

        set srcintf "port2"

        set dstintf "port1"

        set srcaddr "all"

        set dstaddr "all"

        set service "ALL"

        set ssl-ssh-profile "certificate-inspection"

    next

end

 

  1. Create a Central SNAT policy from CLI:

 

config firewall central-snat-map

    edit 1

        set srcintf "port1"

        set dstintf "port2"

        set orig-addr "all"

        set dst-addr "all"

    next

end

Labels:
5908
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.