Why do we need web filtering?
1- Block access to inappropriate content (for example, porn sites).
2- Block access to malicious websites that may cause data loss or data leakage.
3- Block access to bandwidth-wasting sites (for example, streaming sites).
What can we filter on?
Web filters are applied in the following order:
1- URL list
2- FortiGuard Web Filtering Categories.
3- Web content filtering.
4- Web script filter
5- Antivirus scanning
Web filtering actions:
1- Allow: Permits access to the website.
2- Monitor: Permits access to the website and logs it.
3- Warning: Displays a warning page to the user, who can choose to continue or not.
Warning interval:
the time after which the warning page appears again once the user has chosen to
continue (the allowed access time).
4- Block: Denies access to the website and shows the replacement message instead.
5- Authenticate: Requires the user to authenticate with the FortiGate before access to the website is allowed.
1. Static URL filter.
It is mainly used to block certain websites and allow the rest.
The URL list is saved on the FortiGate device itself and does not need a connection to the FortiGuard servers, so a static URL filter does not need a valid FortiGuard license.
For example, a list that blocks only cnn.com/videos and allows all other websites.
***The list can also be used the other way round, to allow certain websites and block the rest.*** Note: URL filter rules are applied in order from the top, and the first matching entry decides.
There are three types of URL entry that can be defined.
A) Simple:
The entry must be written as a standard URL; it can include sub-domains and paths.
For example, for www.cnn.com:
- URL entry: cnn.com -----> full domain
- URL entry: cnn.com/videos ----> path
Note: To match a URL path (for example, cnn.com/videos) over HTTPS, SSL deep inspection must be configured in the firewall policy; with certificate inspection only the host name is visible to the FortiGate.
B) Wildcard: a "*" in the entry matches any run of characters, so one entry covers many URLs.
For example:
- URL: *.fortinet.com (anything before ".fortinet.com" matches this rule, such as support.fortinet.com)
- URL: www.fortinet.com/* (anything after "www.fortinet.com/" matches this rule, such as www.fortinet.com/contact)
C) Regular expressions (regex): Perl-style regular expressions give the most control, but the entry must be written in regex syntax: a literal "." is written "\." and "*" repeats the element before it, so the wildcard form "*.cnn.com" is not a valid regex.
For example:
- URL: .*\.cnn\.com (anything before ".cnn.com" matches this rule, such as edition.cnn.com)
- URL: www\.cnn\.com/.* (anything after "www.cnn.com/" matches this rule, such as www.cnn.com/videos)
The "/i" modifier makes the pattern case insensitive.
For example:
"/CNN/i" → matches "cnn" as well as "CNN"
The "^" symbol anchors the pattern to the beginning of the string.
For example:
"^cn" → matches 'cnn.com'
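The three entry types and the top-down, first-match evaluation described above, as an added worked model in Python. This is illustration code written for this page, not FortiGate's implementation: the matcher functions, the rule dictionaries and the sample list are assumptions of the model, and treating a full-domain simple entry as also covering its sub-domains is how the model reads the "full domain" example above and should be checked against the FortiOS release in use.

```python
import re
from urllib.parse import urlsplit


def split_url(url: str):
    """Return (host, path) with the scheme stripped. Host names are
    case-insensitive, so the host is lower-cased; a missing path becomes "/"."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def match_simple(entry: str, url: str) -> bool:
    """Simple entry: 'cnn.com' (full domain) or 'cnn.com/videos' (path)."""
    host, path = split_url(url)
    e_host, _, e_path = entry.lower().partition("/")
    e_path = e_path.rstrip("/")
    # Assumption of this model: a full-domain entry also covers its sub-domains.
    host_ok = host == e_host or host.endswith("." + e_host)
    if not e_path:
        return host_ok
    # A path entry only matches when the path is visible to the FortiGate
    # (plain HTTP, or HTTPS with deep inspection).
    return host_ok and (path == "/" + e_path or path.startswith("/" + e_path + "/"))


def match_wildcard(entry: str, url: str) -> bool:
    """Wildcard entry: '*' stands for any run of characters. Entries without
    a '/' are compared with the host only, entries with a '/' with host + path."""
    host, path = split_url(url)
    target = host + path if "/" in entry else host
    pattern = "^" + re.escape(entry.lower()).replace(r"\*", ".*") + "$"
    return re.match(pattern, target) is not None


def match_regex(entry: str, url: str) -> bool:
    """Regex entry written Perl-style as /pattern/ or /pattern/i (case-insensitive);
    a bare pattern is accepted too. The pattern is searched in host + path,
    so '^' anchors at the start of the host name."""
    host, path = split_url(url)
    m = re.fullmatch(r"/(.*)/(i?)", entry, re.DOTALL)
    pattern, flags = (m.group(1), re.IGNORECASE if m.group(2) else 0) if m else (entry, 0)
    return re.search(pattern, host + path, flags) is not None


MATCHERS = {"simple": match_simple, "wildcard": match_wildcard, "regex": match_regex}


def evaluate(rules, url, default="allow"):
    """Apply the list top-down; the first enabled entry that matches decides.
    Returns (action, matching_entry), or (default, None) if nothing matches."""
    for rule in rules:
        if rule.get("status", "enable") != "enable":
            continue
        if MATCHERS[rule["type"]](rule["url"], url):
            return rule["action"], rule["url"]
    return default, None


# Constructed sample list (hypothetical): block only cnn.com/videos, allow the rest
# of cnn.com, monitor Fortinet sub-domains, and (too broadly) block any host
# whose name starts with "cn".
RULES = [
    {"type": "simple",   "url": "cnn.com/videos", "action": "block"},
    {"type": "simple",   "url": "cnn.com",        "action": "allow"},
    {"type": "wildcard", "url": "*.fortinet.com", "action": "monitor"},
    {"type": "regex",    "url": "/^cn/i",         "action": "block"},
]

if __name__ == "__main__":
    for u in ("https://edition.cnn.com/videos/world",
              "https://www.cnn.com/",
              "https://support.fortinet.com/download",
              "https://cnbc.example/",
              "https://example.org/"):
        print(u, "->", evaluate(RULES, u))
```

The last sample URL shows why anchored regex entries deserve care: "^cn" was written with cnn.com in mind, but it also matches cnbc.example, and because the cnn.com allow entry sits above it, only hosts not covered by the earlier entries reach the regex.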
Block invalid URL
Blocks websites whose SSL certificate's CN field does not contain a valid domain name.
Example:
When a visited URL contains an underscore ("_") in the host name, the site is blocked with the "block-invalid-url" reason.
This option also blocks URLs that contain spaces; a space in a URL path must be written as %20.
As per RFC 952: "A 'name' (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.)." (RFC 1123 later relaxed the length limit; the character set is what matters here, and neither underscores nor spaces are in it.)
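The host-name validity rule above, as an added Python example that is not FortiGate code: it extracts the host from a URL and checks every label against the RFC 952 character set (with the per-label length as relaxed by RFC 1123), and rejects raw spaces anywhere in the URL. The `block-invalid-url` prefix mirrors the reason shown on the page; the rest of each reason string and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits and hyphens, not starting or ending with a
# hyphen, at most 63 characters (RFC 952 character set, RFC 1123 length).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_is_valid(host: str) -> bool:
    """True when every label of the host name uses only RFC 952 characters."""
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def check_url(url: str) -> str:
    """Return 'ok', or the reason an invalid-URL block would be raised.
    The wording after 'block-invalid-url:' is this example's own."""
    if " " in url:
        return "block-invalid-url: literal space in URL (must be encoded as %20)"
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return "block-invalid-url: URL cannot be parsed"
    if not hostname_is_valid(host):
        return f"block-invalid-url: host name {host!r} breaks RFC 952 character rules"
    return "ok"


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("https://www.example.com/path?q=1",
              "https://my_host.example.com/",
              "https://example.com/my page",
              "https://example.com/my%20page",
              "https://-bad.example.com/"):
        print(u, "->", check_url(u))
```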
Block malicious URLs discovered by FortiSandbox
Blocks URLs that FortiSandbox has found to be malicious.
The FortiCloud Sandbox service is free to use.
2. FortiGuard Web Filtering Categories.
1- The URL is sent to the nearest FortiGuard server.
2- The URL's category (rating) is returned.
3- If the category is set to block, the FortiGate shows the block replacement message instead of the requested page.
4- If the category is not blocked, the requested page is sent to the user as normal.
FortiGuard web filtering categories need a connection to the FortiGuard servers to work, so a valid FortiGuard license is required.
How to look up a URL rating/category
2- Security Profiles -> Web Rating Overrides -> Create New -> URL -> Lookup Rating
(Do not click the 'OK' button, as that would save the override to the configuration.)
Usage quota
Quotas can be set for the Monitor, Warning and Authenticate actions.
Once the quota is reached, the traffic is blocked and the replacement message page is displayed.
Quotas allow access for a specified length of time or a specific amount of bandwidth, are calculated separately for each user, and are reset daily at midnight.
Allow users to override blocked categories
Allows users with valid credentials to override blocked categories by switching to another web filter profile for a set time interval.
✓ Select the user group that may override and the web filter profile that applies during the override.
✓ Select the scope (IP or Ask) and define the access time interval.
✓ The user's credentials are validated and, if the scope is Ask, the user is asked to define the allowed access time interval.
Web category override.
Overrides the original FortiGuard category of a URL with either a different FortiGuard category or a custom local category.
Example: google.com, rated (General Interest - Business), is overridden with the custom local category (Block URLs).
Note: web rating overrides work on host names only; URL paths and wildcards are not allowed.
Local category action (Disable):
Setting a local category's action to Disable removes that category from the web filter profile.
Rating options.
Allow websites when a rating error occurs
If you do not have a FortiGuard license, or the FortiGate cannot reach the FortiGuard servers, but FortiGuard web filtering categories are enabled, every lookup returns a rating error.
By default this option is disabled, so on a rating error the FortiGate blocks the website (it fails closed).
Rate URLs by domain and IP address
By default this option is disabled and the FortiGate sends only the domain name to FortiGuard for rating.
If it is enabled, the FortiGate sends both the URL's domain name and the packet's destination IP address (except private IP addresses) to FortiGuard for rating.
The FortiGuard server may return different categories for the IP address and for the domain name.
If they differ, the FortiGate uses the rating weight of the IP address and of the domain name to decide which rating wins.
Additional proxy-based web filtering features
These advanced filters are only available in proxy-based inspection mode.
1- Search engines:
Enforce 'Safe Search' on Google, Yahoo!, Bing and Yandex
Enables the search engines' safe search mode so that search results are filtered.
Restrict YouTube access
YouTube Restricted Mode is an optional setting that filters out potentially mature videos while leaving many videos available.
Strict: Strict mode does not block all videos but acts as a filter, screening out many videos with an automated system while leaving some available for viewing.
Moderate: similar to Strict mode, but makes a much larger collection of videos available.
Log all search keywords
Logs all search phrases entered by users.
2- Proxy options
Restrict Google account usage to specific domains
Blocks access to Google accounts and services except for the domains in the exception list.
HTTP POST action
HTTP POST is the method the browser uses to send information, such as a completed form or an uploaded file, to a web server.
This option restricts users from sending information and files to web servers.
The action options are Allow or Block; the default is Allow.
Remove Java applets, remove ActiveX and remove cookies
Filters cookies, Java applets and ActiveX controls out of web traffic.
If these filters are enabled, websites that rely on Java applets, ActiveX or cookies may not work properly.
3. Web content filtering.
It controls access to web content by blocking web pages that contain specific words or patterns.
You can specify words, phrases, patterns, wildcards and regular expressions to match against the content of web pages.
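A small Python model of a content list applied to page text, added here as an example and not FortiGate code. FortiGate content-list entries carry a score and a block or exempt action; the block threshold of 10, counting each matched pattern once, case-insensitive wildcard matching, the tag stripper and the sample pages are all assumptions of this example.

```python
import re

# Constructed content list (hypothetical). Scores add up; an exempt entry
# wins outright when it matches.
CONTENT_LIST = [
    {"pattern": "free * download",     "type": "wildcard", "score": 5,  "action": "block"},
    {"pattern": r"\bcrack(ed|s)?\b",   "type": "regexp",   "score": 10, "action": "block"},
    {"pattern": "*security-research*", "type": "wildcard", "score": 0,  "action": "exempt"},
]
THRESHOLD = 10  # assumed default block threshold


def page_text(html: str) -> str:
    """Crude tag stripper, good enough for the sample pages below."""
    return re.sub(r"<[^>]+>", " ", html)


def pattern_hits(entry: dict, text: str) -> bool:
    """Wildcard: '*' matches any run of characters (case-insensitive here).
    Regexp: searched as written, so the author controls case handling."""
    if entry["type"] == "wildcard":
        regex = re.escape(entry["pattern"]).replace(r"\*", ".*?")
        return re.search(regex, text, re.IGNORECASE | re.DOTALL) is not None
    return re.search(entry["pattern"], text) is not None


def score_page(html: str, content_list=CONTENT_LIST, threshold=THRESHOLD):
    """Return (verdict, total_score, matched_patterns). An exempt pattern
    allows the page outright; otherwise the page is blocked once the summed
    scores of the matching block patterns reach the threshold."""
    text = page_text(html)
    for entry in content_list:
        if entry["action"] == "exempt" and pattern_hits(entry, text):
            return "allow", 0, [entry["pattern"]]
    total, hits = 0, []
    for entry in content_list:
        if entry["action"] == "block" and pattern_hits(entry, text):
            total += entry["score"]
            hits.append(entry["pattern"])
    return ("block" if total >= threshold else "allow"), total, hits


# Constructed sample pages.
PAGE_BLOCKED = "<html><body><h1>Free full download</h1><p>cracked software here</p></body></html>"
PAGE_LOW = "<p>A free software download, nothing else</p>"
PAGE_EXEMPT = "<p>Download the free security-research whitepaper</p>"

if __name__ == "__main__":
    for name, page in (("blocked", PAGE_BLOCKED), ("low", PAGE_LOW), ("exempt", PAGE_EXEMPT)):
        print(name, "->", score_page(page))
```

PAGE_LOW shows the point of the threshold: one weak pattern alone (score 5) does not block, while the same pattern together with a strong one (5 + 10) does. Note that this matching needs the page body, which for HTTPS means deep inspection, as the troubleshooting section below points out.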
Troubleshooting
Why is the web filter not applied?
A- A web filter profile serves multiple functions, so if several of them are enabled, check them in the following order:
1- Local static URL filter.
2- FortiGuard category filter.
3- Advanced proxy-based filters.
B- You created a web filter security profile but did not attach it to the firewall policy.
C- Some web filtering functions need deep (full) SSL inspection to work.
Examples:
1- Static URL filter with a path {www.cnn.com/videos}.
2- Web content filtering.
3- Search engine filtering {Safe Search and restricted access to YouTube}.