Setting Web Filter Exceptions in Fortigate
Happy Thursday! Here's a quick tutorial on setting URL filtering exceptions in Fortigate. I wanted to do an article on this because I found that the process is not very intuitive or straightforward.
Given that your or your client's organization has a web filter enabled, you will need to create an exception for any URL you need to access that belongs to a category being blocked by the web filter (common categories include pornography, guns and weapons, violence, etc.).
You can navigate to your web filter settings by going to Security Profiles in the left pane and clicking on Web Filter.
As you can see in the above photo, the "default" web filter is being used by different firewall policies based on the number 2 in the references column (meaning that that web filter is being referenced by two firewall policies). If you were to hover or click on the numeral 2, you would see what policies are utilizing this web filter.
Click into your web filter, and you can identify the categories that are being blocked (as shown in the below picture).
You will need to turn on URL filter to allow for more granular definition of which URLs are allowed.
From here you will want to click "Create New" to create the URL entries that will be allowed. In this process you will need to create two rules, one with the wildcard character in the prefix, and one with the wildcard character in the suffix. In our example we will use guitarcenter.com (because it's not offensive lol).
Here it is with the wildcard in the prefix. It is important that the highlighted green options be selected as they are in these photos. Part of the reason for this is the order of rule processing. As these exceptions are processed before the broader categories for web filtering (like the broader category of pornography), selecting "Exempt" will tell the Fortigate that these URLs do not need to go through the broad category rule processing and they will be escorted through as allowed URLs.
Here it is with the wildcard in the suffix as well.
Here's how your rules will look after they are complete. You can now test by clicking "OK" on the web filter to save these rules, then visiting the website (while passing through the Fortigate) and navigating through different menu options and sublinks to make sure that full navigation is successful.
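The same two exempt entries expressed in the FortiOS CLI, as an added example that is not from the original article. The table ID 1, the table name and the exact pattern strings are assumptions, since the screenshots are not reproduced here; "default" is the profile named above.

```fortios
# Assumed: URL filter table ID 1 and the name "guitarcenter-exempt".
config webfilter urlfilter
    edit 1
        set name "guitarcenter-exempt"
        config entries
            # Entry 1: wildcard in the prefix (assumed pattern string).
            # '*' matches any characters, so this also covers any hostname
            # that merely ends in the string; keep the pattern as narrow
            # as the site allows.
            edit 1
                set url "*guitarcenter.com"
                set type wildcard
                set action exempt
                set status enable
            next
            # Entry 2: wildcard in the suffix (assumed pattern string),
            # covering paths and sublinks under the domain.
            edit 2
                set url "guitarcenter.com*"
                set type wildcard
                set action exempt
                set status enable
            next
        end
    next
end

# Attach the table to the "default" web filter profile so the entries
# are evaluated before the category blocks.
config webfilter profile
    edit "default"
        config web
            set urlfilter-table 1
        end
    next
end
```

The # lines are annotations for the reader; leave them out when pasting into a CLI session. Running "show webfilter urlfilter" afterwards lists the saved entries for comparison with the GUI view.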
Thanks for reading! I hope this saves you a support call to Fortigate and maybe an hour of time!