FortiGate Web Filtering: Core Concepts

FortiGate’s Web Filter engine inspects HTTP/HTTPS traffic and applies rules based on:

  1. Static URL Filter
    • Matches explicit URL patterns or domains you specify (e.g., facebook.com, *.torrent*) as Simple, Wildcard, or Regular Expression entries.
    • Actions: Block, Allow, Monitor, or Exempt. Exempt bypasses the remaining web filter stages and antivirus; Allow only passes the request on to the next stage.
  2. FortiGuard Category-Based Filter
    • Uses Fortinet’s cloud-based categorization (Social Networking, Gambling, Malicious Websites, etc.) and requires a FortiGuard Web Filtering subscription.
    • Actions: Allow, Monitor, Block, Warning, or Authenticate.
  3. Web Content Filter
    • Examines page content for banned words or regular expressions (proxy inspection only, since it needs the reassembled response).
  4. Web Script Filter
    • Controls Java applets, ActiveX, cookies, and other client-side script elements (proxy inspection only).

The processing order is:

  1. Static URL Filter
  2. FortiGuard Category Filter
  3. Web Content Filter
  4. Web Script Filter
  5. Antivirus (proxy-based scanning).

By combining these layers, FortiGate can precisely block known bad sites while still allowing legitimate traffic.
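To make the order concrete, here is a small Python model of the pipeline described above. It is an added example, not FortiOS code: it reproduces the documented sequence (static URL filter, then FortiGuard category, then content filter) and the difference between the static actions Block, Allow and Exempt, which the Best Practices section at the end of this page comes back to. The category table, filter entries and page text are constructed, and the matching rules (fnmatch for Wildcard, exact or prefix match for Simple, Python re for Regular Expression) are an assumption that approximates the real engine rather than a copy of it.

```python
"""Model of FortiGate's web filter evaluation order (added illustration,
not FortiOS code).  Stages: static URL filter -> FortiGuard category ->
web content filter.  The category table and filter entries below are
constructed for the example; the matching rules are an approximation."""
from fnmatch import fnmatchcase
import re
from urllib.parse import urlsplit

# Constructed stand-in for the FortiGuard category database.
CATEGORY_DB = {
    "facebook.com": "Social Networking",
    "bet.example.net": "Gambling",
    "intranet.example.com": "Business",
}

# Per-category actions, as set under "Category Based Filter".
CATEGORY_ACTIONS = {"Social Networking": "block", "Gambling": "block"}

# Static URL filter entries (pattern, type, action); first match wins.
URL_FILTERS = [
    ("news.facebook.com/*", "wildcard", "allow"),   # allow: category check still runs
    ("*.facebook.com/*", "wildcard", "block"),
    ("intranet.example.com", "simple", "exempt"),   # exempt: nothing after this runs
]

# Web content filter patterns (only meaningful once the response body is seen).
CONTENT_BLOCKLIST = [r"\bconfidential\b"]


def categorize(host):
    """Look the host up, falling back to parent domains (assumed behaviour)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "Unrated"


def url_matches(pattern, ptype, target):
    """target is host+path without scheme, e.g. 'www.facebook.com/feed'."""
    if ptype == "wildcard":
        return fnmatchcase(target, pattern)
    if ptype == "regex":
        return re.search(pattern, target) is not None
    return target == pattern or target.startswith(pattern + "/")   # simple


def evaluate(url, body="", url_filters=URL_FILTERS,
             category_actions=CATEGORY_ACTIONS,
             content_blocklist=CONTENT_BLOCKLIST):
    """Return (verdict, stage, detail) for one request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    target = host + (parts.path or "/")

    # 1. Static URL filter.
    for pattern, ptype, action in url_filters:
        if not url_matches(pattern, ptype, target):
            continue
        if action == "block":
            return ("block", "urlfilter", pattern)
        if action == "exempt":
            return ("allow", "urlfilter-exempt", pattern)
        break  # allow / monitor: recorded, then fall through to the next stage

    # 2. FortiGuard category filter.
    cat = categorize(host)
    cat_action = category_actions.get(cat, "allow")
    if cat_action in ("block", "warning"):
        return (cat_action, "ftgd", cat)

    # 3. Web content filter (proxy mode; needs the page body).
    for pat in content_blocklist:
        if re.search(pat, body, re.IGNORECASE):
            return ("block", "content", pat)

    return ("allow", "end", cat)


if __name__ == "__main__":
    for u in ("https://www.facebook.com/", "https://facebook.com/",
              "https://news.facebook.com/feed", "https://intranet.example.com/"):
        print(u, "->", evaluate(u, body="confidential"))
```

Two things the model makes visible that the list above only states: a request to news.facebook.com that is Allowed in the static list is still blocked by the Social Networking category, while the same entry set to Exempt lets it through untouched (including the content filter), and a wildcard such as *face* matches interface.example.org as well, which is the over-broad pattern problem discussed under Best Practices.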


Method 1: GUI Configuration

1. Create or Edit a Web Filter Profile

  1. Log in to your FortiGate web console (https://<firewall-ip>).
  2. Go to Security Profiles → Web Filter.
  3. Click Create New (or select an existing profile to edit).
  4. In the profile editor:
    • Name: e.g., Block-Social-Media
    • Inspection Mode / Feature Set: Proxy (full content inspection, required for the content and script filters) or Flow (lighter, faster). On FortiOS 6.2 and later this setting is labelled Feature Set in the profile, and the matching inspection mode is chosen on the firewall policy in step 4.

2. Configure Static URL Filter

  1. Scroll to Static URL Filter, enable URL Filter, and click Create New.
  2. In the New URL Filter dialog:
    • Type: Wildcard (for *.facebook.com/*), Simple (exact matches), or Regular Expression.
    • URL: e.g., *.facebook.com/*
    • Action: Block
    • Status: Enable
  3. Repeat for each site or pattern you want to block (e.g., *.youtube.com/*).

3. Configure FortiGuard Category Filter

  1. In the same profile, enable FortiGuard Category Based Filter.
  2. Expand the category groups and set the action per category:
    • Social Networking → Block
    • Gambling → Block
    • Malicious Websites (under Security Risk) → Block
  3. Click OK to save the profile.

4. Apply the Web Filter Profile to a Firewall Policy

  1. Navigate to Policy & Objects → Firewall Policy (IPv4 Policy or IPv6 Policy on older releases).
  2. Edit (or create) the policy that handles outbound web traffic (LAN → WAN: the internal network is the source interface and the WAN is the destination interface).
  3. In the Security Profiles section:
    • Enable Web Filter, and select your newly created profile (Block-Social-Media).
  4. Set SSL Inspection to match what you need: certificate-inspection is enough to block by domain or category (it reads the server name from the TLS handshake), while deep-inspection is required to match full HTTPS URL paths and for content filtering.
  5. Click OK.

Tip: Policies are evaluated top-down and the first match wins, so position this policy above any broader “allow all” rule for the same source and services; otherwise web traffic matches the broader rule and the profile is never applied.

Method 2: CLI Configuration

Scripted or bulk rollouts often leverage the CLI. Below are the core commands for FortiOS 6.2 through 7.x; where the 6.0 syntax differs it is noted inline.

1. Create a Web Filter Profile & Static URL Filter

config webfilter urlfilter
    edit 1
        set name "Block-Websites-URLs"
        config entries
            edit 1
                set url "*.facebook.com/*"
                set type wildcard
                set action block
            next
            edit 2
                set url "*.youtube.com/*"
                set type wildcard
                set action block
            next
        end
    next
end

config webfilter profile
    edit "Block-Websites"
        set feature-set proxy  # FortiOS 6.2+; on 6.0 use: set inspection-mode proxy
        config web
            set urlfilter-table 1  # attach the static URL list defined above
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 37  # Social Networking; list IDs with: get webfilter categories
                    set action block
                next
                edit 2
                    set category 11  # Gambling
                    set action block
                next
            end
        end
    next
end

2. Apply the Profile to a Firewall Policy

config firewall policy
    edit 10               # or the ID of your outbound web policy
        set name "Block-Web-Outbound"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy  # FortiOS 6.2+: must match the profile's feature set
        set utm-status enable
        set webfilter-profile "Block-Websites"
        set ssl-ssh-profile "deep-inspection"  # certificate-inspection suffices for domain/category blocks
        set logtraffic all
    next
end
  • set utm-status enable turns on security profiles (UTM) for this policy; set logtraffic all records every session, which the Log & Monitor item under Best Practices depends on.
  • set ssl-ssh-profile selects the SSL inspection profile. certificate-inspection reads only the server name (SNI or certificate subject), which is enough for domain- and category-level blocks; deep-inspection decrypts the session and is required to match full URL paths and to run the content filter and antivirus, and it needs the FortiGate CA certificate trusted on every endpoint.

Method 3: Blocking by DNS Filter (Optional)

If you prefer blocking at DNS resolution rather than inline URL matching, you can use FortiGate’s DNS Filter:

config dnsfilter domain-filter
    edit 1
        set name "DNS-Block-List"
        config entries
            edit 1
                set domain "facebook.com"
                set type simple
                set action block
            next
            edit 2
                set domain "*.facebook.com"  # catch subdomains as well
                set type wildcard
                set action block
            next
        end
    next
end

config dnsfilter profile
    edit "DNS-Block"
        config domain-filter
            set domain-filter-table 1  # attach the list above
        end
    next
end

config firewall policy
    edit 20
        set name "DNS-Filter-Policy"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "DNS-Block"
        set logtraffic all
    next
end

Note: DNS filtering blocks by domain name only; it cannot distinguish paths within a site, and it only sees queries that traverse this policy. Clients that resolve names over DNS over HTTPS, through a VPN, or via a resolver reached through another rule bypass it, so pair it with a policy that denies outbound DNS to anything but your own resolvers, and use it alongside the web filter profile rather than instead of it.


Best Practices & Troubleshooting

  1. Policy Ordering
    • Always place restrictive policies (URL blocks) above general allow rules.
  2. Log & Monitor
    • Enable logging on your block policies: set logtraffic all
    • Check Log & Report → Web Filter to see blocked attempts.
  3. HTTPS Inspection
    • With certificate inspection the FortiGate sees only the server name (SNI or certificate subject), so category and domain blocks work but path-level static URL entries and the content filter do not; deep inspection is required for those.
    • Deploy the FortiGate CA certificate to endpoints before enabling deep inspection, otherwise every HTTPS site shows a trust warning.
  4. Wildcard Usage
    • Use wildcards carefully; a pattern such as *face* also matches unrelated hosts (interface.example.org), and *.example.com/* matches every subdomain, not just the one you meant.
  5. Session Flush
    • Existing sessions keep their old verdict until they end. To apply new rules immediately, clear them with diagnose sys session clear. This drops every session in the VDOM, so on a production unit narrow it first (for example diagnose sys session filter src <client-ip>) and run it in a maintenance window.
  6. Static URL vs. Category
    • If you Allow a URL in the static list, FortiGate still checks its FortiGuard category next.
    • If you want to bypass all further checks (category, content filter and antivirus), use Exempt instead of Allow.
  7. Backup Configurations
    • Always back up your configuration before making sweeping changes. The command below stores a revision on the unit’s flash; keep an off-box copy as well (System → Configuration backup in the GUI, or the TFTP form of execute backup config).
execute backup config flash backup-before-webfilter.conf
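As an added example for the Log & Monitor item above (this is not Fortinet tooling), the script below parses syslog-style FortiOS web filter records and summarises blocked requests per source, reason and host, which is what you want when checking that a new profile is catching what you intended and nothing else. The sample lines are constructed to follow the webfilter record layout (type, subtype, eventtype, hostname, url, action, cat, catdesc); the hosts, addresses and category numbers are example values, so confirm the field names against records from your own device before building alerting on them.

```python
"""Summarise FortiGate web filter events from key=value log lines.
Added example, not Fortinet tooling.  SAMPLE_LOG is constructed to follow
the FortiOS webfilter record layout; all values are made up."""
import re
from collections import Counter

SAMPLE_LOG = """\
date=2025-05-22 time=10:15:01 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=10 srcip=10.0.1.25 srcport=51234 dstip=203.0.113.20 dstport=443 proto=6 service="HTTPS" hostname="www.facebook.com" profile="Block-Websites" action="blocked" url="/" msg="URL belongs to a denied category in policy" cat=37 catdesc="Social Networking"
date=2025-05-22 time=10:15:07 type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="root" policyid=10 srcip=10.0.1.25 srcport=51240 dstip=203.0.113.21 dstport=443 proto=6 service="HTTPS" hostname="www.youtube.com" profile="Block-Websites" action="blocked" url="/watch?v=abc123" msg="URL was blocked because it is in the URL filter list"
date=2025-05-22 time=10:16:30 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=10 srcip=10.0.1.77 srcport=40011 dstip=198.51.100.9 dstport=443 proto=6 service="HTTPS" hostname="bet.example.net" profile="Block-Websites" action="blocked" url="/" msg="URL belongs to a denied category in policy" cat=11 catdesc="Gambling"
date=2025-05-22 time=10:17:02 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=10 srcip=10.0.1.77 srcport=40020 dstip=198.51.100.10 dstport=443 proto=6 service="HTTPS" hostname="www.example.com" profile="Block-Websites" action="passthrough" url="/docs/index.html" msg="URL belongs to an allowed category in policy" cat=43 catdesc="Information Technology"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return {field: value} for one record, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(text):
    """Count blocked web filter events by source IP, reason and destination host."""
    blocked = [r for r in parse_log(text)
               if r.get("subtype") == "webfilter" and r.get("action") == "blocked"]
    return {
        "blocked_total": len(blocked),
        "by_source": Counter(r["srcip"] for r in blocked),
        # FortiGuard blocks carry catdesc; static URL blocks only carry an eventtype.
        "by_reason": Counter(r.get("catdesc") or r.get("eventtype") for r in blocked),
        "by_host": Counter(r["hostname"] for r in blocked),
    }


def noisy_sources(text, threshold=2):
    """Sources with at least `threshold` blocks, a starting point for follow-up."""
    s = summarize(text)
    return sorted(ip for ip, n in s["by_source"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("blocked:", s["blocked_total"])
    for key in ("by_source", "by_reason", "by_host"):
        print(key, dict(s[key]))
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

Feed it the output of your syslog collector (or the records exported from Log & Report → Web Filter) one line per event; the by_reason counter separates category blocks from static URL list blocks, so a sudden rise in urlfilter hits after a change usually points at a pattern that is broader than intended.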

Last modified: May 22, 2025
