
Course 201 - Administration, Content Inspection and VPNs Web Filtering

Web Filtering
Module 9

2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

By the end of this module participants will be able to:


Identify the web filtering mechanisms used on the FortiGate device
Create web content and URL filters
Configure FortiGuard Web Filtering
Configure FortiGuard Web Filtering exemptions and rating overrides
Define firewall policies using web filter profiles

01-50000-0201-20130215-C

Web Filtering

Means of controlling the web content that a user is able to view


Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business
purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive
material
Prevent copyright infringement caused by employees downloading or distributing
copyrighted materials
Prevent children from viewing inappropriate material

Proxy-Based Web Filtering

Proxy-based solution that communicates between client and server


Inspects full URL
Allows for customizable block pages to display when sites are blocked
Most resource intensive option
Lowest throughput
Most options available in Advanced section


Proxy-Based Web Filtering

Select inspection mode in web filter profile

Flow-Based Web Filtering

Non-proxy solution that uses IPS engine to perform inspection


High throughput
Inspects full URL
FortiGuard Web Filtering override will not apply when flow-based
inspection is enabled
Few Advanced options available


Flow-Based Web Filtering

Select inspection mode in web filter profile

DNS-Based Web Filtering

DNS-proxy solution that uses DNS queries to decide access


DNS queries redirected to FortiGuard SDNS server
Very lightweight
SSL inspection never required
Cannot inspect URL, only hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages, can redirect to a portal
Web site access by IP means no DNS lookup


DNS-Based Web Filtering

Select inspection mode in web filter profile

When Does Filtering Activate?

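[Diagram: sequence for a request to www.acme.com: DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET, HTTP 200. "!" markers appear after the DNS Response and at the HTTP 200.]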


HTTP Inspection Order

[Flowchart: each stage either blocks the request (Block Page) or allows it on to the next stage]
Web URL Filter: Exempt (from ALL further inspection), Block (Block Page) or Allow
FortiGuard Filter: Block (Block Page) or Allow
Content Filter: Block (Block Page) or Allow
Advanced Filter: Block (Block Page) or Allow
Virus Scan: Block (Block Page) or Allow (Display Page)


Types of Web Filtering

Proxy-Based
Highly secure
Traffic is cached
Flow-Based
High throughput
No caching
Not as secure
DNS-Based
Very lightweight
Hostname filtering only
No advanced options, URL and FortiGuard only


Web Content Filtering

Allow or block web pages containing specific words or patterns
Create Pattern list in the CLI
Wildcards or regular expressions used to define patterns
Scores for matched patterns are added
If greater than threshold, FortiGate unit performs configured action
Block or Exempt
If pattern appears multiple times on web page, score is only counted once

Example (www.acme.com):
Drugs Score=10
Pharmacy Score=5
Prescription Score=5
Threshold=18
10 + 5 + 5 = 20
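
The scoring rule on this slide, worked as an added example (not Fortinet code): each pattern's score counts once per page however often it appears, and the action fires only when the sum is greater than the threshold. The pattern syntax, case-insensitive matching and the sample pages are assumptions constructed for illustration.

```python
import fnmatch
import re

# Constructed pattern list using the slide's words and scores: (type, pattern, score).
# Case-insensitive, whole-word wildcard matching is an assumption of this model.
PATTERNS = [
    ("wildcard", "drug*", 10),
    ("wildcard", "pharmacy", 5),
    ("regexp", r"\bprescriptions?\b", 5),
]
THRESHOLD = 18  # value from the slide


def pattern_hits(text, patterns=PATTERNS):
    """Return the patterns present in text; each appears at most once."""
    text = text.lower()
    words = set(re.findall(r"[a-z0-9]+", text))
    hits = []
    for kind, pattern, score in patterns:
        if kind == "wildcard":
            found = any(fnmatch.fnmatchcase(w, pattern) for w in words)
        else:
            found = re.search(pattern, text) is not None
        if found:
            hits.append((pattern, score))
    return hits


def evaluate(text, threshold=THRESHOLD, action="block"):
    """Sum scores of matched patterns; act only if the sum exceeds the threshold."""
    total = sum(score for _, score in pattern_hits(text))
    return (action if total > threshold else "pass"), total


# Constructed sample pages.
PAGE_A = "Cheap drugs! Drugs shipped by our online pharmacy, no prescription needed."
PAGE_B = "Pharmacy hours: the pharmacy fills each prescription; pharmacy closed Sunday."

if __name__ == "__main__":
    for name, page in (("A", PAGE_A), ("B", PAGE_B)):
        print(name, evaluate(page))
```

Page B repeats "pharmacy" three times but still scores 10, so a threshold of 18 leaves it untouched; lowering the threshold below the sum of two common words is what produces false positives on legitimate pages.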


Web URL Filtering

Control web access by allowing or blocking URLs


Text, wildcards or regular expressions can be used to define the URL patterns
If no URL match on list, go on to next enabled check
Possible web URL filter actions are:
Allow
Block
Monitor
Exempt


Web URL Filtering

[Diagram: a request for URL www.mypage.com/index.html is checked against the URL Filter list (www.example.com, www.abc.com, www.mypage.com/index.html); the action applied is one of Block, Allow, Monitor or Exempt]
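
An added example (not Fortinet code) modelling a URL filter list with text, wildcard and regular-expression entries, where no match returns `None` so the next enabled check runs. It also shows the DNS-based limitation from earlier in this module: with only the hostname visible, a path-specific entry can never match. First-match ordering, the matching rules and the list entries are assumptions of this simplified model.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed filter list: (type, pattern, action). Hostnames reuse the slide's examples.
URL_FILTER = [
    ("simple", "www.mypage.com/index.html", "block"),
    ("wildcard", "*.abc.com*", "monitor"),
    ("regex", r"^www\.example\.com/(downloads|files)/", "exempt"),
]


def normalize(url, dns_only=False):
    """Reduce a URL to host + path, or to the hostname alone for DNS-based filtering."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    return host if dns_only else host + (parts.path or "/")


def check_url(url, rules=URL_FILTER, dns_only=False):
    """Return the action of the first matching entry, or None to fall through."""
    target = normalize(url, dns_only)
    for kind, pattern, action in rules:
        if kind == "simple":
            hit = target == pattern or target.startswith(pattern.rstrip("/") + "/")
        elif kind == "wildcard":
            hit = fnmatch.fnmatchcase(target, pattern)
        else:
            hit = re.search(pattern, target) is not None
        if hit:
            return action
    return None  # no URL match: go on to the next enabled check


if __name__ == "__main__":
    for u in ("http://www.mypage.com/index.html", "http://www.abc.com",
              "http://www.example.com/downloads/x.zip", "http://www.mypage.com/other"):
        print(u, check_url(u), check_url(u, dns_only=True))
```

Only the host-level wildcard entry behaves the same in both modes; the two path-based entries silently stop matching when the filter sees hostnames only.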


Forcing Safe Search

Safe Search is used by search sites to prevent explicit web sites and
images from appearing in search results
FortiGate unit rewrites the search URL to include the required codes to
enable Safe Search
Supported for Google, Bing and Yahoo!
Does not force strict safe search
YouTube EDU available
Instructions for YouTube will include value to enter on FortiGate unit


FortiGuard Category Filter

URL: www.mypage.com Categories

Allow
Block
Monitor
Warning
Authenticate

www.mypage.com


FortiGuard Category Filter

The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
Action is taken based on selection in web filtering profile
Web filter rating determined by:
Human rater
Text analysis
Exploitation of web structure


FortiGuard Category Filter

Split into multiple categories and sub-categories


Layout will switch periodically as the Internet changes
New categories and sub-categories are released and compatible with
updated firmware
Older firmware has new values mapped to existing categories


FortiGuard Caching

Most web sites are visited over and over again


FortiGate unit can remember what the response was
Caching improves performance by reducing FortiGate unit requests to
FortiGuard servers
Cache checked before sending request to FortiGuard server
TTL setting controls the number of seconds query results are cached
Small amount of FortiGate unit system memory dedicated to the cache
Default is 2% used for cache, can be increased to 15% from CLI
Port 53 used for FortiGuard communications
Alternate port number of 8888 can be used

KB Article IDs: 11779, FD32121, FD30088



FortiGuard Usage Quotas

[Diagram: Category: Games, with a Games Quota applied]

Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
If authentication is enabled, quota is automatically based on the user, otherwise IP is used
Can only apply to categories with actions: Monitor, Warn or Authenticate


Rating Submissions

Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing:
http://www.fortiguard.com/ip_rep.php


Rating Override

[Diagram: rating override for www.acme.com. Category: General Organizations; Sub-Category: Information and Computer Security]

Rating Override

Can override the rating applied to a hostname by FortiGuard Subscription Services
Hostname reassigned to a completely different category and uses that action
Override applies to FortiGate unit only
Changes not submitted to FortiGuard Subscription Services
Hostnames only
google.com
www.google.com
www.google.com/index.html


Local Categories

Rename and deletion of sub-categories only in CLI


config webfilter ftgd-local-cat
    delete <cat_name>
    rename <cat_name> to <cat_name>
end


Warning Action

Action = Warning (right click in the GUI)

Web Filtering Warning Page


Authenticate Action

Marketing

www.hackthissite.org


Web Filter Profiles

Web filter profile:

Web filtering, FortiGuard web filtering and advanced filtering options enabled through web filtering profiles
Profile in turn applied to firewall policy
Any traffic being examined by the policy will have the web filtering operations applied to it


Labs

Lab 1: Web Filtering


Ex 1: FortiGuard Web Filtering


Classroom Lab Topology
