inoriega_FTNT
Article Id 193741
Description
This article describes how to customize which security profiles in the URL filter get bypassed by the "Exempt" action.

Solution
From the CLI, run:
# config webfilter urlfilter
# show
"show" displays each configured URL filter associated with a profile:
# show
config webfilter urlfilter
    edit 1
        set name "default"
        config entries
            edit 1
                set url "*twitter.com"
                set type wildcard
                set exempt fortiguard
            next
        end
    next
    edit 2
        set name "monitor-all"
        config entries
            edit 1
                set url "testing123.com"
            next
        end
    next
end

There are 2 URL filters: "*twitter.com", associated with the profile "default", and "testing123", associated with the profile "monitor-all".

The "*twitter.com" filter has a "set exempt fortiguard" field, which does not appear in the "testing123" filter.

Note: this is because "show" only displays values that differ from the default values.

If "show full-configuration" is used:
# show full-configuration
config webfilter urlfilter
    edit 1
        set name "default"
        set comment ''
        set one-arm-ips-urlfilter disable
        set ip-addr-block disable
        config entries
            edit 1
                set url "*twitter.com"
                set type wildcard
                set action exempt
                set status enable
                set exempt fortiguard
                set referrer-host ''
            next
        end
    next
    edit 2
        set name "monitor-all"
        set comment ''
        set one-arm-ips-urlfilter disable
        set ip-addr-block disable
        config entries
            edit 1
                set url "testing123.com"
                set type simple
                set action exempt
                set status enable
                set exempt av web-content activex-java-cookie dlp fortiguard range-block all
                set referrer-host ''
            next
        end
    next
end

By default, the action "exempt" bypasses several security profiles, as seen in the filter "testing123.com".

In the case of "*twitter.com" (previously modified), only FortiGuard is bypassed.

To customize these values:
# edit 2
Entry 2 is the number identifying the profile "monitor-all".

Then use:
# config entries
# show

All the URL filters within the selected profile are shown; in this example, "monitor-all":
# config entries
    edit 1
        set url "testing123.com"
    next
end

To see the options of a URL filter, e.g. "testing123" with the ID 1, use the following commands:

# edit 1
# set exempt ?

"?" is used to show all the available options:
# set exempt
av                     Antivirus filtering.
web-content            Web filter content matching.
activex-java-cookie    ActiveX, Java, and cookie filtering.
dlp                    DLP scanning.
fortiguard             FortiGuard web filtering.
range-block            Exempt range block feature.
pass                   Pass single connection from all.
all                    Exempt from all.

To save the changes, type "end".

For example, to set the value, save it, and view the change, type:
# set exempt av
# end

# show
config webfilter urlfilter
    edit 2
        set name "monitor-all"
        config entries
            edit 1
                set url "testing123.com"
                set exempt av
            next
        end
    next
end

In summary:

# config webfilter urlfilter

Enter the webfilter profile for the static URL:

# edit x      ("x" is the table number of the webfilter profile.)
Then use:
# config entries
# edit y       ("y" is the table number of the URL filter)
# set exempt

To save the changes, type "end".
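
The following Python is an added example, not Fortinet code: it parses "show full-configuration" output (plain "show" hides default values, as noted above) and lists the exempt entries that still bypass antivirus, DLP, or everything. The function name audit, the BROAD set and the trimmed sample input are assumptions made for this example.

```python
# Constructed sample: trimmed "show full-configuration" output from the article.
SAMPLE = """config webfilter urlfilter
    edit 1
        set name "default"
        config entries
            edit 1
                set url "*twitter.com"
                set action exempt
                set exempt fortiguard
            next
        end
    next
    edit 2
        set name "monitor-all"
        config entries
            edit 1
                set url "testing123.com"
                set action exempt
                set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
        end
    next
end
"""

BROAD = {"av", "dlp", "all"}  # assumption: the bypasses this audit flags

def audit(text):
    """Return (table name, url, flagged bypasses) for each enabled exempt entry."""
    findings, table, entry, in_entries = [], None, None, False
    for line in map(str.strip, text.splitlines()):
        parts = line.split(None, 2)          # "set", key, rest of line
        if line == "config entries":
            in_entries = True
        elif line == "end":
            in_entries = False               # closes "config entries" or the outer block
        elif in_entries and line.startswith("edit "):
            entry = {}                       # start of one URL filter entry
        elif line == "next" and entry is not None:
            risky = sorted(BROAD & set(entry.get("exempt", "").split()))
            if entry.get("action") == "exempt" and entry.get("status") != "disable" and risky:
                findings.append((table, entry.get("url"), risky))
            entry = None
        elif parts[:1] == ["set"] and len(parts) == 3:
            if entry is not None:
                entry[parts[1]] = parts[2].strip('"')
            elif parts[1] == "name":
                table = parts[2].strip('"')  # table-level name, e.g. "monitor-all"
    return findings
```

Run against the sample, only "testing123.com" in "monitor-all" is reported; the "*twitter.com" entry, limited to fortiguard, is not.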

