FortiGate
vhitnal (Staff)
Article Id 197284

Description
This article describes how to explicitly enable custom (local and remote) categories in web filter profiles, SSL/SSH inspection profiles, and proxy addresses.

Solution
In all web filter profiles, local and remote categories have to be enabled manually.
A newly created threat feed connector, or a web rating override placed in a custom category, has no effect on a web filter profile until that category's action is set to Monitor, Block, Warning, or Authenticate in the profile's FortiGuard category settings.
If a URL is in multiple enabled categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.

In SSL/SSH inspection profiles, local and remote categories have to be explicitly selected to be exempt from SSL inspection.

In proxy addresses, local and remote categories have to be explicitly selected as URL categories for them to apply.
In both cases, if a URL is in multiple selected categories, the order of precedence is local categories, then remote categories, and then FortiGuard categories.


Web filter profiles.

In this example, www.fortinet.com is added to the Seriously custom category.
The Seriously category action is set to Monitor, which overrides the action applied to the Information Technology category and to any remote categories that also contain the URL.
An external threat feed is also connected, and its action is set to Block, which overrides the default FortiGuard category action for URLs that are in both the feed and a FortiGuard category.


To use local and remote categories in a web filter profile from the GUI:
1) Go to Security Profiles -> Web Rating Overrides and create a custom category and add URLs to it.
2) Go to Security Fabric -> External Connectors and create a FortiGuard Category Threat Feed external connector to import an external block list.
3) Go to Security Profiles -> Web Filter and create or edit a web filter profile.
4) Set Feature set to Proxy-based.
5) Enable FortiGuard category based filter and change the action for the Local Categories and Remote Categories entries as needed.
6) Configure the remaining settings as required.
7) Select 'OK'.
 
Note.
When the action for a local or remote category is Allow, that category is effectively disabled for the profile: the action of the next category in the order of precedence (remote, then FortiGuard) is applied instead.
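The precedence rule above (local, then remote, then FortiGuard) and the behaviour described in the Note (Allow on a local or remote category disables it) can be modelled in a few lines. The following Python is an added example and is not FortiOS code or part of the original article; the category IDs, names and URL memberships are constructed sample data, FortiGuard category 52 is assumed here to be Information Technology, and a category with no filter entry is assumed to be allowed.

```python
"""Model of FortiGate web filter category precedence (added example, not FortiOS code).

Rules encoded, as stated in the article: when a URL is in several categories,
a local category (IDs 140-191) wins over a remote category (IDs 192-221),
which wins over the FortiGuard category; a local or remote category whose
action is 'allow' is disabled and the next category in precedence order applies.
"""
from typing import Dict, List, Optional, Set, Tuple

LOCAL_IDS = range(140, 192)    # local category ID range, per the article
REMOTE_IDS = range(192, 222)   # remote category ID range, per the article


def category_rank(cat_id: int) -> int:
    """Precedence rank: 0 = local, 1 = remote, 2 = FortiGuard."""
    if cat_id in LOCAL_IDS:
        return 0
    if cat_id in REMOTE_IDS:
        return 1
    return 2


def check_custom_id(cat_id: int, remote: bool) -> int:
    """Reject an ID outside the range FortiOS reserves for local/remote categories."""
    allowed = REMOTE_IDS if remote else LOCAL_IDS
    if cat_id not in allowed:
        kind = "remote" if remote else "local"
        raise ValueError(f"{cat_id} is not a valid {kind} category id "
                         f"({allowed.start}-{allowed.stop - 1})")
    return cat_id


def effective_action(filters: Dict[int, str],
                     url_categories: Set[int]) -> Tuple[Optional[int], str]:
    """Return (category id, action) a web filter profile applies to one URL.

    filters maps category id -> action, as under 'config ftgd-wf / config filters'.
    A category with no entry is treated as 'allow' (assumption of this model).
    Ties inside one class (two remote feeds listing the same URL) are resolved
    lowest-id-first; that tie-break is also an assumption of this model.
    """
    for cat in sorted(url_categories, key=lambda c: (category_rank(c), c)):
        action = filters.get(cat, "allow")
        if category_rank(cat) < 2 and action == "allow":
            continue  # Allow on a local/remote category disables it: fall through
        return cat, action
    return None, "allow"


# Constructed sample: www.fortinet.com is in local category 140 ('Seriously'),
# remote category 192 (the threat feed) and FortiGuard category 52 (assumed IT).
URL_CATEGORIES = {"www.fortinet.com": {140, 192, 52}}


def demo() -> List[Tuple[Optional[int], str]]:
    """Walk through the article's scenario and the Note's fall-through cases."""
    fortinet = URL_CATEGORIES["www.fortinet.com"]
    results = []
    # Profile as in the article: local monitor, remote block, FortiGuard warning.
    filters = {52: "warning", 140: "monitor", 192: "block"}
    results.append(effective_action(filters, fortinet))          # (140, 'monitor')
    # Allow on the local category disables it; the remote feed now decides.
    filters[140] = "allow"
    results.append(effective_action(filters, fortinet))          # (192, 'block')
    # Allow on the remote category as well; the FortiGuard category applies.
    filters[192] = "allow"
    results.append(effective_action(filters, fortinet))          # (52, 'warning')
    # No entry at all for the FortiGuard category: allowed by assumption.
    results.append(effective_action({140: "allow"}, {140, 52}))  # (52, 'allow')
    return results


if __name__ == "__main__":
    for cat, action in demo():
        print(cat, action)
```

Use check_custom_id when generating ftgd-local-cat or external-resource entries in bulk, so that an ID outside the 140-191 or 192-221 range is caught before the CLI rejects it.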

To use local and remote categories in a web filter profile from the CLI:
 
1) Create a custom category and add URLs to it.
# config vdom
   edit root
        # config webfilter ftgd-local-cat
            edit "Seriously"
                set id 140
            next
        end
        # config webfilter ftgd-local-rating
            edit "www.fortinet.com"
                set rating 140
            next
        end
   next
end
2) Create a FortiGuard Category Threat Feed external connector to import an external blocklist.
# config global
    # config system external-resource
        edit "OnAworkComputer"
            set category 192
            set resource "https://192.168.0.5/lists/blocklist.txt"
        next
    end
end
3) Create or edit a web filter profile. See FortiGuard filter for details.
 
Local categories have an ID range of 140 to 191. Remote categories have an ID range of 192 to 221.
# config vdom
    edit root
        # config webfilter profile
            edit "WebFilter-1"
                set feature-set proxy
                # config ftgd-wf
                    unset options
                    # config filters
                        edit 12
                            set category 12
                            set action warning
                        next
                        ...
                        edit 23
                            set action warning
                        next
                        edit 140
                            set category 140
                        next
                        edit 192
                            set category 192
                            set action block
                        next
                    end
                end
            next
        end
    next
end
When a filter entry is added for a local or remote category (140 and 192 in this example) without an explicit action, the default action is monitor.
 
SSL/SSH inspection profiles.

To use local and remote categories in an SSL/SSH inspection profile to exempt those categories from SSL inspection from the GUI:
 
1) Go to Security Profiles -> SSL/SSH Inspection.
2) Create a new profile or edit an existing one.
3) Ensure that Inspection method is Full SSL Inspection.
4) In the Exempt from SSL Inspection section, add the local and remote categories to the Web categories list.
5) Configure the remaining settings as required, then select 'OK'.
 
To use local and remote categories in an SSL/SSH inspection profile to exempt those categories from SSL inspection from the CLI:
# config firewall ssl-ssh-profile
    edit "SSL_Inspection"
        # config https
            set ports 443
            set status deep-inspection
        end
        ...
        # config ssl-exempt
            edit 1
                set fortiguard-category 140
            next
            edit 2
                set fortiguard-category 194
            next
        end
    next
end
Proxy addresses.
 
To use local and remote categories in a proxy address from the GUI:
1) Go to Policy & Objects -> Addresses and select 'Create New' -> Address, or edit an existing proxy address.
2) Set Category to 'Proxy Address'.
3) Set Type to URL Category.
4) In the URL Category, add the local and remote categories.
5) Configure the remaining settings as required, then select 'OK'.

To use local and remote categories in a proxy address from the CLI:

# config firewall proxy-address
    edit "proxy_override"
        set type category
        set host "all"
        set category 140 194
        set color 23
    next
end