How to Configure Web Filtering on the FortiGate Firewall

Configuring and applying web filtering in a FortiGate Firewall is simple enough. The exact steps will change depending on which version of the Next-Gen OS you are using in your FortiGate firewall. Here’s an overview of how the process works.
First, ensure that the FortiGate Firewall is in Next-Gen Firewall mode. After enabling Next-Gen mode, ensure that the OS is configured to use profiles or is in profile mode.
Once profile mode is enabled in your FortiGate Firewall, you need to create a profile for web filtering. There are various options that you can use for filtering in your FortiGate web filtering profile. We’ll discuss some of those options at a high level below, but check the documentation on FortiGate’s website for more details.
After creating the web filtering profile, associate it with the policies for your FortiGate Firewall, and you'll be ready to go!
Configuring Web Filtering on the FortiGate Firewall: Video
In this video, CBT Nuggets trainer Keith Barker covers why you will want to filter web content in your FortiGate Firewall — and what kind of content the Next-Gen OS can filter.
Want to learn more? Check out this FortiGate Web Filtering training course with Keith Barker.
Why is it Important to Enable Web Filtering on a FortiGate Firewall?
There are several reasons to block or filter web content on a firewall. Organizations might want to limit the content their employees can access online—and not just to prevent access to social media during work hours. The truth is that IT folk need to ensure that equipment operates properly and protects the entire network. To do that, mechanisms of control need to be put in place.
So, why do you want to enable web filtering in a firewall?
One of the benefits of filtering web content is blocking inappropriate content in the workplace. It’s easy to point at porn as an example, but there is a lot of other content that can be offensive online. We work in diverse environments, and not everyone may be aware of content that may offend co-workers. It’s easier to nip the problem in the bud before it happens.
Another reason to enable web filtering is to protect bandwidth in the organization. Businesses have a limited pipe coming into their buildings. There’s only so much data you can fit in that pipe, and it can get filled quickly if everyone is streaming YouTube videos or music on Spotify.
Finally, we want to block malicious content. This makes sense from a security standpoint. We need to ensure that exploits aren’t introduced into the business and that sensitive data isn’t exfiltrated.
Of course, these reasons help ensure that computers continue to work as expected in the workplace.
What Web Traffic Can be Filtered on a FortiGate Firewall?
Now that you know why you want to filter content in a firewall, let’s discuss what content you can filter. First, you can block specific URLs. Blocklisting and allowlisting URLs are two of the original ways to block content online.
If you want to block the Facebook website, add "facebook.com" to the blocklist. URL filtering also supports wildcards so that you can block all content from a specific domain or only specific pages from a domain.
With Next-Gen FortiGate firewalls, we can also filter traffic based on its content and on the application generating it. The FortiGate Next-Gen Firewall uses heuristics and AI to analyze traffic and block it based on specific criteria.
Another option is to block content based on category. FortiGate has an extensive list of websites that are categorized based on their offerings. For instance, Facebook is categorized based on its offering of Skype, which is regarded as a telephony website. Administrators can block all social media or telephony websites in their rules.
How to See Which Category a Website Belongs to for Category Filtering for FortiGate
After reading the section above, you may wonder how to check which category a website belongs to in the FortiGate Firewall list. FortiGate offers tools to do this, such as its Web Filter Lookup.
In the form on that website, enter the URL of the domain in question. Then select the Fortinet OS version you are using in your Firewall and perform your search.
FortiGate will return the results for the domain, explaining which category it is listed under in the Fortinet OS.
Other Considerations: Next-Generation Firewall Modes
There's one small thing to keep in mind when setting up web filtering. FortiGate devices can operate in two NGFW modes, which we touched on in the introduction. If you're not in profile mode, you may run into issues. The two modes are:
Profile-based Mode: This mode uses security profiles (such as web filter profiles) that can be applied to firewall policies.
Policy-based Mode: In this mode, security features are applied directly within the firewall policy without using separate profiles.
The mode can be configured in the system settings, and it's crucial to ensure that the device is operating in the desired mode before proceeding with configurations. To verify you're using the mode you want, you can use CLI commands.
To enable profile-based mode, use this:
config system settings
    set ngfw-mode profile-based
end
For policy-based mode, use this:
config system settings
    set ngfw-mode policy-based
end
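With profile-based mode set, the steps from the overview (build a URL blocklist, create a web filter profile, attach it to a policy) can be done from the same CLI. The following is an added example, not taken from the video or from Fortinet's documentation: the list and profile names, the table ID, and policy ID 1 are assumptions, and the lines starting with # are annotations for the reader.

```fortios
# 1. URL filter list: exact host plus a wildcard for its subdomains.
config webfilter urlfilter
    edit 1
        set name "example-blocklist"
        config entries
            edit 1
                set url "facebook.com"
                set type simple
                set action block
            next
            edit 2
                set url "*.facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end
# 2. Web filter profile: reference the URL list and block one category.
config webfilter profile
    edit "example-webfilter"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    # 37 = Social Networking; confirm the ID on your firmware.
                    set category 37
                    set action block
                next
            end
        end
    next
end
# 3. Attach the profile to an existing policy (ID 1 is assumed here).
config firewall policy
    edit 1
        set utm-status enable
        # Certificate inspection lets the filter see HTTPS hostnames.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "example-webfilter"
    next
end
```

Category filtering depends on an active FortiGuard web filtering subscription, and option names can differ between FortiOS versions, so check the result with show webfilter profile before relying on it.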
Want to Learn How to Use Fortinet's FortiGate Firewall?
Web filtering is a critical feature for ensuring a secure and productive networking environment. Whether you're aiming to block inappropriate content, manage bandwidth usage, or protect your network from malicious threats, configuring web filtering on a FortiGate Firewall is a powerful way to achieve these goals.
By leveraging Fortinet's robust Next-Gen Firewall capabilities, you can take control of your network traffic with precision and confidence. Are you ready to learn more about how to leverage Fortinet’s popular firewall platform? CBT Nuggets offers a wide range of Fortinet training courses to help you make the most out of FortiGate.
Not a CBT Nuggets subscriber? Claim your free week of training.