Fortinet 201 FG Web Filtering

Oct 15, 2015

hackbxl
Transcript
  • 1

    © 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 01-50003-0201-20131018-D

    FortiGate Multi-Threat Security Systems I

    Module 9: Web Filtering

  • 2

    Module Objectives

    By the end of this module participants will be able to:

    Identify the web filtering mechanisms used on the FortiGate device

    Create web content and URL filters

    Configure FortiGuard Web Filtering

    Configure FortiGuard Web Filtering exemptions and rating overrides

    Define firewall policies using web filter profiles

    Explain the differences between various web filter modes

  • 3

    Web Filtering

    Means of controlling the web content that a user is able to view

    Preserve employee productivity

    Prevent network congestion where valuable bandwidth is used for non-business purposes

    Prevent loss or exposure of confidential information

    Decrease exposure to web-based threats

    Limit legal liability when employees access or download inappropriate or offensive material

    Prevent copyright infringement caused by employees downloading or distributing copyrighted materials

    Prevent children from viewing inappropriate material

  • 4

    Proxy-Based Web Filtering

    Proxy-based solution that communicates between client and server

    Inspects full URL

    Allows for customizable block pages to display when sites are blocked

    Most resource-intensive option

    Lowest throughput

    Has the most options available in the Advanced section

  • 5

    Proxy-Based Web Filtering

    Select inspection mode in web filter profile

  • 6

    Flow-Based Web Filtering

    Non-proxy solution that uses IPS engine to perform inspection

    High throughput

    Inspects full URL

    FortiGuard Web Filtering override will not apply when flow-based inspection is enabled

    Only a few Advanced options available

    Not as flexible as proxy-based

    Allow, Monitor, Block ONLY

    Warn and Authenticate not possible

    Overrides not possible

  • 7

    Flow-Based Web Filtering

    Select inspection mode in web filter profile

  • 8

    DNS-Based Web Filtering

    DNS-proxy solution that uses DNS queries to decide access

    DNS queries redirected to FortiGuard SDNS server

    Very lightweight

    SSL inspection never required

    Cannot inspect URL, only hostname (DNS)

    Supports URL Filtering and FortiGuard Category only

    No individual block pages, can redirect to a portal

    Web site access by IP means no DNS lookup

  • 9

    DNS-Based Web Filtering

    Select inspection mode in web filter profile

  • 10

    When Does Filtering Activate?

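    [Diagram: client request for www.acme.com. Labelled exchanges: DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET, HTTP 200, with "!" markers on the points where filtering activates.]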

  • 11

    HTTP Inspection Order

    [Flowchart: stages labelled Web URL Filter, FortiGuard Filter, Content Filter, Advanced Filter and Virus Scan. Each stage has Allow and Block outcomes; Block leads to a Block Page. A URL Exempt outcome is marked EXEMPT (from ALL further inspection). The final outcome is Display Page.]

  • 12

    Types of Web Filtering

    Proxy-Based

    Highly secure

    Traffic is cached

    Flow-Based

    High throughput

    No caching

    Not as secure

    DNS-Based

    Very lightweight

    Hostname filtering only

    No advanced options, URL and FortiGuard only

  • 13

    Web Content Filtering

    Allow or block web pages containing specific words or patterns

    Create pattern list in the CLI

    Wildcards or regular expressions used to define patterns

    Scores for matched patterns are added

    If greater than threshold, FortiGate unit performs configured action

    If pattern appears multiple times on web page, score is only counted once

    Example (www.acme.com): Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18; 10 + 5 + 5 = 20; Block or Exempt
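
The scoring rule on this slide, as an added Python sketch (not Fortinet code and not FortiOS CLI syntax): each pattern contributes its score at most once per page, and the action fires only when the total is greater than the threshold. The scores and threshold are the slide's; the pattern syntax, sample pages and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Pattern:
    text: str    # word, wildcard or regular expression to look for
    kind: str    # "wildcard" or "regex"
    score: int

    def regex(self) -> str:
        if self.kind == "regex":
            return self.text
        # Wildcard: * matches any run of characters, ? matches one character.
        return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                       for c in self.text)

    def found_in(self, page: str) -> bool:
        flags = re.IGNORECASE | re.DOTALL
        return re.search(self.regex(), page, flags) is not None

# Scores and threshold from the slide; pattern spellings are constructed.
PATTERNS = [
    Pattern("drugs", "wildcard", 10),
    Pattern("pharmac*", "wildcard", 5),
    Pattern(r"prescriptions?", "regex", 5),
]
THRESHOLD = 18

def evaluate(page, patterns=PATTERNS, threshold=THRESHOLD, action="block"):
    """Return (total score, verdict). A pattern counts once however often it appears."""
    total = sum(p.score for p in patterns if p.found_in(page))
    return total, (action if total > threshold else "pass")

# Constructed sample pages.
PAGE_A = "Online pharmacy: cheap drugs, no prescription needed. Drugs shipped overnight."
PAGE_B = "Drugs, drugs, drugs: a history of drugs policy."
PAGE_C = "Your local pharmacy fills every prescription."

if __name__ == "__main__":
    for name, page in (("A", PAGE_A), ("B", PAGE_B), ("C", PAGE_C)):
        print(name, evaluate(page))
```

Page B repeats one pattern four times and still scores 10, which is why a threshold has to be chosen against combinations of patterns rather than repetition of a single word.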

  • 14

    Web URL Filtering

    Control web access by allowing or blocking URLs

    Text, wildcards or regular expressions can be used to define the URL patterns

    If no URL match on list, go on to next enabled check

    Possible web URL filter actions are:

    Allow

    Block

    Monitor

    Exempt

  • 15

    Web URL Filtering

    [Diagram: a request for URL www.mypage.com/index.html, destined for www.mypage.com, is checked against a URL Filter list containing www.example.com, www.abc.com and www.mypage.com/index.html. Possible actions: Block, Allow, Monitor, Exempt.]
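
The URL filter lookup described on the two slides above, as an added Python sketch (not Fortinet code): a request is compared against text, wildcard and regular-expression entries, and no match means the next enabled check runs. First-match-wins ordering, the matching rules for each entry type, the list entries and the function names are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed list; evaluated top-down, first match wins (assumption).
URL_FILTER = [
    ("simple",   "www.example.com",             "block"),
    ("wildcard", "*.abc.com",                   "monitor"),
    ("regex",    r"^www\.mypage\.com/admin/.*", "block"),
    ("simple",   "www.mypage.com/index.html",   "exempt"),
]

def normalize(url):
    """Reduce a URL to 'host/path': no scheme, port, query or fragment."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "//" + url
    parts = urlsplit(url)
    return (parts.hostname or "") + parts.path

def entry_matches(kind, pattern, target):
    if kind == "simple":
        # Match the entry itself or anything below it, never a longer hostname.
        return target == pattern or target.startswith(pattern.rstrip("/") + "/")
    if kind == "wildcard":
        # * may not cross a '/', so a hostname wildcard cannot match inside a path.
        rx = "".join("[^/]*" if c == "*" else re.escape(c) for c in pattern)
        return re.fullmatch(rx + "(/.*)?", target) is not None
    if kind == "regex":
        return re.search(pattern, target) is not None
    raise ValueError(f"unknown entry type: {kind}")

def url_filter(url, entries=URL_FILTER):
    """Return the action of the first matching entry, or None if nothing matches."""
    target = normalize(url)
    for kind, pattern, action in entries:
        if entry_matches(kind, pattern, target):
            return action
    return None  # no URL match on list: go on to next enabled check

def continues_inspection(action):
    # Exempt skips all further inspection and block ends the request;
    # allow, monitor and no-match hand the request to the later checks.
    return action in (None, "allow", "monitor")

if __name__ == "__main__":
    for u in ("www.mypage.com/index.html", "news.abc.com/story",
              "www.example.com.other.test/", "www.mypage.com/about"):
        print(u, "->", url_filter(u))
```

Because an exempt entry removes the request from every later check, including virus scanning, exempt patterns are the ones to keep as narrow as possible.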

  • 16

    Forcing Safe Search

    Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results

    FortiGate unit rewrites the search URL to include the required codes to enable Safe Search

    Supported for Google, Bing, Yahoo! and Yandex

    Does NOT force strict safe search

    YouTube EDU available

    Instructions for YouTube will include value to enter on FortiGate unit

  • 17

    FortiGuard Category Filter

    [Diagram: a request for URL www.mypage.com is looked up under Categories. Possible actions: Allow, Block, Monitor, Warning, Authenticate.]

  • 18

    FortiGuard Category Filter

    The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page

    Action is taken based on selection in web filtering profile

    Web filter rating determined by:

    Human rater

    Text analysis

    Exploitation of web structure

    Description of Categories can be found on FortiGuard website

    http://www.fortiguard.com/static/webfiltering.html

  • 19

    FortiGuard Category Filter

    Split into multiple categories and sub-categories

    Layout will switch periodically as the Internet changes

    New categories and sub-categories are released and compatible with updated firmware

    Older firmware has new values mapped to existing categories

  • 20

    FortiGuard Caching

    Most web sites are visited over and over again

    FortiGate unit can remember what the response was

    Caching improves performance by reducing FortiGate unit requests to FortiGuard servers

    Cache checked before sending request to FortiGuard server

    TTL setting controls the number of seconds query results are cached

    Small amount of FortiGate unit system memory dedicated to the cache

    Default is 2% used for cache, can be increased to 15% from CLI

    Port 53 used for FortiGuard communications

    Alternate port number of 8888 can be used

    KB Article IDs: 11779, FD32121, FD30088

  • 21

    FortiGuard Usage Quotas

    [Diagram: repeated requests to sites in Category: Games, each counted against a Games Quota.]

    Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)

    If authentication is enabled, quota is automatically based on the user, otherwise IP is used

    Can only apply to categories with actions: Monitor, Warn or Authenticate

  • 22

    Rating Submissions

    Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing:

    http://www.fortiguard.com/ip_rep.php

  • 23

    Rating Override

    www.acme.com

    Category:

    General Organizations

    Sub-Category: Information and Computer Security

    Rating override

  • 24

    Rating Override

    Can override the rating applied to a hostname by FortiGuard Subscription Services

    Hostname reassigned to a completely different category and uses that action

    Override applies to FortiGate unit only

    Changes not submitted to FortiGuard Subscription Services

    Hostnames only

    google.com

    www.google.com

    www.google.com/index.html

  • 25

    Local Categories

    Rename and deletion of sub-categories only in CLI

    config webfilter ftgd-local-cat

    delete

    rename to

  • 26

    Warning Action

    Action = Warning (right click in the GUI)

    Web Filtering Warning Page

  • 27

    Authenticate Action

    www.hackthissite.org

    Marketing

  • 28

    Web Filter Profiles

    Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles

    Profile in turn applied to firewall policy

    Any traffic being examined by the policy will have the web filtering operations applied to it

  • 29

    Labs

    Lab 1: Web Filtering

    Ex 1: FortiGuard Web Filtering

  • 30

    Classroom Lab Topology