Fortinet 201 FG Web Filtering

© 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 01-50003-0201-20131018-D

FortiGate Multi-Threat Security Systems I

Module 9: Web Filtering

Upload: blas-diaz

Post on 14-Oct-2015

DESCRIPTION

Firewall fortigate sample

TRANSCRIPT

  • 5/24/2018 Fortinet 201 FG Web Filtering

    FortiGate Multi-Threat Security Systems I

    Module 9: Web Filtering

  • Module Objectives

    By the end of this module participants will be able to:

    Identify the web filtering mechanisms used on the FortiGate device

    Create web content and URL filters

    Configure FortiGuard Web Filtering

    Configure FortiGuard Web Filtering exemptions and rating overrides

    Define firewall policies using web filter profiles

    Explain the differences between various web filter modes

  • Web Filtering

    Means of controlling the web content that a user is able to view

    Preserve employee productivity

    Prevent network congestion where valuable bandwidth is used for non-business purposes

    Prevent loss or exposure of confidential information

    Decrease exposure to web-based threats

    Limit legal liability when employees access or download inappropriate or offensive material

    Prevent copyright infringement caused by employees downloading or distributing copyrighted materials

    Prevent children from viewing inappropriate material

  • Proxy-Based Web Filtering

    Proxy-based solution that communicates between client and server

    Inspects full URL

    Allows for customizable block pages to display when sites are prevented

    Most resource intensive option

    Lowest throughput

    Has the most options available in Advanced section

  • Proxy-Based Web Filtering

    Select inspection mode in web filter profile

  • Flow-Based Web Filtering

    Non-proxy solution that uses IPS engine to perform inspection

    High throughput

    Inspects full URL

    FortiGuard Web Filtering override will not apply when flow-based inspection is enabled

    Only a few Advanced options available

    Not as flexible as proxy-based

    Allow, Monitor, Block ONLY

    Warn and Authenticate not possible

    Overrides not possible

  • Flow-Based Web Filtering

    Select inspection mode in web filter profile

  • DNS-Based Web Filtering

    DNS-proxy solution that uses DNS queries to decide access

    DNS queries redirected to FortiGuard SDNS server

    Very lightweight

    SSL inspection never required

    Cannot inspect URL, only hostname (DNS)

    Supports URL Filtering and FortiGuard Category only

    No individual block pages, can redirect to a portal

    Web site access by IP means no DNS lookup

  • DNS-Based Web Filtering

    Select inspection mode in web filter profile

  • When Does Filtering Activate?

    [Diagram: client request to www.acme.com, with the labels DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET and HTTP 200, and two "!" markers]

  • HTTP Inspection Order

    [Diagram: a URL passes through stages labelled Virus Scan, Advanced Filter, Content Filter, FortiGuard Filter and Web URL Filter; each stage has Allow and Block outcomes, and Block leads to a Block Page; the Exempt outcome is labelled "EXEMPT (from ALL further inspection)"; the final outcome is Display Page]

  • Types of Web Filtering

    Proxy-Based

      Highly secure

      Traffic is cached

    Flow-Based

      High throughput

      No caching

      Not as secure

    DNS-Based

      Very lightweight

      Hostname filtering only

      No advanced options, URL and FortiGuard only

  • Web Content Filtering

    Create Pattern list in the CLI

    Allow or block web pages containing specific words or patterns

    Wildcards or regular expressions used to define patterns

    Scores for matched patterns are added

    If greater than threshold, FortiGate unit performs configured action

    If pattern appears multiple times on web page, score is only counted once

    [Diagram: page from www.acme.com checked against the patterns Drugs (Score=10), Pharmacy (Score=5) and Prescription (Score=5); Threshold=18; 10 + 5 + 5 = 20; Block or Exempt]
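The scoring rule on this slide, as an added example that is not part of the original slides and is not FortiOS code: each pattern contributes its score at most once per page, and the configured action fires only when the total is greater than the threshold. The pattern list, the sample pages and the wildcard-to-regex translation are constructed for illustration and are assumptions, not FortiGate matching semantics.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    text: str   # pattern as entered in the list
    kind: str   # "wildcard" or "regex"
    score: int


def _compile(p):
    """Compile a list entry into a case-insensitive regex (simplified model)."""
    if p.kind == "regex":
        return re.compile(p.text, re.IGNORECASE)
    # Wildcard: escape everything, then re-enable * and ? within a word.
    body = re.escape(p.text).replace(r"\*", r"\S*").replace(r"\?", r"\S")
    return re.compile(body, re.IGNORECASE)


def score_page(page_text, patterns):
    """Return (total, matched); a pattern that matches many times counts once."""
    matched = [p for p in patterns if _compile(p).search(page_text)]
    return sum(p.score for p in matched), matched


def decide(page_text, patterns, threshold, action="block"):
    """Apply the configured action only when total > threshold (not >=)."""
    total, matched = score_page(page_text, patterns)
    verdict = action if total > threshold else "pass"
    return verdict, total, [p.text for p in matched]


# Constructed pattern list using the slide's scores (10, 5, 5).
PATTERNS = [
    Pattern("drugs", "wildcard", 10),
    Pattern("pharmac*", "wildcard", 5),
    Pattern(r"prescriptions?", "regex", 5),
]

# Constructed sample pages.
PAGE_ALL = "Online pharmacy: order prescription drugs. Cheap drugs, more drugs."
PAGE_REPEAT = "Drugs, drugs, drugs: a policy paper on drugs and public health."

if __name__ == "__main__":
    for page in (PAGE_ALL, PAGE_REPEAT):
        print(decide(page, PATTERNS, threshold=18))
```

With the slide's threshold of 18, the first page totals 20 and is blocked, while the second page repeats one pattern and still totals 10. A total equal to the threshold does not trigger the action, which matters when tuning scores to avoid false positives.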

  • Web URL Filtering

    Control web access by allowing or blocking URLs

    Text, wildcards or regular expressions can be used to define the URL patterns

    If no URL match on list, go on to next enabled check

    Possible web URL filter actions are:

      Allow

      Block

      Monitor

      Exempt

  • Web URL Filtering

    [Diagram: the URL www.mypage.com/index.html, requested from www.mypage.com, is checked against a URL Filter list containing www.example.com, www.abc.com and www.mypage.com/index.html; the actions shown are Block, Allow, Monitor and Exempt]

  • Forcing Safe Search

    Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results

    FortiGate unit rewrites the search URL to include the required codes to enable Safe Search

    Supported for Google, Bing, Yahoo! and Yandex

    Does NOT force strict safe search

    YouTube EDU available

    Instructions for YouTube will include value to enter on FortiGate unit

  • FortiGuard Category Filter

    [Diagram: the URL www.mypage.com is looked up against Categories; the actions shown are Block, Allow, Monitor, Authenticate and Warning]

  • FortiGuard Category Filter

    The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page

    Action is taken based on selection in web filtering profile

    Web filter rating determined by:

      Human rater

      Text analysis

      Exploitation of web structure

    Description of Categories can be found on FortiGuard website

    http://www.fortiguard.com/static/webfiltering.html

  • FortiGuard Category Filter

    Split into multiple categories and sub-categories

    Layout will switch periodically as the Internet changes

    New categories and sub-categories are released and compatible with updated firmware

    Older firmware has new values mapped to existing categories

  • FortiGuard Caching

    Most web sites are visited over and over again

    FortiGate unit can remember what the response was

    Caching improves performance by reducing FortiGate unit requests to FortiGuard servers

    Cache checked before sending request to FortiGuard server

    TTL setting controls the number of seconds query results are cached

    Small amount of FortiGate unit system memory dedicated to the cache

    Default is 2% used for cache, can be increased to 15% from CLI

    Port 53 used for FortiGuard communications

    Alternate port number of 8888 can be used

    KB Article IDs: 11779, FD32121, FD30088

  • FortiGuard Usage Quotas

    [Diagram: repeated requests labelled "Category: Games" and "Games Quota"]

    Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)

    If authentication is enabled, quota is automatically based on the user, otherwise IP is used

    Can only apply to categories with actions: Monitor, Warn or Authenticate

  • Rating Submissions

    Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing: http://www.fortiguard.com/ip_rep.php

  • Rating Override

    [Diagram: www.acme.com, Category: General Organizations, Sub-Category: Information and Computer Security, Rating override]

  • Rating Override

    Can override the rating applied to a hostname by FortiGuard Subscription Services

    Hostname reassigned to a completely different category and uses that action

    Override applies to FortiGate unit only

    Changes not submitted to FortiGuard Subscription Services

    Hostnames only

      google.com

      www.google.com

      www.google.com/index.html

  • Local Categories

    Rename and deletion of sub-categories only in CLI

    config webfilter ftgd-local-cat

    delete

    rename to

  • Warning Action

    Action = Warning (right click in the GUI)

    Web Filtering Warning Page

  • Authenticate Action

    [Screenshot labels: www.hackthissite.org, Marketing]

  • Web Filter Profiles

    Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles

    Profile in turn applied to firewall policy

    Any traffic being examined by the policy will have the web filtering operations applied to it

  • Labs

    Lab 1: Web Filtering

    Ex 1: FortiGuard Web Filtering

  • Classroom Lab Topology