Configuring a protection profile Firewall Protection Profile
FortiGate Version 4.0 MR1 Administration Guide
494 01-410-89802-20090903
Figure 283: Protection Profile Web Filtering options (SSL content scanning and inspection)
Web Content Filter
Select to filter HTTP and HTTPS web pages based on matching the content of the web page with the words or patterns in the selected web content filter list. For more information, see “Web content filter” on page 552.

Web content filter list
Select the web content filter list to add to the protection profile. For more information, see “Creating a new web content filter list” on page 553.
Threshold
Enter a web content filter threshold.
Each entry in the web content filter list added to the protection profile includes a score. When a web page is matched with an entry in the content block list the score is recorded. If a web page matches more than one entry the score for the web page increases. When the total score for a web page equals or exceeds the threshold the page is blocked.
The default score for a content block list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages are blocked only if there are multiple matches.
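As an added example that is not part of the guide, the following Python models the threshold arithmetic described above: each matched list entry contributes its score once, and the page is blocked when the total equals or exceeds the threshold. The entry patterns, scores and sample page text are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ContentFilterEntry:
    """One entry of a (constructed) web content filter list."""
    pattern: str            # a word, or a regular expression when is_regex is set
    score: int = 10         # the guide's default per-entry score
    is_regex: bool = False


def score_page(page_text: str, entries: list) -> int:
    """Return the accumulated score for a page.

    Each entry that matches contributes its score once; matching several
    entries adds their scores together. Counting an entry once per page
    (rather than once per occurrence) is an assumption of this example.
    """
    total = 0
    for entry in entries:
        if entry.is_regex:
            regex = entry.pattern
        else:
            regex = r"\b" + re.escape(entry.pattern) + r"\b"  # whole-word match
        if re.search(regex, page_text, re.IGNORECASE):
            total += entry.score
    return total


def is_blocked(page_text: str, entries: list, threshold: int = 10) -> bool:
    """Block when the total score equals or exceeds the threshold (default 10)."""
    return score_page(page_text, entries) >= threshold


# Constructed sample list and pages (not taken from the guide).
SAMPLE_LIST = [
    ContentFilterEntry("casino"),                                 # score 10
    ContentFilterEntry("poker"),                                  # score 10
    ContentFilterEntry(r"free\s+bets?", score=5, is_regex=True),  # score 5
]
PAGE_ONE_MATCH = "Welcome to our online casino lounge."
PAGE_MANY_MATCHES = "Casino poker night: free bets for new players!"

if __name__ == "__main__":
    # With the defaults (score 10, threshold 10) a single match blocks the page.
    print(is_blocked(PAGE_ONE_MATCH, SAMPLE_LIST))                  # True
    # Raising the threshold to 20 requires multiple matches before blocking.
    print(is_blocked(PAGE_ONE_MATCH, SAMPLE_LIST, threshold=20))    # False
    print(is_blocked(PAGE_MANY_MATCHES, SAMPLE_LIST, threshold=20))  # True
```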
Web URL Filter
Select to block HTTP and HTTPS web pages based on matching the URL of the web page with a URL in the selected URL filter list. For more information, see “URL filter” on page 555.

Web URL filter list
Select the URL filter list to add to this protection profile. For more information, see “Creating a new URL filter list” on page 556.

ActiveX Filter
Select to block ActiveX controls.

Cookie Filter
Select to block cookies.

Java Applet Filter
Select to block Java applets.

Web Resume Download Block
Select to block downloading parts of a file that have already been downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.
Block invalid URLs
Select to block web sites whose SSL certificate’s CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
• If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
• If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.