Firewall Protection Profile Configuring a protection profile
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424 413
http://docs.fortinet.com/
Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. To configure replacement messages, go to System > Config > Replacement Messages.

For more information on web filter configuration options, see “Web Filter” on page 475. For details on how web URL filter lists are used with HTTP and HTTPS URLs, see “URL formats” on page 486.
FortiGuard Web Filtering options
You can enable and apply FortiGuard Web Filtering options using a protection profile. If you have blocked a pattern using FortiGuard Web Filtering but want certain users to have access to URLs within the pattern, you can use the FortiGate web filtering override feature. For more information about FortiGuard web filtering, see “FortiGuard - Web Filter” on page 487.

You can configure FortiGuard Web Filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection, and you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan, you can select all but one of the same web filtering options for HTTPS as for HTTP. If your FortiGate unit does not support SSL content scanning and inspection, or you have set HTTPS Content Filtering Mode to URL Filtering, fewer options are available for HTTPS. See the field descriptions below for details.
ActiveX Filter
    Select to block ActiveX controls.

Cookie Filter
    Select to block cookies.

Java Applet Filter
    Select to block Java applets.

Web Resume Download Block
    Select to block downloading parts of a file that have already been downloaded. Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.

Block invalid URLs
    Select to block web sites whose SSL certificate’s CN field does not contain a valid domain name.
    FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
    • If the request is made directly to the web server, rather than to a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
    • If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by the IP address, the domain name, or both are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.

HTTP POST Action
    Select the action to take with HTTP POST traffic.
    Normal
        Do not affect HTTP POST traffic.
    Block
        Block HTTP POST requests. When the POST request is blocked, the FortiGate unit sends a web page to the user’s web browser instead of the requested POST page. You can configure the content of this web page by going to System > Config > Replacement Messages and customizing the HTTP > POST message.
    Comfort
        Use the comfort amount and interval settings to send “comfort” bytes to the server in case the client connection is too slow. Select this option to prevent a server timeout when scanning or another filtering tool is turned on.
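The Web Resume Download Block and Block invalid URLs descriptions above both come down to a per-request decision: is this a partial (resumed) download, and can the server's certificate CN be used for a rating query? The following Python script is an added illustration, not FortiGate code and not the unit's actual implementation: it parses the HTTP Range header to detect a resumed download, checks whether a CN holds a valid domain name (the interpretation of "valid" here, including acceptance of a leading wildcard label and rejection of bare IP addresses, is an assumption), and returns the rating behaviour described for the Block invalid URLs option. The profile settings, request records and CN values are constructed samples.

```python
"""Added example (not FortiGate code): a toy evaluator for two of the
web-filtering decisions documented above, run over constructed requests."""
import ipaddress
import re

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumed mapping of the HTTP POST Action setting onto a per-request decision.
POST_ACTIONS = {
    "normal": "allow POST",
    "block": "block POST (serve HTTP > POST replacement message)",
    "comfort": "allow POST (send comfort bytes to server)",
}


def cn_has_valid_domain(cn):
    """True if the certificate CN field contains a valid domain name.

    Assumption for this example: a bare IP address, a single label without a
    dot, or any malformed label is not a valid domain name; '*.example.com'
    (leading wildcard label) is accepted."""
    if not cn or len(cn) > 253:
        return False
    try:
        ipaddress.ip_address(cn)
        return False          # an IP address is not a domain name
    except ValueError:
        pass
    labels = cn.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]   # wildcard certificate: validate the rest
    if len(labels) < 2:
        return False          # 'localhost', '*.com' and similar are rejected
    return all(_LABEL.match(label) for label in labels)


def rating_query(cn, via_proxy, block_invalid_urls):
    """How a FortiGuard category-rating lookup would be made for one HTTPS
    request, following the Block invalid URLs behaviour described above.
    Returns 'by-domain', 'block', 'by-ip' or 'skip'."""
    if cn_has_valid_domain(cn):
        return "by-domain"    # assumption: a valid CN is rated by domain name
    if block_invalid_urls:
        return "block"        # option enabled: invalid CN means the site is blocked
    if via_proxy:
        return "skip"         # real server IP unknown, no reliable query possible
    return "by-ip"            # direct request: rated by IP address only


def is_resume_request(headers):
    """True if the request asks for only part of a file (HTTP Range header),
    which is what Web Resume Download Block stops. A single 'bytes=0-' range
    asks for the whole file from the start and is not treated as a resume."""
    value = next((v for k, v in headers.items() if k.lower() == "range"), None)
    if not value or not value.lower().startswith("bytes="):
        return False
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    if len(specs) != 1:
        return True           # multiple ranges never cover the whole file
    first, _, last = specs[0].partition("-")
    return not (first == "0" and last == "")


def evaluate_request(profile, request):
    """Apply the constructed profile settings to one constructed request and
    return the list of decisions a filter would make."""
    decisions = []
    if profile["block_web_resume"] and is_resume_request(request["headers"]):
        decisions.append("block partial download (Web Resume Download Block)")
    if request["method"].upper() == "POST":
        decisions.append(POST_ACTIONS[profile["http_post_action"]])
    decisions.append("rating " + rating_query(
        request["cn"], request["via_proxy"], profile["block_invalid_urls"]))
    return decisions


# Constructed sample profile and requests (not from any real device).
PROFILE = {"block_web_resume": True, "block_invalid_urls": False,
           "http_post_action": "block"}

SAMPLE_REQUESTS = [
    {"method": "GET", "cn": "www.example.com", "via_proxy": False,
     "headers": {"Range": "bytes=1048576-"}},          # resumed download
    {"method": "POST", "cn": "203.0.113.10", "via_proxy": False,
     "headers": {}},                                    # IP-only CN, direct
    {"method": "GET", "cn": "203.0.113.10", "via_proxy": True,
     "headers": {"Range": "bytes=0-"}},                 # IP-only CN, via proxy
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["cn"], "->", evaluate_request(PROFILE, req))
```

Running the script prints one decision list per sample request; the third request shows the case the text warns about, where a proxy hides the real server address and no rating query is made at all unless Block invalid URLs is enabled.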