Fortinet FortiGate Series Administration Manual page 494

Configuring a protection profile
Firewall Protection Profile
FortiGate Version 4.0 MR1 Administration Guide

Figure 283: Protection Profile Web Filtering options (SSL content scanning and inspection)

Web Content Filter
Select to filter HTTP and HTTPS web pages based on matching the content of the web page with the words or patterns in the selected web content filter list. For more information, see "Web content filter" on page 552.

Web content filter list
Select the web content filter list to add to the protection profile. For more information, see "Creating a new web content filter list" on page 553.

Threshold
Enter a web content filter threshold.
Each entry in the web content filter list added to the protection profile includes a score. When a web page is matched with an entry in the content block list the score is recorded. If a web page matches more than one entry the score for the web page increases. When the total score for a web page equals or exceeds the threshold the page is blocked.
The default score for a content block list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages can only be blocked if there are multiple matches.

Web URL Filter
Select to block HTTP and HTTPS web pages based on matching the URL of the web page with a URL in the selected URL filter list. For more information, see "URL filter" on page 555.

Web URL filter list
Select the URL filter list to add to this protection profile. For more information, see "Creating a new URL filter list" on page 556.

ActiveX Filter
Select to block ActiveX controls.

Cookie Filter
Select to block cookies.

Java Applet Filter
Select to block Java applets.

Web Resume Download Block
Select to block downloading parts of a file that have already been downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.

Block invalid URLs
Select to block web sites whose SSL certificate's CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
- If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
- If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
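
The scoring rule described under Threshold, modeled as an added Python example (not Fortinet code and not part of the manual). The sample pages, word lists and tuned values are constructed; the model assumes each entry's score counts once per page and that patterns are plain case-insensitive substrings.

```python
from dataclasses import dataclass

DEFAULT_SCORE = 10      # manual: default score of a content block list entry
DEFAULT_THRESHOLD = 10  # manual: default threshold

@dataclass(frozen=True)
class Entry:
    pattern: str
    score: int = DEFAULT_SCORE

def page_score(page_text, entries):
    """Return (total score, matched patterns) for one page."""
    # Assumption: one hit per entry, however often its pattern occurs.
    text = page_text.lower()
    matched = [e for e in entries if e.pattern.lower() in text]
    return sum(e.score for e in matched), [e.pattern for e in matched]

def is_blocked(page_text, entries, threshold=DEFAULT_THRESHOLD):
    return page_score(page_text, entries)[0] >= threshold

def min_matches_to_block(entries, threshold):
    """Fewest distinct entries that can reach the threshold; None if unreachable."""
    total = 0
    scores = sorted((e.score for e in entries), reverse=True)
    for count, score in enumerate(scores, 1):
        total += score
        if total >= threshold:
            return count
    return None  # the list can never block anything at this threshold

# Constructed sample input: a news article with one incidental hit and a target page.
NEWS_PAGE = "Regulators publish new rules for online casino advertising."
TARGET_PAGE = "Online casino: poker, jackpot slots and free betting tips."
WORDS = ("casino", "poker", "jackpot", "betting")
DEFAULT_LIST = [Entry(w) for w in WORDS]   # score 10 each, threshold 10
TUNED_LIST = [Entry(w, 5) for w in WORDS]  # score 5 each
TUNED_THRESHOLD = 15                       # needs three distinct matches

def compare():
    """(page, blocked with defaults, blocked with tuned values) per sample page."""
    return [(name,
             is_blocked(page, DEFAULT_LIST),
             is_blocked(page, TUNED_LIST, TUNED_THRESHOLD))
            for name, page in (("news", NEWS_PAGE), ("target", TARGET_PAGE))]

if __name__ == "__main__":
    for name, default_verdict, tuned_verdict in compare():
        print(f"{name}: default={default_verdict} tuned={tuned_verdict}")
```

A None result from min_matches_to_block flags a threshold set higher than the list's combined scores, in which case the filter never blocks a page.
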
01-410-89802-20090903
http://docs.fortinet.com/