4.2 Web Filtering & Application Control
Key Takeaways
- The FortiGuard web filtering service classifies websites into categories, and each category can be set to Allow, Block, Monitor, or Warning.
- URL filters and rating overrides let an administrator override FortiGuard's classification for specific sites, and URL-filter entries are evaluated before category actions.
- Application Control identifies applications by signature regardless of port or protocol, so it can detect traffic that evades port-based firewall rules.
- Application Control actions include Allow, Monitor, Block, and Quarantine, and traffic shaping can be applied per application or application category.
- Web Filter can match full URLs and keywords only when full SSL inspection is enabled; with certificate inspection it is limited to category and hostname.
The Web Filter Profile
Web Filtering controls which websites users can reach. The Web Filter profile is a security profile attached to a firewall policy, and its primary engine is the FortiGuard web filtering service, a cloud-backed database that classifies billions of URLs.
FortiGuard Categories
FortiGuard organizes the web into roughly 90 categories grouped under broad category groups such as Potentially Liable, Adult/Mature Content, Bandwidth Consuming, Security Risk, General Interest - Personal, and General Interest - Business. When a user requests a site, the FortiGate queries the FortiGuard service (or its local cache), receives the category rating, and applies the action configured for that category.
Category Actions
Each category — or category group — is assigned one of four actions:
- Allow — the request proceeds and is not logged for web filtering.
- Block — the request is denied and the user sees a FortiGuard block replacement page.
- Monitor — the request is allowed but a log entry is generated, giving visibility without enforcement.
- Warning — the user sees an interstitial warning page and must click to proceed; the choice can be remembered for a configurable interval.
A related action, Authenticate, can require the user to enter credentials before continuing. Categories under Security Risk (Malicious Websites, Phishing, Spam URLs) are typically set to Block.
URL Filters
The URL filter is a static list inside the Web Filter profile that overrides category logic for specific entries. Each entry has a type — Simple, Wildcard, or Regular Expression — and an action of Allow, Block, Monitor, or Exempt. URL-filter entries are evaluated before FortiGuard category actions, so a URL filter is the way to permit one site in an otherwise blocked category, or block one site in an allowed category. The Exempt action additionally skips remaining inspection such as AntiVirus for that site.
Rating Overrides
A rating override changes the FortiGuard category assigned to a specific domain. If FortiGuard miscategorizes a partner site, or local policy needs a site treated differently, an administrator creates a rating override that re-rates the domain into a different category. From then on the site inherits the action configured for that new category. Use a rating override when you want a site to follow a category's action; use a URL filter when you want an explicit per-URL action.
Web Filter Actions Reference
| Action | Effect | Logged | User experience |
|---|---|---|---|
| Allow | Request proceeds normally | No (unless override) | No interruption |
| Block | Request denied | Yes | FortiGuard block replacement page |
| Monitor | Request allowed, recorded | Yes | No interruption |
| Warning | User must acknowledge before continuing | Yes | Interstitial warning page |
| Authenticate | User must enter credentials to continue | Yes | Authentication prompt |
Additional Web Filter controls:
- URL filter — static Allow / Block / Monitor / Exempt list evaluated before category actions.
- Rating override — re-rates a domain into a different FortiGuard category.
- Content/keyword filter — blocks pages containing banned words; requires full SSL inspection for HTTPS.
- FortiGuard quota — time or bandwidth limits per category group.
Exam tip: Remember the evaluation order — URL filter first, then FortiGuard category action. A site explicitly allowed in the URL filter is reachable even if its category is blocked.
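The evaluation order above, together with the certificate-inspection limit from the Key Takeaways, as a small Python model. This is an added example, not Fortinet code: the sites, the policy tables and the simplified Simple/Wildcard/Regular Expression matching rules are assumptions made for illustration and do not reproduce FortiOS's exact matching semantics.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed sample policy; every site and entry below is hypothetical.
URL_FILTER = [  # (type, pattern, action), checked top to bottom
    ("simple", "training.example.com/videos", "allow"),
    ("wildcard", "*.ads.example.net", "block"),
    ("regex", r"^files\.example\.org/.*\.exe$", "block"),
]
RATING_OVERRIDES = {"partner.example.com": "Business"}
FORTIGUARD_RATING = {  # stand-in for the FortiGuard query / local cache
    "training.example.com": "Streaming Media",
    "partner.example.com": "Streaming Media",
    "news.example.com": "News and Media",
}
CATEGORY_ACTION = {"Streaming Media": "block", "Business": "allow",
                   "News and Media": "monitor", "Unrated": "warning"}


def visible_target(url, ssl_inspection):
    """Return (host, string the URL filter can match against)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Certificate inspection exposes only the hostname of an HTTPS request.
    if parts.scheme == "https" and ssl_inspection == "certificate":
        return host, host
    query = "?" + parts.query if parts.query else ""
    return host, host + parts.path + query


def entry_matches(kind, pattern, target):
    """Simplified matching for Simple, Wildcard and Regular Expression entries."""
    if kind == "simple":  # exact, or prefix ending on a path boundary
        return target == pattern or target.startswith(pattern.rstrip("/") + "/")
    if kind == "wildcard":
        return any(fnmatch.fnmatchcase(target, p) for p in (pattern, pattern + "/*"))
    return re.search(pattern, target) is not None


def evaluate(url, ssl_inspection="full"):
    """Return (action, reason): URL filter first, then the category action."""
    host, target = visible_target(url, ssl_inspection)
    for kind, pattern, action in URL_FILTER:
        if entry_matches(kind, pattern, target):
            return action, "urlfilter:" + pattern
    # A rating override replaces the FortiGuard category for that domain.
    category = RATING_OVERRIDES.get(host) or FORTIGUARD_RATING.get(host, "Unrated")
    return CATEGORY_ACTION[category], "category:" + category
```

With `ssl_inspection="certificate"`, the path-based allow entry for the training site never matches, so the request falls through to the blocked Streaming Media category; a hostname-only entry or a rating override still works in that mode.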
Application Control
Application Control identifies and controls applications running on the network. While web filtering classifies websites, Application Control classifies applications and protocols — including ones that try to hide.
Signature-Based Application Identification
Application Control uses the FortiGuard application control signature database and the IPS engine to recognize applications by their traffic patterns rather than by port number. This matters because many modern applications (peer-to-peer clients, proxy/anonymizer tools, cloud apps) deliberately use common ports such as TCP 80 and 443 to bypass port-based firewall rules. A signature-based approach detects, for example, BitTorrent or a Tor connection even when it rides on port 443.
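To make the port-independence point concrete, the following added example (not FortiGuard signatures or Fortinet code) compares what a port-based rule would assume with what the first payload bytes show. The four byte-prefix checks, the sample flows and the per-application actions are constructed for illustration; real application signatures are far richer.

```python
# Protocol a port-based rule would assume for each destination port.
PORT_GUESS = {22: "SSH", 80: "HTTP", 443: "TLS"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed profile: per-application action; unknown traffic follows a
# profile-level option (Allow or Block).
APP_ACTION = {"BitTorrent": "block", "SSH": "monitor"}
UNKNOWN_ACTION = "allow"


def identify(payload):
    """Name the application from the first client bytes (toy signatures)."""
    if payload.startswith(b"\x13BitTorrent protocol"):  # handshake header
        return "BitTorrent"
    if payload.startswith(b"SSH-"):  # version banner
        return "SSH"
    if payload.startswith(HTTP_METHODS):
        return "HTTP"
    # TLS record: type 0x16, version 0x03xx, handshake type 0x01 (ClientHello)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    return "unknown"


def verdict(dst_port, payload):
    """Compare the port-based assumption with the signature-based result."""
    app = identify(payload)
    guess = PORT_GUESS.get(dst_port)
    action = UNKNOWN_ACTION if app == "unknown" else APP_ACTION.get(app, "allow")
    return {"port_guess": guess or "unknown", "app": app, "action": action,
            "port_mismatch": guess not in (None, app)}


# Constructed first-payload samples: (destination port, bytes).
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(32)),
    (443, b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-XX0001-" + bytes(12)),
    (80, b"SSH-2.0-example_client\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, verdict(port, data))
```

The second and third flows are the cases a port-only policy misses: the port says TLS or HTTP, while the payload identifies BitTorrent and SSH.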
Application Categories
The Application Control profile groups thousands of application signatures into categories such as Botnet, Game, P2P, Proxy, Social.Media, Video/Audio, Cloud.IT, and Collaboration. An administrator can set an action for an entire category or for an individual application signature, and can add filters by behavior, popularity, technology, or risk level.
Application Control Actions
- Allow — the application is permitted.
- Monitor — the application is allowed but logged, used to discover what is in use before enforcing.
- Block — the application's sessions are dropped.
- Quarantine — the source endpoint is blocked from the network for a configurable duration after the application is detected.
By default, unknown applications and unscanned traffic follow the profile-level options, which can be set to Allow or Block.
Traffic Shaping per Application
Application Control can attach a traffic shaper to an application or application category instead of blocking it outright. This enforces bandwidth policy — for example, allowing streaming video but limiting it to a guaranteed/maximum bandwidth so it does not starve business applications. Per-application traffic shaping is a frequent exam scenario: the requirement "allow the app but limit its bandwidth" points to a traffic shaper, not the Block action.
Application Control Capabilities Reference
| Capability | Description |
|---|---|
| Signature identification | Identifies applications by traffic pattern, independent of port or protocol |
| Categories | Botnet, Game, P2P, Proxy, Social.Media, Video/Audio, Cloud.IT, Collaboration, and more |
| Action: Allow | Application is permitted |
| Action: Monitor | Application allowed and logged — useful for discovery before enforcement |
| Action: Block | Application sessions are dropped |
| Action: Quarantine | Source endpoint blocked from the network for a set duration |
| Traffic shaping | Apply a bandwidth shaper to a specific app or category instead of blocking |
| Filters / overrides | Filter by category, behavior, popularity, technology, or risk; per-signature overrides |
| Deep inspection benefit | Full SSL inspection improves detection of encrypted applications |
Exam tip: The defining advantage of Application Control over a basic firewall policy is port independence — it detects applications even when they masquerade on port 80 or 443.
In a Web Filter profile, the FortiGuard category 'Streaming Media' is set to Block, but the administrator must allow one approved training-video site. What is the most direct way to do this?
Which statement best describes how FortiGate Application Control identifies applications?
An organization wants to permit a video-conferencing application but ensure it cannot consume more than a set amount of bandwidth. Which Application Control approach fits this requirement?