You can select one of four actions for how traffic will be treated as it attempts to reach a site in the list.
Block
Attempts to access any URLs matching the URL pattern are denied. The user will be presented with a replacement message.
Allow
Any attempt to access a URL that matches a URL pattern with an allow action is permitted. The traffic is passed to the remaining antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning.
Allow is the default action. If a URL does not appear in the URL list, it is permitted.
Monitor
Traffic to, and reply traffic from, sites matching a URL pattern with a monitor be allowed through in the same way as the “Allow” action. The difference with the Monitor action being that a log message will be generated each time a matching traffic session is established. The requests will also be subject to all other Security Profiles inspections that would normally be applied to the traffic.
Exempt
YouTube Education Filter Static URL Filter
HTTP 1.1 connections are persistent unless declared otherwise. This means the connections will remain in place until closed or the connection times out. When a client loads a web page, the client opens a connection to the web server. If the client follows a link to another page on the same site before the connection times out, the same connection is used to request and receive the page data.
When you add a URL pattern to a URL filter list and apply theExemptaction, traffic sent to and replies traffic from sites matching the URL pattern will bypass all antivirus proxy operations. The connection itself inherits the exemption. This means that all subsequent reuse of the existing connection will also bypass all antivirus proxy operations. When the connection times out, the exemption is cancelled.
For example, consider a URL filter list that includesexample.com/filesconfigured with the Exempt action. A user opens a web browser and downloads a file from the URLexample.com/sample.zip. This URL does not match the URL pattern so it is scanned for viruses. The user then downloads
example.com/files/beautiful.exeand since this URL does match the pattern, the connection itself inherits the exempt action. The user then downloadsexample.com/virus.zip. Although this URL does not match the exempt URL pattern, a previously visited URL did, and since the connection inherited the exempt action and was re-used to download a file, the file is not scanned.
If the user next goes to an entirely different server, likeexample.org/photos, the connection to the current server cannot be reused. A new connection to example.org is established. This connection is not exempt. Unless the user goes back to example.com before the connection to that server times out, the server will close the connection. If the user returns after the connection is closed, a new connection to example.com is created and it is not exempt until the user visits a URL that matches the URL pattern.
Web servers typically have short time-out periods. A browser will download multiple components of a web page as quickly as possible by opening multiple connections. A web page that includes three photos will load more quickly if the browser opens four connections to the server and downloads the page and the three photos at the same time. A short time-out period on the connections will close the connections faster, allowing the server to avoid unnecessarily allocating resources for a long period. The HTTP session time-out is set by the server and will vary with the server software, version, and configuration.
Using theExemptaction can have unintended consequences in certain circumstances. You have a web site at example.com and since you control the site, you trust the contents and configureexample.comas exempt. But example.com is hosted on a shared server with a dozen other different sites, each with a unique domain name. Because of the shared hosting, they also share the same IP address. If you visit example.com, your connection your site becomes exempt from any antivirus proxy operations. Visits to any of the 12 other sites on the same server will reuse the same connection and the data you receive is exempt from scanned.
Use of theExemptaction is not suitable for configuration in which connections through the FortiGate unit use an external proxy. For example, you use proxy.example.net for all outgoing web access. Also, as in the first
example, URL filter list that includes a URL pattern ofexample.com/filesconfigured with theExempt
action. Users are protected by the antivirus protection of the FortiGate unit until a user visits a URL that matches the ofexample.com/filesURL pattern. The pattern is configured with theExemptaction so the connection to the server inherits the exemption. With a proxy however, the connection is from the user to the proxy.
Therefore, the user is entirely unprotected until the connection times out, no matter what site he visits.
Ensure you are aware of the network topology involving any URLs to which you apply the Exempt action.
Status
The Web Site Filter has the option to either enable or disable individual web sites in the list. This allows for the temporary removal of the actions against a site so that it can be later reengaged without having to rewrite the configuration.
Static URL Filter YouTube Education Filter