Blocking Facebook with Web Filtering

Visual Representation of Blocking Facebook Recipe

This recipe explains how to use a static URL filter to block access to Facebook and its subdomains.

By using SSL inspection, you ensure that Facebook and its subdomains are also blocked when accessed through HTTPS.


Watch the video


Find this recipe for other FortiOS versions:
5.2 | 5.4 | 5.6

1. Enabling Web Filtering

Go to System > Feature Select to enable the Web Filter feature.

Enable Web filter feature

2. Editing the default Web Filter profile

Go to Security Profiles > Web Filter and edit the default Web Filter profile.

To block Facebook, go to Static URL filter, select URL Filter, and then click Create.

Static URL Filter Enabled

Set URL to * Set Type to Wildcard, set Action to Block, and set Status to Enable.

Facebook Wildcard Filter

3. Creating the Web filtering security policy

Go to Policy & Objects > IPv4 Policy, and click Create New. Give the policy a name that identifies its use.

Set Incoming Interface to the internal network and set Outgoing Interface to the Internet-facing interface.

Enable NAT.

Set Interface IPv4 Policy
Under Security Profiles, enable Web Filter and select the default web filter profile. Enable Web Filter
Enable SSL/SSH Inspection and select certificate-inspection from the dropdown menu. This allows the FortiGate to inspect and apply web filtering to HTTPS traffic. Enable SSL/SSH Inspection

The new policy has to be first on the list in order to be applied to Internet traffic. Confirm this by viewing policies By Sequence.

To move a policy up or down, click and drag the far-left column of the policy.

Move IPv4 policy to top of list

4. Results


HTTPS is automatically applied to, even if it is not entered in the address bar. A FortiGuard Web Page Blocked! message appears.

Results for blocking

Visit a subdomain of Facebook, for example,

A FortiGuard Web Page Blocked! message appears, blocking the subdomain.

Results for blocking subdomain of Facebook

For further reading, check out Static URL Filter in the FortiOS 5.4 Handbook.

Judith Haney

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Judith Haney

Latest posts by Judith Haney (see all)

  • Was this helpful?
  • Yes   No
  • PFX

    How can we allow only Facebook if we block social network category ? Using “Allow” in static URL doesn’t work, using “Exempt” works, but that means there will not be any other security check, like AV…
    Thanks for your help

    • Victoria Martin


      The best way to do that would be to change the local category for Facebook on your FortiGate.

      To do this, go to Security Profiles > Web Rating Overrides and create a new override for Facebook. You can then change Facebook to a different category – the best option is probably to move it into a custom category, which you then need to make sure is allowed by your web filter profile.

      • Brury

        any waiting time after setting/update webfilter to know it work or not ?

        • Victoria Martin

          When I’ve tested it, there hasn’t been a noticeable waiting time, but sessions that have already started may not have the new category applied.

  • Victoria Martin

    Hello Meer,

    You would need to test this but changing the URL in the web filter should allow you to target specific pages on Facebook without requiring the whole site to be blocked.


    Well I follow this steps not too far from the ones that appears in the video. I purchased a Fortigate 100e and the configuration screen is slightly different because I can not see the proxy settings and the certificate-ssl as well is not the same. S

    • Victoria Martin

      Hi Julio,

      There may be some differences in the GUI based on different FortiGate models. Also, I believe your FortiGate may be using Flow-based inspection, rather than proxy, which is why the proxy settings are not appearing. Even with these differences, however, the main steps in this recipe should be the same for the 100E.


        I follow all the steps. The why is not working is something in the configuration. I


        I am a Cisco guy and I worked Juniper Firewalls before, I will be calling for support. The firewall do not have two weeks since arrived. It has 3 year support. I will let fortinet support work with this.

  • Anthony Campos

    how do I block Facebook on selected devices only, hence allowing other devies to access FB?

  • Martín Fernández Tomasi

    Is possible to configure more than one policy with the same origin and destination? If yes, the policies are considered up to down until one matches?
    I’m trying with this configuration, but no one page in the blacklist is being blocked.

    • Victoria Martin

      Yes, it is possible, though in order for policies lower in the list to be matched, something would need to be different about the policies, such as user/device or protocols.

  • Rajan Shresth

    I am trying to enable facebook workplace without providing access to
    facebook, tired static url filtering along with SSL inspection but I am
    not able to access the facebook workplace is there another way to for
    accessing the facebook workplace site help ?

  • Vedran Opančar

    For facebook I have This site uses HTTP Strict Transport Security (HSTS) error. Help!
    Cant come to site is blocked screen.

    • Victoria Martin

      Hello Vedran,

      Are you using user authentication? HSTS can prevent the login screen from appearing, so if you are, you’ll need to navigate to a different website first in order to log in.

  • joko Purnomo


    is it posible to block Per Group Users ? im using FG 100 d


    • Victoria Martin

      Hi joko,

      Yes, this is possible. You will need to create more than one firewall policy in order to apply different web filters to different groups: for example, group A has a policy that uses web filtering to block Facebook, while the firewall policy for group B allows Facebook access.

  • Kamlesh Galande


    Is it possible to block only Video ,Chat and any post in FB .

    I am using FortiGate 200D where ,we need to allow to access FB but deny Video ,Chat and any post in FB .

  • Judith Haney

    Hello Lasse,
    We suspect that your issue has to do with how Chrome handles certificates. I would suggest making sure that traffic is going through the correct policy. If it isgoing through the correct policy, see if this recipe works with another browser. If it works with another browser, you will have to get a certificate for Chrome. For that, you may want to contact Fortinet Support. You can find nformation about working with support at

  • Victoria Martin

    Hi Anthony,

    Certificate inspection is not meant to be generating an SSL error, since when it is used, the FortiGate only inspects the header information of the packets. I would suggest making sure that traffic is going through the correct policy. If it is, then you may want to contact Fortinet Support. For information about working with support, that you can find at