Overriding a web filter profile


In this recipe, one user is temporarily allowed to override a web filter profile in order to access sites that would otherwise be blocked. Web filtering blocks the Bandwidth Consuming category for all users, except those who can override the filter.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling web filtering and multiple profiles

Go to System > Feature Select to enable Web Filter and Multiple Security Profiles.

Apply changes if necessary.

2. Creating a user group and two users

Go to User & Device > User Groups. Create a new group for users who can override web filtering (in this example, web-filter-override).  
Go to User & Device > User Definition to create two users (in this example, ckent and bwayne).



Assign ckent to the web-filter-override group, but not bwayne.

3. Creating a web filter profile and an override

Go to Security Profiles > Web Filter to create a new profile (block-bandwidth-consuming).

Enable FortiGuard category based filter, then right-click Bandwidth Consuming and select Block.

Enable Allow users to override blocked categories.

Set Groups that can override to web-filter-overrideProfile can switch to defaultSwitch applies to User Group, and Switch Duration to Ask.

4. Adding the new web filter profile to a security policy

Go to Policy & Objects > IPv4 Policy to edit the policy that allows connections from the internal network to the Internet.

Set Source all, bwayne, and web-filter-override.

Under Security Profiles, enable Web Filter and select the block-bandwidth-consuming profile.

5. Results

Browse to youtube.com, a website that is part of the Bandwidth Consuming category.

Authenticate using the bwayne account. The website is blocked.

Go to Monitor > Firewall User Monitor and De-authenticate bwayne.

Browse to youtube.com again, this time authenticating the ckent account. You can access the website until the override expires.

For further reading, check out the Web Filter chapter in the FortiOS 5.4 Handbook.

Cindy Chung

Cindy Chung

Technical Writer at Fortinet
Cindy Chung

Latest posts by Cindy Chung (see all)

  • Was this helpful?
  • Yes   No
  • Abdulaziz Alatar

    Hello Judith,
    1- I want ask you, if i need Fortiguard subscription for webfilter override profile with authentication group.
    2- How can use switch applies to ip whith this case ?
    Thanks you

    • Judith Haney

      Hello Abdulaziz, Thank you for the message. You do need an active FortiGuard subscription to use the webfilter profile as demonstrated in this recipe. Regarding your second question, can you provide more detail?

      • Abdulaziz Alatar

        Thank you very much.and i’m sorry for the delay in reply.
        In this recipe you enable webfilter override with user group . how can enable webfilter override with iP ?
        Only put ip in policy ??