Web filtering using quotas


This recipe demonstrates how to set up a web filter security profile with a quota that dynamically limits the amount of time users on an internal network can access websites categorized as “General Interest.”  

You can also apply quotas to specific users on your network by creating granular policies that apply different quotas to different user groups using specific firewall addresses or needing authentication.

See User and device authentication for information about creating user accounts.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Enabling web filtering

Go to System > Feature Select and confirm that Web Filter is ON. If necessary, click Apply to make your changes.

Feature select enable web filter 

2. Creating a web filter profile that uses quotas

Go to Security Profiles > Web Filter. Edit the default profile and enable FortiGuard category based filter.
Right-click on the category General Interest – Personal and select Monitor. Do the same for the category General Interest – Business.
These categories include a variety of sites that are commonly blocked in the workplace, such as games, instant messaging, and social media. For a complete description of each web filtering category, visit the FortiGuard Web Filtering page. 
Turn on FortiGuard categories and monitor general interest 
Under Category Usage Quota, select Create New.
Select both General Interest – Personal and General Interest – Business. For testing purposes, set the Quota to 5 Minutes.
Create five minute quota 
The web filter now displays all the General Interest sub-categories and the applied quota.  Sub-category list and quota applied

3. Adding web filtering to a security policy

Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, turn on Web Filter and use the default profile.

Note: If you are applying quotas to specific users or devices, edit Source Address to apply the policy only to them.

Edit the default Web Filter security policy 

4. Results

Browse to www.ebay.com, a website in the General Interest – Personal category.
Access to the website is allowed for 5 minutes, after which time  a “web page blocked” message appears. The message appears each time users affected by the security policy try to access General Interest sites until the quota is reset (every 24 hours at midnight).
FortiGuard web page blocked message

Go to FortiView > Threats and select the 5 minutes view. You can see the blocked traffic.

FortiView Threats results

For further reading, check out Blocking Social Media using FortiGuard Categories, Blocking Facebook with Web Filtering, and FortiGuard Web Filtering Service in the FortiOS 5.4 Handbook.

Judith Haney

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Judith Haney

Latest posts by Judith Haney (see all)

  • Was this helpful?
  • Yes   No
An active license for FortiGuard Web Filtering Services is required to use web filtering with quotas.