Overriding a web filter profile


In this example, one user is temporarily allowed to override a web filter profile to be able to access sites that would otherwise be blocked.

In this example, web filtering blocks the Bandwidth Consuming category for all users, except those who can override the filter.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling web filtering and multiple profiles

Go to System > Config > Features and make sure that Web Filter is turned ON.


Select Show More and enable Multiple Security Profiles.

Apply the changes.


2. Creating a user group and two users

Go to User & Device > User > User Groups. Create a new group for users who can override web filtering (in the example, web-filter-override).  
Go to User & Device > User > User Definition and create two users (in the example, ckent and bwayne).



 Assign ckent to the web-filter-override group, but not bwayne.  

3. Creating a web filter profile and override

Go to Security Profiles > Web Filter and create a new profile (in the example, block-bandwidth-consuming).

Enable FortiGuard Categories, then right-click Bandwidth Consuming and select Block.


Go to Security Profiles > Advanced > Web Profile Overrides and create a new override.

Set Scope Range to User GroupUser Group to the web-filter-override group, Original Profile to the block-bandwidth-consuming profile, and New Profile to the default profile.

Set an appropriate Expires time to control how long the override can be used (in the example, 100 hours after the override is created).


4. Adding the new web filter profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Set Source User(s) to allow both the web-filter-override group and user bwayne.

Under Security Profiles, turn on Web Filter and use the new profile.


5. Results

Browse to blip.tv, a website that is part of the Bandwidth Consuming category.

Authenticate using the bwayne account. The website is blocked.


Go to User & Device > Monitor > Firewall and De-authenticate bwayne.

Browse to blip.tv again, this time authenticating using the ckent account. You can access the website until the override expires.

For further reading, check out Web Filter in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)