Refer to exhibit.
An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?
To allow access to twitter.com while blocking other social networking sites, the Static URL Filter configuration for twitter.com should be set to 'Exempt'. This ensures that twitter.com will bypass all further security inspections including the FortiGuard Category Based Filter, which blocks social networking sites. By setting the Action to 'Exempt', the configured exemption specifically for twitter.com will allow access to this site while keeping other social networking sites blocked.
C. On the Static URL Filter configuration, set Action to Exempt. Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access twitter.com. To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration change: On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking sites will still be blocked.
When FortiGate performs a web filter check, it will first check the static URL filter list (if applied to the profile) and based on the action, will then perform the FortiGuard category check. 'Action' descriptions in Static URL see bellow: - 'Block' -> destination is blocked and session dropped, no further category check is needed. - 'Allow' -> destination is allowed from the static URL list, FortiGate proceeds with checking the category to decide further action. - 'Exempt' -> destination is exempted from further inspection and traffic is allowed.
Even that in the GUI static URL filter is configured as part of Web Filter profile in the background they are separate. FortiGate will apply the following order of inspection 1)Static URL -> 2) FortiGuard Category Filter -> 3)Advance Filter. When static URL filter is configured to allow FGT will move to next and check if url is allowed or blocked by FortiGuard categories. Exempt action on static url filter will tell FGT to exempt this url from other inspections, by passing FortiGuard categories.
FortiGate Security 7.2 Study Guide p.269
C. On the Static URL Filter configuration, set Action to Exempt. FortiGate Security 7.2 Study Guide (p.269): "Allow: Access is permitted. Traffic is passed to remaining operations, including FortiGuard web filter, web content filter, web script filters, and antivirus scanning. Exempt: Allows traffic from trusted sources to bypass all security inspections." Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
A. It will allow all social networking sites, it is not correct B. It does not help C. Exempt does allow traffic and not inspect it D. Monitor will allow traffic and log it as well "allow" config that is not working
I configured this WebFilter on a FGT on Labo and the answer is B. You need to configure to simple to match with: twitter.com. On the other way, URL filter is evaluated before the Category Filter, so when matches it will pass.
Answer is B since URL filter is checked before category filter. you have to just change to simple
C: (if its not exempt it will still be blocked in a latter filter) Http inspection order >> URL >> static url filter (block/allow/exempt) -> Fortigate category filter (allow block) advanced filters (block/allow) >> displays page
Correct answer is C: Exempt: when set to exempt, the FortiGate allow the traffic and exempt URL from all further inspection (including FortiGuard catergories which would then block the traffic)
why is everyone choosing C, when the url is not a wildcard. This is a simple entry in the url filter, so change the type to simple. Moreover, static url entry is first checked before others. Also, exempt only means to completely trust the trafficand not pass it through other security check, but here it is still blocked by a webfilter. Meaning something is wrong with the filter definition.
no Bro it's definitely a wildcard. So i can confirm you the correct answer is C
As you mentioned static URL filter is applied first, before category filter. Static URL filter has three actions - allow, block and exempt: - If block page is block without checking categories - if allow, page is send for inspection by category filter - if exempt, page is bypassing category filter and displayed to the user.
Correct C
C is correct
B is the answer, Simple - Allow. This rule will be hit before the Content Filter
C, but set Action to Exempt.
C. On the Static URL Filter configuration, set Action to Exempt. Most Voted
C is the correct one