• Matt Sherif

Testing web filtering without getting filtered out of a job

Here’s a scenario we’ve all dealt with/will deal with in the near future:


I need you to deny access to X web categories

- K THNX BYE Mgmt





Checking content filtering policies can be a dangerous sea to navigate


So you go through the trouble of building out a web filtering policy on your FortiGate, and heck you even make sure you’re doing deep SSL inspection. Now comes the tricky part, how do you test this safely without landing in hot water if the configuration is off?


The old school way we used to do this was have a dedicated workstation in the server room, or somewhere private, that way if the filtering failed or I ordered my security policies wrong, I wouldn’t get caught testing specific categories. In some customer demos, I’ve gone as far as trying to find marginally safe sites, without displaying something so completely unprofessional you are asked to end the demonstration immediately.


FortiGate owners do not need to worry any longer as FortiGuard labs, Fortinet’s research arm, has created a set of safe pages you can use to verify your web filtering policies are blocking as they should.


When you browse to the FortiGuard Labs Web Filter Categories site you will see all the categories listed, you can choose to test using standard HTTP Web filtering, Full SSL Inspection, or SSL Certificate inspection - depending on how your SSL Inspection policy is set.

Choose the appropriate test depending on how your SSL/SSH Inspection is configured

Simply click on the appropriate test for the category to test against, and wait for the result. In the example below I clicked on 'Full SSL Inspection' for the category of Sports Hunting and War Games.



We regret to inform you management has deemed this inappropriate for work.

And that's really all there is to it, FortiGuard Labs makes it easy for your IT staff to verify applied policy configurations, and for management/leadership teams to demonstrate compliance without being asked to leave.