Fortigate Web Filtering FAQ for Teachers, Administration, and Employees

Owned by Former user (Deleted)
Last updated: Sep 07, 2017 by Jamie Jarvi
6 min read

Q. What is the "Fortigate"?

A. The Fortigate is the Unified Threat Management firewall manufactured by Fortinet. The Fortigate sits in front of all the internet traffic for all of the school districts and organizations we serve and does the network security - from web filtering, virus and malware filtering to more advanced protection features such as IDS, IPS, NAT, packet inspection, and other security features, all in one appliance.  

Fortigate filtering has both a people and software component: an automated system does the initial "spidering" that probes sites all over the Internet. It does the initial classification, which is then human reviewed and classified into specific categories.  

Sites are classified both by their DNS name (ie. www.google.com) and by their IP addresses, so sometimes when websites share a server, it can become quite complicated (more about this in the next FAQ). All the reviews sent in by Fortinet customers are human reviewed.  

Q. How are websites filtered in the Fortigate?

A. When websites are first viewed through the Fortigate, it will categorize the page based on existing filters set in place by your school's administration. Obvious controversial website categories, such as pornography and spam, are blocked. Some categories may or may not be blocked, as each district has local flexibility, such as streaming video for websites such as YouTube and Google Video, and controversial topics (alcohol, weapons, violence, etc). The categories in place are based upon what the administration has deemed acceptable for your district and access privileges to sites may be modified for teachers and students separately. You can find the complete list of Groups and Categories used by the Fortigate here.  

When a website has been found to be in a category blocked by your district or organization, it could be because of it being filtered in one of two ways on the Fortigate: by Web Address(URL) and by IP address.  

The first method Fortigate uses to filter pages is by their web address or DNS name, such as www.google.com. This allows a great amount of flexibility, giving us the ability to allow legitimate/allowed portions of a website through: for example, allowing web searches on Google(allow www.google.com) but blocking access to Image Search(block images.google.com) and Google Video(block video.google.com). Because those three different areas of google have separate URL's, we can block/allow each one individually to tailor filtering to district/organizational needs.  

It also does advanced filtering by IP address, where Fortigate will block addresses known to pump out spam and host attack sites among others. If a specific address was known to have been compromised, or if a student is mirroring restricted content from his home high-speed internet connection (possibly with just an IP address and no DNS name), we can block the traffic without needing a URL or web address. This style of blocking is more of a specific "surgical" method compared to URL blocking, which can blanket multiple IP addresses, however many websites can also be hosted on a single web server, so that if one has objectionable content, all could be blocked until the IP block is corrected (for instance, most of our school district websites are on a single server IP).  

Q. When REMC is "reviewing" a site, who makes the call on whether a site should be blocked or not? What role does REMC play in this part of the process?

A. REMC can be considered a sort of "central broker" for web filtering. Because it's one system that serves 25 separate districts and organizations, all of the filtering requests comes here rather than having filtering requests for each district that redirect to many places. Each district chooses which categories they want blocked, and any particular exceptions (things like: block streaming media, but allow YouTube, or block games, but allow educational games).  

When a request comes in to us, we try to address it quickly if we can in-house (for example: yes, it meets the intent of the district as we understand it, or no, it's a request to access something that the district has clearly blocked, or yes, it's misclassified and shouldn't be blocked under whatever category it currently is listed as). If we aren't certain, then it either goes back to the teacher for clarification, or to the district administration for their approval. If it's a misclassified site, then it goes to Fortiguard for them to correct in the database.  

Q. The protocol for blocking sites does not seem to be very clear. There are many cases where sites are blocked and no one seems to know who made the decision to block it. 

A. We understand it can be confusing because of the numerous ways that Fortigate tries to filter and block. It's a dynamic system, so there have been times when it's been wrong and done things like suddenly decided 'google.com' is in the category 'pornography', which further confuses things when things are open one day, closed the next, etc. It's not necessarily a decision to block a site, but generally, the decision to block a particular category, and now the site in question suddenly falls into that category.  

Due to the dynamic nature of the internet, a lot of problems arise when a change is made on a website that was not part of Fortiguard's initial survey of the site. Usually, it's a change in IP of the website's server, or of the category it's being rated as, whether that's correct or not. Such incorrect classifications are sent to Fortiguard for review and correction, which generally happens in less than 24 hours.  

Q. I went to a web page and the Fortigate said it was blocked due to it being "Unrated." What does this mean?

A.When a website is blocked due to it being unrated, it means that the website did not fit into predefined categories of web pages that are on the Fortigate and was hence blocked as a safety precaution with a feature called 'strict blocking'. There are over 80,000 new pornographic websites created each month, so in order to provide the safest environment, unknown websites are generally blocked until they are classified, rather than let unclassified inappropriate sites be viewed. Clicking the 'submit to Fortigate' link will send them the information and get the sites you want to use reviewed and classified quickly. This will ensure your access quicker than just waiting for Fortigate to find the site and classify it on their own, due to the sheer number of websites on the internet: A February 2009 survey of the internet found 215,675,903 websites active with URL's, while as of December 2009 Fortiguard had classified 54,300,591 of them.  

Q. Why are unrated sites blocked? 

A. Depending on who's stats you look at and when, there are 300-600M active websites in the world, and are growing 20-30M per month.  

We use Fortigate for filtering because we don't have time to classify those 8 new websites every second. Fortigate has a large international database of classified sites (over 47M sites), but not all local sites have been reviewed and classified, so ones that have not fall into the 'unrated' category, just like the 50,000 new porn sites created every month.By filling out the unrated form one time, Fortigate reviews and classifies any site you'd like to visit within a few hours, and then they are properly classified forever after, for all Fortigate users worldwide. Usually, the Fortigate is not incorrectly identifying sites, it's just that because they are small and local vs national/international, they aren't in the system - yet. It's faster and better to get it classified than to use an override, and then you never have to for that site again, and neither do any other teachers or students.  

Q. When I submit a website to REMC for unblocking what happens? 

A. If you are submitting a website that is unrated, we are going to submit the site for classification by using the short form at: http://url.fortinet.net/rate/submit.php (which is also linked on the block page). You can also submit the page for classification as well. Remember districts block by category not by website - so getting the website classified in the right category will allow the website to be viewed.  

If the website is classified in the right category but you still would like access, we are going to be looking to the administrators in the district for approval.  

Q. I have a legitimate website that is currently blocked that I would like unblocked. How do I do this? 

A. Please view our separate wiki entry on requesting unblocks or overriding the Fortigate located here.