“In FortiOS, there are three main components of web filtering:

• Web content filtering...

• URL filtering: uses URLs and URL patterns to block or exempt web pages from specific sources ...

• FortiGuard Web Filtering service...”

“In the web filter profile, Fortiguard category filtering enhances the web filter features. Rather than block or allow websites individually, it looks at the category that a website has been rated with. Then, FortiGate takes action based on that category, not based on the URL.”

“If you consider that a particular URL does not have the correct category, you can ask to re-evaluate the rating in the Fortinet URL Rating Submission website. You can also override a web rating for an exceptional URL in the FortiGate configuration. ”

“Static URL filtering is another web filter feature, which provides more granularity. Configured URLs in the URL filter are checked from top to bottom against the visited websites. If FortiGate finds a match, it applies the configured action.”

“To find the exact match, URL filtering has three pattern types: Simple, Regular Expressions, and Wildcard .”

“So, with these different features, what is the inspection order? If you have enabled many of them, the inspection order flows as follows:

The local static URL filter

FortiGuard category filtering...”

Technical Deep Dive:

The correct answers are A and B .

A is correct because a static URL filter gives per-URL granularity. Since the category Freeware and Software Downloads is currently allowed in the profile, adding a local static URL filter entry for download.com with Block lets FortiGate deny only that site while continuing to allow the rest of the category. This also aligns with the documented inspection order, where the local static URL filter is checked before FortiGuard category filtering .

B is also correct because a web rating override can reclassify a specific exceptional URL. If download.com is re-rated into a blocked category such as Malicious Websites , it will be blocked by the profile while other sites in Freeware and Software Downloads remain allowed.

Why the others are wrong:

C is not the intended web-filter solution. A firewall policy with an FQDN object operates at policy/routing resolution level, not as a category-aware web filtering exception.

D is wrong because changing the whole category to Warning affects all sites in that category, not just download.com.

In production, the cleaner design is usually: keep the category allowed, then add a local URL-filter exception or a web-rating override for the specific site . For HTTPS traffic, remember FortiGate still needs enough SSL inspection visibility to identify the hostname correctly. A representative CLI approach for URL filtering is:

config webfilter urlfilter

edit 1

config entries

edit 1

set url " download.com "

set type wildcard

set action block

next

end

next

end

This is the most deterministic way to block one site without penalizing the rest of the category.