Rathan_FTNT
Staff
May 23, 2022

Technical Tip: Category Filtering missing under Web Filter security profile when in NGFW policy-based mode


 

Description

This article describes a known behavior where the FortiGuard Category-Based Filter option is missing from the Web Filter profile while the FortiGate is in NGFW policy-based mode.

Scope

FortiGate, NGFW policy-based mode, Web Filter

Solution

When attempting to configure a Web Filter profile on the FortiGate, administrators may find that the FortiGuard Category-Based Filter section is not available to be configured:

 

NGFW_WebFilter_GUI.png

 

This is expected behavior if the FortiGate/VDOM is operating in NGFW policy-based mode: in that mode, URL category filtering is moved out of the Web Filter profile and is instead configured directly in the Security Policy section. For more information on URL category filtering and Web Filter profiles in NGFW policy-based mode, refer to the following KB articles:

Technical Tip: How to block URL Category and Application in NGFW policy-based mode

Technical Tip: Web filter profiles in NGFW policy mode

 

To determine if the FortiGate/VDOM is operating in NGFW mode, check the following locations:

  • For non-VDOM FortiGates, navigate to System -> Settings in the GUI and check the NGFW Mode option:

 

NGFW_Mode_Setting_GUI.png

 

  • For VDOM-enabled FortiGates, go to the Global VDOM and then navigate to System -> VDOM. Check each VDOM's setting under the NGFW mode column:

 

NGFW_VDOM_GUI.png

 

  • To check via the CLI, check for the ngfw-mode option under config system settings (for VDOM-enabled FortiGates, this would be done within the non-Global VDOMs). Alternatively, use the get command for a similar output:

 

FortiGate (NGFW) # show full-configuration system settings | grep ngfw-mode

set ngfw-mode policy-based

 

FortiGate (NGFW) # get system settings | grep ngfw-mode
ngfw-mode : policy-based
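
When auditing saved configuration backups instead of a live CLI session, the same ngfw-mode check can be scripted per VDOM. The Python below is an added example, not Fortinet's code or part of the original article. The function name ngfw_modes, the sample backup text and its multi-VDOM layout are assumptions, and a backup with no ngfw-mode line is treated as profile-based.

```python
import re

DEFAULT_MODE = "profile-based"  # assumed when a backup has no ngfw-mode line
# Constructed sample; the multi-VDOM backup layout shown here is an assumption.
SAMPLE_BACKUP = '''\
config vdom
edit root
config system settings
    set comments "text mentioning
set ngfw-mode policy-based"
end
end
config vdom
edit NGFW
config system settings
    set ngfw-mode policy-based
end
end
'''

def ngfw_modes(config_text):
    """Map each VDOM name to its ngfw-mode ('root' for a non-VDOM backup)."""
    modes, stack, in_string = {}, [], False
    for raw in config_text.splitlines():
        odd_quotes = len(re.findall(r'(?<!\\)"', raw)) % 2 == 1
        if in_string:  # continuation of a multi-line quoted value: skip it
            in_string = not odd_quotes
            continue
        in_string = odd_quotes
        line = raw.strip()
        in_vdom = len(stack) >= 2 and stack[0] == ("config", "vdom")
        vdom = stack[1][1] if in_vdom else "root"
        if line.startswith(("config ", "edit ")):
            kind, name = line.split(None, 1)
            stack.append((kind, name.strip('"')))
            if stack[-1] == ("config", "system settings"):
                modes.setdefault(vdom, DEFAULT_MODE)
        elif line == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif line == "end":  # closes the nearest config and any open edit above it
            while stack and stack.pop()[0] != "config":
                pass
        elif stack and stack[-1] == ("config", "system settings"):
            match = re.fullmatch(r"set ngfw-mode (\S+)", line)
            if match:
                modes[vdom] = match.group(1)
    return modes

if __name__ == "__main__":
    print(ngfw_modes(SAMPLE_BACKUP))
```

Only a set ngfw-mode line directly inside config system settings is counted, so the same text inside a multi-line comment value (as in the sample's root VDOM) does not produce a false policy-based result.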

 

Note:

Changing the NGFW mode back from policy-based to profile-based will move FortiGuard Category-Based filtering back into the Web Filter profile, but it will also remove all existing policies (SSL Inspection & Authentication Policy, Security Policy, Central SNAT), so think carefully before changing an existing FortiGate/VDOM from one NGFW mode to another.

 

NGFW_Mode_Setting_Change_GUI.png

 

If the mode is changed back to NGFW profile-based mode, FortiGuard Category-Based Filtering will become available in the Web Filter profile:

Rathan_FTNT_3-1653313039267.png

 

Related Documents:

Technical Tip: NGFW policy-based mode Resource List

Technical Tip: Profile-based policies vs Policy-based policies