Technical Tip: FortiGate blocking traffic after integration with FortiManager.
Description
In the web filter logs under Log & Report, the following message will show:
Solution
Caveats.
- Do not assign a Provisioning Template to the managed FortiGate.
- Enable 'FortiGuard Security Updates' in the System Template (Provisioning Template) prior to assigning it to the FortiGate.
When this setting is disabled on the Provisioning Template, the following configuration is pushed to the FortiGate:
# config system fortiguard
set antispam-force-off enable
set avquery-force-off enable
set webfilter-force-off enable
end
As a result, any traffic that requires an FDS query to FortiGuard in order to retrieve its category will be blocked.

# config system fortiguard
set webfilter-force-off disable <-----
set avquery-force-off disable
end
Verification.
# diagnose debug rating
Locale : english
Service : Web-filter
Status : Disable <-----
Service : Antispam
Status : Disable
Error.

When applying the 'default' Provisioning Template, the following settings are applied to the FortiGate:
# config system ntp
unset ntpsync
unset syncinterval
end
# config log fortianalyzer setting
unset status
unset server
unset enc-algorithm
unset upload-option
end
# config system dns
unset primary
unset secondary
end
# config system global
unset admintimeout
end
# config system fortiguard
set antispam-force-off enable
set avquery-force-off enable
set webfilter-force-off enable
end
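
To audit a saved configuration or a pasted CLI session for the settings shown above, a small parser can report which FortiGuard services are forced off. This is an added example, not Fortinet code: the function name forced_off_services and the sample text (constructed from the blocks in this article) are assumptions.

```python
import re

# Matches e.g. "set webfilter-force-off enable" and captures service and value.
FORCE_OFF = re.compile(r"^set\s+(\w+)-force-off\s+(enable|disable)\b")

def forced_off_services(config_text):
    """Return the sorted FortiGuard services whose '<service>-force-off' is
    'enable' inside 'config system fortiguard'. A later 'set' overrides an
    earlier one, as it would on the device."""
    path = []    # stack of currently open 'config' blocks
    state = {}   # service name -> last value seen
    for raw in config_text.splitlines():
        line = re.sub(r"^#\s*", "", raw.strip())   # drop the '# ' CLI prompt
        line = line.split("<--")[0].strip()        # drop '<-----' annotations
        if line.startswith("config "):
            path.append(line[len("config "):].strip())
        elif line == "end":
            if path:
                path.pop()
        elif path == ["system fortiguard"]:
            m = FORCE_OFF.match(line)
            if m:
                state[m.group(1)] = m.group(2)
    return sorted(s for s, v in state.items() if v == "enable")

# Constructed sample: settings pushed when 'FortiGuard Security Updates'
# is disabled in the Provisioning Template.
PUSHED = """\
# config system dns
unset primary
unset secondary
end
# config system fortiguard
set antispam-force-off enable
set avquery-force-off enable
set webfilter-force-off enable
end
"""

# Constructed sample: the two settings re-enabled afterwards.
CORRECTED = """\
# config system fortiguard
set webfilter-force-off disable <-----
set avquery-force-off disable
end
"""

if __name__ == "__main__":
    print("Forced off after template push:", forced_off_services(PUSHED))
    print("Forced off after correction:   ", forced_off_services(PUSHED + CORRECTED))
```

Any service still listed after the correction has not been re-enabled and will keep failing FortiGuard lookups.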
