Technical Tip: URL blocked by Web Filter because of different rating of URL and IP address

This is expected behavior when the Web Filter Profile option 'Rate URLs by domain and IP Address' is selected.

config webfilter profile

    edit <webfilter name>

        config ftgd-wf

            set options rate-server-ip

        end

    next

end

When using this option, a rating for the IP address is retrieved from FortiGuard and compared to the domain rating. The category with the higher weight takes precedence. This can cause unexpected ratings under some common scenarios:

• The given website is hosted using the same IP address as other domains (e.g., virtual hosting).
• A website changes hosts, and the IP address changes along with it.
• The website is hosted on a Content Delivery Network, such as Akamai or Cloudflare.

In this example, URL 'pradhaanair.aero' is under the 'Business' category. However, it is blocked by the web filter since the IP it resolves to is tagged as malicious.   

See the FortiOS Administration Guide: Rating Options.

FortiGate TAC recommends disabling rating by server IP address. Instead, it is recommended to rate by domain only. To verify that the server matches the domain the client is trying to access, server SNI check can be enabled in the 'Configuring an SSL/SSH inspection profile'.

To disable the 'Rate URLs by domain and IP address' option:

For a more stringent security posture, consider configuring SSL/TLS deep inspection for traffic sent by managed endpoints. Deep Inspection is not appropriate for 'Bring Your Own Device' networks since it requires installing the FortiGate's SSL inspection Certificate Authority on the device as a Trusted Root CA.