Solution | In this web filter profile’s static URL filter, the highlighted FQDN contains a whitespace character.
 
Because of this whitespace, requests to websites that are not in the static URL filter, including legitimate and safe websites, match this specific entry. Since this entry’s action is Block, access to those websites is blocked.
For example, yahoo.com and cnn.com are not in this static URL filter, but they are still blocked.


The Web Filter event logs show that requests to yahoo.com and cnn.com match the same URL Filter Index entry.


In this case, the matched URL Filter Index entry is ID 48. To look it up, check the configuration of the relevant web filter profile in the CLI and note the urlfilter-table ID:

In this case, the urlfilter-table ID, also known as the static URL filter table ID, is 15. Then look up the following in the CLI:
Scroll down until the FQDN entry containing the whitespace appears. In this case, it is ID 48, as seen in the web filter event logs:
Note: In this case, the whitespace in this specific static URL filter entry makes it behave like an implicit deny: access to any website that is not in the static URL filter list matches this entry and is denied.
If the action of this entry is changed to Exempt or Allowed, the entry behaves like an implicit allow instead: access to websites outside of the static URL filter list matches this URL Filter Index and is allowed. FQDNs configured in the Static URL Filter entries still match their respective URL Filter Index with their respective actions.
FortiSASE is affected by this as it uses proxy-based policies by default. |
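
An added example, not part of the original article or any Fortinet tooling: a Python check that scans a saved configuration for static URL filter entries whose URL contains whitespace and reports the table ID, entry ID and action. The sample configuration is constructed (IDs 15 and 48 follow the article; the hostnames and the position of the whitespace are assumptions), and the parser assumes the usual `config webfilter urlfilter` / `config entries` layout.

```python
import re

# Constructed sample; only the table ID (15) and entry ID (48) come from the article.
SAMPLE_CONFIG = '''
config webfilter urlfilter
    edit 15
        set name "static-url-filter"
        config entries
            edit 47
                set url "blocked.example.com"
                set type simple
                set action block
            next
            edit 48
                set url "blocked.example.net "
                set action block
            next
        end
    next
end
'''

def find_whitespace_entries(config_text):
    """Return (table_id, entry_id, url, action) for every url holding whitespace."""
    findings, level, table_id, entry = [], 0, None, None
    for raw in config_text.splitlines():
        line = raw.strip()  # quoted url values keep their inner whitespace
        if line == "config webfilter urlfilter":
            level = 1                      # inside the urlfilter tables
        elif level == 1 and line == "config entries":
            level = 2                      # inside one table's entry list
        elif level and line == "end":
            level -= 1
        elif level and (m := re.fullmatch(r"edit (\d+)", line)):
            if level == 1:
                table_id = int(m.group(1))
            else:
                entry = {"id": int(m.group(1)), "url": "", "action": None}
        elif level == 2 and entry is not None:
            if m := re.fullmatch(r'set url "(.*)"', line):
                entry["url"] = m.group(1)
            elif m := re.fullmatch(r"set action (\S+)", line):
                entry["action"] = m.group(1)
            elif line == "next":           # entry complete: test it
                if re.search(r"\s", entry["url"]):
                    findings.append((table_id, entry["id"], entry["url"], entry["action"]))
                entry = None
    return findings

if __name__ == "__main__":
    for table, idx, url, action in find_whitespace_entries(SAMPLE_CONFIG):
        print(f"urlfilter table {table}, entry {idx}: url={url!r} action={action}")
```

An action of `None` in the output means the entry had no explicit `set action` line in the text that was scanned.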