Troubleshooting Tip: Resolve issue 'web filter block override' and 'invalid FortiGuard filtering override request'
This article describes how to resolve the issues with 'web filter block override' and 'invalid FortiGuard filtering override request'.
Scope
FortiGate.
Solution
Configure the FortiGate to use local/custom categories and/or to use FortiGuard categories.
The FortiGate uses some ports to communicate with FortiGuard to validate/verify each category.
Sometimes, the Internet browser shows a message like this:

The message 'Web filter block override' / 'invalid FortiGuard filtering override request' is shown because the website is using a port that the FortiGate has configured to connect with FortiGuard only for 'web rating override'.
These ports are as follows:
- Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
- Port 8010 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
- Port 8015 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs in flow mode (FortiGuard web filter HTTPS override authentication).
- Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.
The ports used can be found with the command:
get webfilter fortiguard | grep 'ovrd\|close'
These ports are not shown in the Local In policy, in either the FortiGate GUI or the CLI. They can be seen in the TCP socket list:
diagnose sys tcpsock | grep '8008\|8010\|8015\|8020'

The solution, in these cases, is to disable these ports or to change the ports.
Configure at least one port not used by the FortiGate (example: change 8008 to 9008, or 8010 to 9010, or 8020 to 9020).
Example to disable the ports:
config webfilter fortiguard
set close-ports enable
end
Note: When close-ports is enabled:
- The FortiGuard web filter 'Warning' and 'Authenticate' actions will not work in proxy and flow inspection mode.
- The 'Allow users to override blocked categories' option will not work.
- The replacement message will not display the Fortinet logo.
FortiGuard and Local URL Filter blocking will not be affected.
Example to change the ports:
config webfilter fortiguard
set ovrd-auth-port-http 8008
set ovrd-auth-port-https 8010
set ovrd-auth-port-https-flow 8015
set ovrd-auth-port-warning 8020
end
Change to:
config webfilter fortiguard
set ovrd-auth-port-http 9008
set ovrd-auth-port-https 9010
set ovrd-auth-port-https-flow 9015
set ovrd-auth-port-warning 9020
end
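The check and port change described above can be scripted against saved CLI output. The following is an added example, not part of the original article or Fortinet tooling. It assumes 'get webfilter fortiguard' prints 'key : value' lines, uses a constructed sample, and uses hypothetical helper names. It moves only the conflicting ports, by the same +1000 offset as the example above.

```python
import re

# Settings named in this article; their values are read from the CLI output.
PORT_KEYS = ("ovrd-auth-port-http", "ovrd-auth-port-https",
             "ovrd-auth-port-https-flow", "ovrd-auth-port-warning")

# Constructed sample of 'get webfilter fortiguard' output (format is an assumption).
SAMPLE_OUTPUT = """\
ovrd-auth-port-http : 8008
ovrd-auth-port-https: 8010
ovrd-auth-port-https-flow: 8015
ovrd-auth-port-warning: 8020
close-ports         : disable
"""

def parse_settings(text):
    """Return {setting: value} from 'key : value' lines, ignoring anything else."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(\S+)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def find_conflicts(settings, service_ports):
    """Return override settings whose port is also used by a website users reach."""
    if settings.get("close-ports") == "enable":
        return {}  # override ports are closed, so nothing can collide
    return {k: int(settings[k]) for k in PORT_KEYS
            if settings.get(k, "").isdigit() and int(settings[k]) in service_ports}

def propose_config(settings, service_ports, offset=1000):
    """Build a 'config webfilter fortiguard' block that moves only conflicting ports."""
    conflicts = find_conflicts(settings, service_ports)
    if not conflicts:
        return ""
    taken = set(service_ports) | {int(settings[k]) for k in PORT_KEYS
                                  if settings.get(k, "").isdigit()}
    lines = ["config webfilter fortiguard"]
    for key, port in conflicts.items():
        new = port + offset
        while new in taken:  # skip candidates that are already in use
            new += 1
        if new > 65535:
            raise ValueError(f"no free port found for {key}")
        taken.add(new)
        lines.append(f"set {key} {new}")
    lines.append("end")
    return "\n".join(lines)
```

Pass the set of destination ports used by the websites that trigger the message as service_ports. An empty result means no override port needs to change.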
Related articles
Technical Tip: How to create local custom override categories in FortiOS.
Technical Tip: How to disable TCP ports 8008, 8010, 8015, and 8020 on VIP.
