Troubleshooting Tip: Verify the webfilter cache content
Description
This article describes how to collect the web filter cache URLs, URL category rating, and cache TTL for a specific entry. By default, the web filter cache is checked before the rating request is sent to the FortiGuard server.
Scope
FortiGate.
Solution
- Use the following command to dump the web filter cache entries on the FortiGate.
Caution:
This command is for diagnostic purposes only. The larger the configured cache size, the greater the performance impact of the command.
diagnose webfilter fortiguard cache dump
The output lists each cached URL and its rating information. If the web filter profile processing the lookup has 'Rate URLs by domain and IP Address' enabled, both the domain and an IP address may be displayed.
Cache Contents:
-=-=-=-=-=-=-=-
Cache Mode: TTL
Cache DB Ver: 24.61583
Rating DB Ver T URL
00000000|00000000 24.61582 P Dhttps://40.74.108.123/
34000000|34000000 24.61582 E Dhttps://settings-win.data.microsoft.com/
00000000|00000000 24.61581 P Dhttps://172.217.161.10/
34000000|34000000 24.61581 P Dhttps://safebrowsing.googleapis.com/
In the above example, the domain of the URL 'settings-win.data.microsoft.com' is in category 0x34, while the IP address 40.74.108.123 is in category 0x0.
- Converting the hexadecimal value 0x34 to decimal gives category 52 <----- Information Technology.
- The hexadecimal value 0x0 is equivalent to decimal 00 <----- Unrated.
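The hexadecimal-to-category conversion described above, applied to a whole saved dump. This is an added example, not Fortinet code. It assumes that the first byte of the rating field is the category ID (as in the article's 0x34 example) and that the letter before 'https://' is a flag to strip. The names parse_cache_dump and CATEGORY_NAMES are hypothetical.

```python
import re

# Constructed sample: the cache dump lines shown in the article.
SAMPLE_DUMP = """\
Cache Mode: TTL
Cache DB Ver: 24.61583
Rating DB Ver T URL
00000000|00000000 24.61582 P Dhttps://40.74.108.123/
34000000|34000000 24.61582 E Dhttps://settings-win.data.microsoft.com/
00000000|00000000 24.61581 P Dhttps://172.217.161.10/
34000000|34000000 24.61581 P Dhttps://safebrowsing.googleapis.com/
"""

# Only the two categories the article names; fill the rest in from
# 'get webfilter categories' on the device.
CATEGORY_NAMES = {0: "Unrated", 52: "Information Technology"}

ENTRY_RE = re.compile(
    r"^(?P<rating>[0-9A-Fa-f]{8})\|[0-9A-Fa-f]{8}\s+"
    r"(?P<db_ver>\S+)\s+(?P<type>\S)\s+(?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_cache_dump(text):
    """Return one dict per cache entry; header and banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        raw = m["url"]
        # Assumption: anything before the scheme (the 'D' in 'Dhttps://') is a flag.
        start = max(raw.find("http"), 0)
        url = raw[start:]
        host = url.split("://", 1)[-1].split("/", 1)[0]
        # Assumption taken from the article's example: the first byte of the
        # rating field is the category ID (34000000 -> 0x34 -> 52).
        category = int(m["rating"][:2], 16)
        entries.append({
            "url": url, "host": host, "is_ip": bool(IPV4_RE.match(host)),
            "db_ver": m["db_ver"], "type": m["type"], "category": category,
            "name": CATEGORY_NAMES.get(category, "unknown (see device list)"),
        })
    return entries

if __name__ == "__main__":
    for e in parse_cache_dump(SAMPLE_DUMP):
        kind = "ip" if e["is_ip"] else "domain"
        print(f'{e["category"]:>3} {e["name"]:<24} {kind:<6} {e["url"]}')
```

Separating IP entries from domain entries makes it easier to spot cases where an unrated IP address sits next to a rated domain.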
If the web filter profile has 'Rate URLs by domain and IP Address' enabled and the IP address and domain have different category results, the hardcoded weights of the categories are compared to determine the final category verdict. In most cases, it is recommended to disable 'Rate URLs by domain and IP Address'. See the KB article 'Technical Tip: URL blocked by Web Filter because of different rating of URL and IP address'.
To filter the output of 'diagnose webfilter fortiguard cache dump', follow the syntax below and press 'Y' to display the output:
diagnose webfilter fortiguard cache dump | grep -i microsoft -B 1
00000000|00000000 24.61582 P Dhttps://40.74.108.123/
34000000|34000000 24.61582 E Dhttps://settings-win.data.microsoft.com/
- To know the TTL of the URL entry in the cache, use the following command:
diagnose webfilter fortiguard cache ttl
TTL List Contents:
-=-=-=-=-=-=-=-=-=-
Cache TTL: 300 <----- By default, the Cache TTL will be 3600.
TTL URL
234 Dhttps://settings-win.data.microsoft.com/
234 Dhttps://20.44.239.154/
- To know the category ID in the FortiGate, use the following command:
get webfilter categories
- To clear the web filter cache, use the following command:
diagnose test application urlfilter 2
Alternatively, rebooting the FortiGate will also clear the web filter cache.
- To configure webfilter cache TTL:
config system fortiguard
set webfilter-cache enable
set webfilter-cache-ttl <300-86400> <----- Range is 300 to 86400 (default = 3600).
end
