Technical Tip: How FortiProxy uses webfilter available servers
| Description | This article explains how FortiProxy uses the available webfilter servers when the Web Filter feature is in use. |
| Scope | FortiProxy. |
Solution

As is the case with FortiOS, FortiProxy also provides the Web Filter feature. It allows web filter profiles (a type of security profile) to be configured and applied to a policy in order to allow or block specific URLs or websites.

Once this feature is configured, FortiProxy relies on FortiGuard webfilter servers: FortiProxy sends rating requests to those servers. To improve performance and reduce the number of rating requests, there is also a webfilter cache.

Which webfilter servers are selected depends on how the FortiGuard settings are configured. By default, FortiGuard's Anycast network is enabled in FortiProxy 7.2/7.4/7.6 and 'fortiguard-anycast-source' is set to 'fortinet':

```
config system fortiguard
    set fortiguard-anycast [enable (default)|disable]
    set fortiguard-anycast-source [fortinet (default)|aws|...]
end
```

This means that the selected webfilter servers are Fortinet's servers that use anycast IP addresses (with anycast addressing, a message sent to the shared address is forwarded to a single device out of a specific group of devices). Note that the list of anycast webfilter servers contains both Fortinet's own servers and Fortinet's AWS servers, whereas the 'aws' value for 'fortiguard-anycast-source' restricts the list to Fortinet's AWS servers only.

Example: Fortinet's AWS servers in FortiGuard's anycast network are resolved via globalguard2.fortinet.net and correspond to these two anycast IP addresses:

Check which webfilter servers are in use with the 'get webfilter status' CLI command:

```
get webfilter status
Service : Web-filter
...
Num. of servers : 2
-=- Server List (Mon Dec 22 17:34:12 2025) -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
```

There is a 'set load-balance-servers {integer}' setting with a default value of 1. This means that at any given time only one webfilter server is used for all rating requests. A long-lived session is established between FortiProxy and that selected webfilter server.

If a value greater than 1 is configured for 'set load-balance-servers {integer}', FortiProxy distributes the rating requests across that number of servers in round-robin fashion instead of sending them all to a single server.

Short-lived connections are established to all other webfilter servers in the list every 2 minutes so that FortiProxy can measure each server's RTT, i.e. the time it takes to respond to a NOOP message. The measured RTT therefore includes the server's response time as well as any transport overhead (including TLS connection establishment).

These regular health checks allow FortiProxy to switch to another webfilter server in the list should the active webfilter server fail.

The 'FortiGuard webfilter unreachable' event is logged by FortiProxy when 100 requests time out in a row.

If FortiProxy is logging this event, retrieve more detailed statistics by running the 'get webfilter ftgd-statistics' CLI command:

```
get webfilter ftgd-statistics
Rating Statistics:
```

Usually the 'Request timeout' value in the output of 'get webfilter ftgd-statistics' equals the sum of the 'Total Lost' counters of all webfilter servers in the output of 'get webfilter status'.

Because anycast IP addresses are in use, there is no way to confirm which actual server behind an anycast IP address FortiProxy is connecting to, whether it has been the same server the whole time, or whether a nearby server was used at one point and a routing change in the anycast network later directed that anycast IP to a server that is much further away.
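When troubleshooting the 'FortiGuard webfilter unreachable' event, it helps to cross-check the two CLI outputs described above programmatically: sum the 'Total Lost' counter of every server listed by 'get webfilter status' and compare it with the 'Request timeout' counter from 'get webfilter ftgd-statistics'. The following Python script is an added example and is not Fortinet's code or part of the article. The two sample outputs embedded in it are constructed for this example: their column layout follows the header line shown in the article, but the exact spacing, flag values and statistic names on a real FortiProxy may differ, so the parsing assumptions are noted in the comments.

```python
"""
Cross-check FortiProxy webfilter server health against FortiGuard rating
statistics.  Added example; the sample CLI outputs are CONSTRUCTED and the
column layout is an assumption based on the header line in the article.
"""
import re
from dataclasses import dataclass

# Constructed sample of 'get webfilter status' (IPs from the documentation
# range 192.0.2.0/24; values are invented).  Assumption: eight
# whitespace-separated columns precede the free-form 'Updated Time' field.
STATUS_OUTPUT = """\
Service : Web-filter
Num. of servers : 2
-=- Server List (Mon Dec 22 17:34:12 2025) -=-
IP             Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
192.0.2.10     0      12  D     0  4210                0         3          Mon Dec 22 17:33:50 2025
192.0.2.11     10     47  -     0  0                   0         2          Mon Dec 22 17:32:10 2025
"""

# Constructed sample of 'get webfilter ftgd-statistics'.  Only the
# 'Request timeout' counter name comes from the article; the others are
# placeholders for this example.
STATS_OUTPUT = """\
Rating Statistics:
DNS failures        : 0
Request timeout     : 5
Total request count : 4210
"""


@dataclass
class WebfilterServer:
    ip: str
    weight: int
    rtt_ms: int
    flags: str
    tz: int
    requests: int
    curr_lost: int
    total_lost: int
    updated: str


def parse_status(text: str) -> list[WebfilterServer]:
    """Parse the server list section of 'get webfilter status'."""
    servers = []
    in_list = False
    for line in text.splitlines():
        if line.startswith("-=- Server List"):
            in_list = True          # rows follow the banner line
            continue
        if not in_list or line.startswith("IP ") or not line.strip():
            continue                # skip header row and blank lines
        fields = line.split(None, 8)  # 8 fixed columns, remainder is the timestamp
        if len(fields) < 9:
            raise ValueError(f"unexpected server row: {line!r}")
        ip, weight, rtt, flags, tz, req, curr, total, updated = fields
        servers.append(WebfilterServer(ip, int(weight), int(rtt), flags, int(tz),
                                       int(req), int(curr), int(total), updated.strip()))
    return servers


def parse_stats(text: str) -> dict[str, int]:
    """Parse 'Name : integer' lines of 'get webfilter ftgd-statistics'."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def check(status_text: str, stats_text: str) -> dict:
    """Compare the per-server 'Total Lost' sum with 'Request timeout'."""
    servers = parse_status(status_text)
    stats = parse_stats(stats_text)
    lost_sum = sum(s.total_lost for s in servers)
    timeouts = stats.get("Request timeout")
    return {
        "servers": servers,
        "total_lost_sum": lost_sum,
        "request_timeout": timeouts,
        # The article states these usually match; a mismatch is worth a closer look.
        "consistent": timeouts == lost_sum,
        "servers_with_loss": [s.ip for s in servers if s.total_lost > 0],
    }


if __name__ == "__main__":
    result = check(STATUS_OUTPUT, STATS_OUTPUT)
    for s in result["servers"]:
        print(f"{s.ip:<14} rtt={s.rtt_ms:>4}ms total_lost={s.total_lost}")
    print("sum(Total Lost) =", result["total_lost_sum"],
          "| Request timeout =", result["request_timeout"],
          "| consistent:", result["consistent"])
```

On a real device, paste the two command outputs into the script in place of the constructed samples (or feed them from files) and confirm the row layout matches before trusting the parsed counters; the 'servers_with_loss' list shows which servers are accumulating timeouts, which complements the per-server RTT when deciding whether a different anycast path is being taken.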
