AlexFeren
New Member
May 29, 2020
Question

Category Override not working after upgrade to 6.0.9


Prior to the upgrade from 5.6.11 to 6.0.9, I had a Local Rating Override of site "{redacted}-VPN.com" from FortiGuard Category "Proxy Avoidance" to Local Category "VPN". I then allowed the "VPN" Category in a Web-filter Profile associated with a firewall rule. However, after the upgrade, this override is no longer working and access to the site is denied.

Note: access is denied for HTTPS requests, while HTTP requests are allowed.

Is 6.0.9 doing rating overrides differently, and if so, how do I effect it?

Here's the configuration in 5.6.11:

config webfilter ftgd-local-rating
    edit "{redacted}.com"
        set rating 140
    next
end
config webfilter ftgd-local-cat
    edit "VPN"
        set id 140
    next
    :
end
config webfilter profile
    :
    edit "Clone of default"
        set comment "Default web filtering."
        set inspection-mode flow-based
        config ftgd-wf
            set options rate-server-ip
            set category-override 140
            config filters
                :
                edit 88
                    set category 140
                next
                :
            end
        end
    next
end

After the upgrade to 6.0.9, the configuration is identical except that "set category-override 140" doesn't exist. (The FortiOS CLI Reference for 6.0.9 no longer shows a "category-override" parameter.)

config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443
            set status certificate-inspection
        end
        config ftps
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        config ssh
            set ports 22
        end
    next
end

Also, the traffic to the site is now denied:

FWF # execute log filter dump
category: webfilter
device: disk
start-line: 11
view-lines: 10
max-checklines: 0
HA member:
Filter: Oftp search string:
FWF# execute log display
35 logs found.
10 logs returned.
1: date=2020-05-30 time=01:10:09 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1590765009 policyid=1 sessionid=614 srcip={redacted} srcport=51237 srcintf="wire_less_ssw" srcintfrole="lan" dstip={redacted} dstport=443 dstintf="wan2" dstintfrole="wan" proto=6 service="HTTPS" hostname="{redacted}-VPN.com" profile="Clone of default" action="blocked" reqtype="direct" url="/" sentbyte=517 rcvdbyte=1460 direction="incoming" msg="URL belongs to a denied category in policy" method="domain" cat=59 catdesc="Proxy Avoidance" crscore=40 crlevel="high"
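A way to check from the logs whether a local rating override actually took effect, written as an added example for this thread (it is not FortiOS code and not the poster's): it parses a webfilter log record shaped like the one above and the ftgd-local-rating block, then compares the logged cat with the local category id configured for that host. The record above shows cat=59 (the FortiGuard category) rather than 140 (the local category), which is the symptom the check flags. The sample hostname, the sample config and the rule that a rating on a domain also covers its subdomains are assumptions made for this example.

```python
import re

# Constructed sample log line, shaped like the webfilter record in the post above
# (hostname and other values are placeholders, not the poster's redacted values).
SAMPLE_LOG = (
    'date=2020-05-30 time=01:10:09 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=1 sessionid=614 '
    'dstport=443 proto=6 service="HTTPS" hostname="example-vpn.com" '
    'profile="Clone of default" action="blocked" reqtype="direct" url="/" '
    'msg="URL belongs to a denied category in policy" method="domain" '
    'cat=59 catdesc="Proxy Avoidance"'
)

# Constructed sample of the local-rating block from the post, with a placeholder domain.
SAMPLE_CONFIG = """
config webfilter ftgd-local-rating
    edit "example-vpn.com"
        set rating 140
    next
end
config webfilter ftgd-local-cat
    edit "VPN"
        set id 140
    next
end
"""

# FortiOS log records are key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Split one FortiOS log record into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_local_ratings(config_text):
    """Return {domain: local category id} from a 'config webfilter ftgd-local-rating' block."""
    ratings, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config webfilter ftgd-local-rating":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            break
        elif line.startswith('edit "'):
            current = line[6:-1]          # the quoted domain after 'edit '
        elif line.startswith("set rating ") and current is not None:
            ratings[current] = int(line.split()[-1])
        elif line == "next":
            current = None
    return ratings


def override_applied(fields, ratings):
    """Compare the category the FortiGate logged with the local rating configured for the host.

    Returns True if the logged cat equals the configured local category, False if a
    rating exists for the host but a different category was applied, and None if no
    rating covers the host. Assumption for this example: a rating on a domain also
    covers its subdomains.
    """
    host = fields.get("hostname", "").lower()
    for domain, cat_id in ratings.items():
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return int(fields.get("cat", -1)) == cat_id
    return None


def diagnose(line, config_text):
    """One-line verdict for a webfilter log record checked against the local-rating config."""
    fields = parse_fortilog(line)
    result = override_applied(fields, parse_local_ratings(config_text))
    if result is None:
        return "no local rating covers %s" % fields.get("hostname")
    if result:
        return "local rating applied: cat=%s" % fields.get("cat")
    return "local rating NOT applied: got cat=%s (%s), action=%s" % (
        fields.get("cat"), fields.get("catdesc"), fields.get("action"))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONFIG))
```

Run it against the output of `execute log display` after a test request to the site: a verdict of "NOT applied" with the FortiGuard category in cat/catdesc means the local rating never reached the profile's decision, which is what the record above shows.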

  

    1 reply

    Toshi_Esumi
    SuperUser
    May 29, 2020

    I don't remember how the 5.6 config looked for web category filtering. But at least with 6.0, allowed categories wouldn't show up under "config webfilter profile/edit "VPN"" because "Allow" is the default action in the file, so you can't even set "set action allow" under "edit xx". To allow that category in CLI, you need to remove that entry.

    If you have doubts, just create a new profile and set all categories to "Allow". You should see an almost empty profile. Since you allowed the "VPN" category, it's expected not to show up there.

     

    By the way, does this happen to be an HTTPS site? And are you enabling at least "certificate-inspection"? I think it started being required since 6.0.

    AlexFeren (Author)
    New Member
    May 30, 2020

    Thanks for taking the time to answer...

    > And are you enabling at least "certificate-inspection"? I think it started being required since 6.0.

    Doesn't the "config firewall ssl-ssh-profile" above show this?

     

    Toshi_Esumi
    SuperUser
    May 30, 2020

    At the policies.