Skip to main content
tristanv
tristanv
New Member
December 5, 2025
Question

DPI & WF for "referralurl"

  • December 5, 2025
  • 2 replies
  • 270 views

Hi there,

 

I've configured a DPI (with CA-cert etc) and web-filtering profile (proxy-based) successfully on FortiGate, with web-filtering configured to block access to streaming category. These profiles are applied to a proxy-based security policy. 

 

The policy is working great, however some streaming sites are accessible for users, i.e. Crave.ca. Digging into the logs I can see the URL for the site I want to block but is accessible by the user isn't appearing in the URL field, but is appearing in the referralurl field. The FortiGate matches the URL field entry to an allowed category (i.e. 'Search Engines and Portals').

 

Is there a way to apply web-filtering to referral URLs as well?

 

Also, this behaviour is only see by FortiClient VPN users. Non-VPN users (i.e. inside) behind the FortiGate are blocked as expected for the same sites which appear as referral URL for FortiClient VPN users. Wondering why this is? Security policy is configured the same in both cases.

 

FortiGate version 7.4.9

FortiClient version 7.4.4

2 replies

Anthony_E
Staff
Anthony_E
Staff
December 8, 2025

Hello Tristan,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
    ebilcari
    Staff
    ebilcari
    Staff
    December 9, 2025

    Basically all URLs accessed by the end host, both directly and indirectly should be evaluated by the security policies. In this case, the issue may be that this streaming sites are using legitimate CDN URLs to deliver their content. Are the VPN users using full tunnel mode including the DNS traffic?

    Emirjon
      Terms & ConditionsAccessibility statement