Contributor
April 10, 2011
Question

Help with UTM: Not working at all?

Ok, now I'm sure this is something I'm doing wrong, as this is essentially the most basic function of the FortiGate units! I'm trying to set up basic web filtering with categories. I have a FortiWifi 30B with FortiOS 4 MR2.

I have configured, as per the guides: a Web Filter Profile 'admin staff'. In here I have configured 'FortiGuard Web Filtering' for HTTP and HTTPS. For testing, I have set *every* category to 'block', so my understanding is this should be blocking essentially everything. I then go to my (only) firewall policy, and tick UTM. Select protocol options (using 'default', but tried many different options), and 'Enable Web Filter' and selected the 'Admin staff' profile. Then try browsing, and I can load *any* website!

I've tried enabling an identity-based policy, creating a username with this same web filtering policy, and sure enough, when I browse, I get a login prompt no worries, but once logged in, I can browse anything!

What's going on? What am I missing? Thanks in advance!

    7 replies

    Contributor
    April 10, 2011
    Just wanted to add a second image and mention I've tried so many different combinations of the advanced options shown above, and nothing works!
    bmann
    New Member
    April 10, 2011
    Hi,
    - as I wrote in the other post, rating by IPs is not a good idea. I would disable it. You will save yourself some problems.
    - you have to enable, in "System -> Maintenance -> FortiGuard -> Web Filtering and Email Filtering Options", the configuration "enable webfilter cache" and "enable antispam cache". Of course a valid webfilter license is needed.
    Contributor
    April 10, 2011
    I had read that, and have tried with it enabled and disabled; it makes no difference, I can still access any site I like! I have a valid connection to the Fortinet system, and the page shows valid dates (unit is brand new with bundle, so has a 12 months licence). Web filter caches are at the default settings, both enabled with default TTL. Any other ideas? I've got to be missing something horribly obvious..
    bmann
    New Member
    April 10, 2011
    Did you try "Use Default Port (53)"? I use it on all boxes with no problem. Then enable logging in the policy. Look at the logs to see which policy is matched and the classification of each web page.
    edsouza_FTNT
    Staff
    April 11, 2011
    A few possible reasons this is happening: 1) incorrect policy being hit. 2) Since you are on a FWF-30B, it's highly possible you are in conserve mode. High memory.
    Contributor
    April 13, 2011
    Ok, firstly, I have tried 53 and it makes no difference; that setting was set that way while trying both. It is 'reachable' and with a valid licence under either setting. Logging is enabled in the policy, and under the logs, I see entries in 'traffic' from my IP outbound, as level 'notice' and sub type 'allowed', but nothing there about rules or policies. Under the subheading under logs called 'Web Filter' there is 'no entries found'.

    edsouza: There is only one policy defined, and if I disable that policy, or change things such as 'No NAT', then my access fails. I can't imagine I can be low on memory on a device with 1 policy, 1 UTM profile and normal LAN/WAN/WLAN interfaces defined? Isn't this largely what this device is made for? The memory statistic on the dashboard is currently reading 69%, been as high as 80%. Rebooting the device does not make it work again. How can I tell if the device is in this conserve mode? The system logs do not have a mention of it. Thanks
    bmann
    New Member
    April 13, 2011
    OK, if you have only one policy there should be no problem with policy matching. What do you see with these cmds?
      diag sys top
      diagnose hardware sysinfo memory
      diagnose test application proxyacceptor 4
    For that policy disable all UTM functions except web filter, reboot and try it. Then enable AV and try it. Limit AV to max. 1MB file size scan; there is no reason to scan bigger files. Do not use IPS, it consumes too much memory and may be the reason for conserve mode. I have an 80C for testing and it consumes 300MB of memory with AV, webfilter, AS and IPS. The 30B has only 256MB I guess.
    Contributor
    April 14, 2011
    Ok, diag sys top:
      Run Time:  0 days, 0 hours and 2 minutes
      26U, 13S, 59I; 122T, 40F, 44KF
      httpsd            61      S       0.9     9.9
      cmdbsvr           15      S       0.0    11.0
      httpsd            48      S       0.0     9.9
      httpsd            58      S       0.0     9.7
      httpsd            62      S       0.0     9.7
      httpsd            29      S       0.0     9.3
      newcli            68      R       0.0     7.5
      newcli            67      S       0.0     7.5
      ipsengine         38      S <     0.0     7.3
      miglogd           27      S       0.0     7.0
      scanunitd         54      S <     0.0     6.5
      fdsmgmtd          46      S       0.0     6.0
      merged_daemons    39      S       0.0     6.0
      scanunitd         31      S <     0.0     5.9
      updated           45      S       0.0     5.9
      iked              44      S       0.0     5.9
      urlfilter         41      S       0.0     5.8
      authd             42      S       0.0     5.8
      dhcpd             47      S       0.0     5.6
      dnsproxy          51      S       0.0     5.6
    diagnose hardware sysinfo memory:
      FWF30B3G09003210 # diagnose hardware sysinfo memory
               total:     used:     free:  shared: buffers:   cached:      shm:
      Mem:  128737280  87240704  41496576        0   180224  51929088  46526464
      Swap:         0         0         0
      MemTotal:       125720 kB
      MemFree:         40524 kB
      MemShared:           0 kB
      Buffers:           176 kB
      Cached:          50712 kB
      SwapCached:          0 kB
      Active:          17220 kB
      Inactive:        33688 kB
      HighTotal:           0 kB
      HighFree:            0 kB
      LowTotal:       125720 kB
      LowFree:         40524 kB
      SwapTotal:           0 kB
      SwapFree:            0 kB
    diagnose test application proxyacceptor 4:
      FWF30B3G09003210 # diagnose test application proxyacceptor 4
      Running time (HH:MM:SS:usec)             0:03:45:687625
      Time in loop scanning                       0:00:000000
      Worker Read                                          38
      Worker Write                                         22
      Worker Close                                          0
      IPC Conn Read                                         0
      IPC Conn Close                                        0
      poll=84/83/2 pollfail=0
      cmdb=0 sysconserve=0 worker=60 ipcaccept=0 ipcconn=0 acceptor=1
      ipv4 listen:    http=8 https=15 smtp=0 pop3=0 imap=0 ftp=0 nntp=0
      ipv4 maxaccept: http=1 https=1  smtp=0 pop3=0 imap=0 ftp=0 nntp=0
      ipv6 listen:    http=0 https=0  smtp=0 pop3=0 imap=0 ftp=0 nntp=0
      ipv6 maxaccept: http=0 https=0  smtp=0 pop3=0 imap=0 ftp=0 nntp=0
      vdstat: accept=0 handler=0 in=0 out=0 done=0 close=0 failed=0
    I haven't had the IPS or Antivirus enabled at all during these tests; web filter is pretty much the only real feature this is to be used for. Policy has only Web Filter enabled, still nothing. It's like it's matching the firewall policy (if I disable protocols such as HTTP, it blocks all traffic), but not using the UTM at all for some reason (but user authentication prompts are working). It's very weird. This unit has been FW 3.xx factory, upgraded to 4.0 MR3 with major WIFI issues then downgraded to 4.0 MR2v5; perhaps it needs a factory reset on this newer firmware to clean it out?
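    The question of whether this box is in conserve mode can be answered from the two outputs posted above. As an added example (not part of this thread and not Fortinet code), the following Python script parses the `diagnose hardware sysinfo memory` and `diag sys top` output, re-typed here as sample input, reports memory usage the way the FortiOS dashboard does (everything not free counts as used, including page cache, which gives about 68% for the posted output and matches the 69% seen on the dashboard), and lists the largest memory consumers. The 88%/82% conserve-mode thresholds are an assumption taken from later FortiOS documentation, not from this thread or from 4.0 MR2; check the release notes for your firmware before relying on them.

```python
import re
from dataclasses import dataclass

# Sample input: the diagnostic outputs posted earlier in this thread, re-typed
# here (constructed from the thread, not captured live) so the script runs offline.
MEMINFO_SAMPLE = """\
MemTotal:       125720 kB
MemFree:         40524 kB
MemShared:           0 kB
Buffers:           176 kB
Cached:          50712 kB
SwapTotal:           0 kB
"""

TOP_SAMPLE = """\
Run Time:  0 days, 0 hours and 2 minutes
26U, 13S, 59I; 122T, 40F, 44KF
httpsd            61      S       0.9     9.9
cmdbsvr           15      S       0.0    11.0
ipsengine         38      S <     0.0     7.3
scanunitd         54      S <     0.0     6.5
urlfilter         41      S       0.0     5.8
"""

# ASSUMPTION: thresholds from later FortiOS documentation (enter conserve mode
# at 88% used, leave it at 82%); they are placeholders for this 4.0 MR2 box.
RED_THRESHOLD = 88.0
GREEN_THRESHOLD = 82.0


@dataclass
class Proc:
    name: str
    pid: int
    state: str
    cpu_pct: float
    mem_pct: float


def parse_meminfo(text: str) -> dict:
    """Return {field: kB} from the /proc/meminfo-style part of the output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\w+):\s+(\d+)\s+kB\s*$", text, re.M)}


def memory_usage_percent(meminfo: dict) -> float:
    """Used memory as the dashboard reports it: total minus free, cache included."""
    total = meminfo["MemTotal"]
    return round(100.0 * (total - meminfo["MemFree"]) / total, 1)


def conserve_mode_state(used_pct: float) -> str:
    """Classify usage against the assumed conserve-mode thresholds."""
    if used_pct >= RED_THRESHOLD:
        return "conserve"
    if used_pct >= GREEN_THRESHOLD:
        return "near-threshold"
    return "ok"


# name, pid, one-letter state, optional '<' scheduling flag, CPU%, memory%
_TOP_LINE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])(?:\s*<)?\s+([\d.]+)\s+([\d.]+)$")


def parse_top(text: str) -> list:
    """Parse the per-process lines of `diag sys top`; header lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = _TOP_LINE.match(line.strip())
        if m:
            procs.append(Proc(m.group(1), int(m.group(2)), m.group(3),
                              float(m.group(4)), float(m.group(5))))
    return procs


def top_memory_consumers(procs: list, n: int = 3) -> list:
    """Names of the n processes using the most memory, largest first."""
    return [p.name for p in sorted(procs, key=lambda p: p.mem_pct, reverse=True)[:n]]


if __name__ == "__main__":
    used = memory_usage_percent(parse_meminfo(MEMINFO_SAMPLE))
    print(f"memory used: {used}% -> {conserve_mode_state(used)}")
    print("top memory consumers:", top_memory_consumers(parse_top(TOP_SAMPLE)))
```

    Paste the full `diag sys top` output into `TOP_SAMPLE` to rank every daemon; on the posted output the web-management daemons (httpsd) and cmdbsvr, not the UTM processes, are the largest consumers, and `sysconserve=0` in the proxyacceptor output agrees with the script's "ok" verdict.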
    bmann
    New Member
    April 14, 2011
    Upgrade to MR3 is supported only from some patch releases of 4MR1 and 4MR2. So I would do a factory reset, do an upgrade to 4MR2 patch 5 to be safe, and then configure the box.
    Contributor
    April 18, 2011
    Ok. Updated to MR3, and did a factory reset; WIFI once again stopped working (see separate thread on this issue, ticket open), but UTM was configured and working correctly. Since I need the wifi to work (I wouldn't have bought a WIFI model if I didn't) I decided to downgrade back to MR2 patch 5, and factory reset again on this level. I now have it working. UTM & WIFI are working on MR2 patch 5. Memory at around 66%, running firewall & Web Filter only, which is all I really need. Thanks again for your help; it was obviously all related to the upgrade and downgrade of firmware without resetting. Now I just need WIFI to work in MR3 and I'll be happy, but for now this is usable. Thanks.