morbo-198
New Member
April 22, 2025
Solved

Question about Web Filter configuration with Override and URL Filter in FortiGate

  • 2 replies
  • 2514 views

Hi everyone, I have a question regarding how FortiGate handles override of blocked categories in Web Filtering. Let me explain my setup:

I have Web Filtering enabled with a custom profile where the "Streaming Media and Download" category is set to block. The goal is to allow certain users to override the block and access specific sites within that category after authentication.

To do this, I enabled "Override blocked categories" and assigned the built-in monitor-all profile. Inside this monitor-all profile, I kept "Streaming Media and Download" set to block, but I also configured a URL Filter exception, where I added a wildcard like *youtube.com and set the action to "exempt".

The expected behavior is:

  • When a user tries to access YouTube, the override page should appear.

  • The user logs in with credentials.

  • Due to the URL Filter exemption, access to YouTube is allowed.

  • All other sites under the "Streaming Media and Download" category remain blocked.

However, this doesn’t seem to work as intended. The override page shows up, but after authentication, it loops back to the same block page instead of allowing access to YouTube.

Can anyone confirm if this setup is technically correct, or if there's a limitation or step I'm missing to make it work properly?

Thanks in advance!



Best answer by funkylicious

OK, I see what you are trying to achieve now.

Try switching the inspection mode to proxy-based instead of flow-based, both for the web filter and the firewall, and see if it works with the web filter asking to Authenticate that you posted in a comment above.

2 replies

funkylicious
SuperUser
April 22, 2025

Hi,

Are the profiles/fw rule in proxy mode?

L.E.: have a look at this, https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-web-rating-override-to/ta-p/276489, I think it's similar to what you are trying to achieve.

"jack of all trades, master of none"
morbo-198 (Author)
New Member
April 22, 2025

What do you mean by proxy mode? Are you referring to the "Inspection Mode" option?
If so, both the profiles and the firewall policy are set to "Flow-based".
I'll review the link you shared and let you know the result.

funkylicious
SuperUser
April 23, 2025

Well, not exactly.

You are doing something similar, but not as described in the KB.

To fully implement the example in your case, you would need to create a web rating override and in it assign youtube.com to Custom Categories, sub-category custom1, and in your monitor-all policy change custom1 to Authenticate instead of Monitor/Allow/Block/Warning etc.

"jack of all trades, master of none"
morbo-198 (Author)
New Member
April 23, 2025

I also tested this configuration:

In this screenshot, I show how my current Web Filter profile is configured. The category "Streaming Media and Download" is not shown here, but it's set to Block. If you look under the Local Categories, I have one set to Allow and another to Authenticate.
Bloqueo.png

In this second screenshot, I show how I’ve configured the Web Rating Overrides.
web raiting overrides.png

And in this last screenshot, you can see the Firewall Policy that I'm using.
Policy.png

With this setup, when a user tries to access YouTube, they are able to do so successfully.
However, the issue happens when trying to access hulu.com—the user gets this page:
1.png

After entering the correct credentials, it should allow access to Hulu,
2.png
but instead it shows this again, and the user gets stuck in a loop:
1.png
So as you can see, it only works correctly when the Local Category (for example, "Streaming Permitidas") has the action set to monitor or allow.
But if I set the action to Authenticate or Warning, it results in that same error loop.
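
The settings discussed in this thread (web rating override into custom1, Authenticate on that category, proxy-based inspection), written out as FortiOS CLI. This is an added example, not configuration posted by either participant. The policy ID `10`, profile name `wf-streaming` and user group `override-users` are placeholders, the category ID `140` for custom1 is an assumption to confirm with `show webfilter ftgd-local-cat`, and option names can differ between FortiOS versions.

```fortios
# Web rating override: re-rate youtube.com into the local category custom1.
# 140 is assumed to be the ID of custom1; verify it on the device first.
config webfilter ftgd-local-rating
    edit "youtube.com"
        set rating 140
        set status enable
    next
end

# Web filter profile: proxy feature set, and Authenticate on custom1.
# "Streaming Media and Download" stays on Block in the same profile,
# so only hosts re-rated into custom1 reach the authentication prompt.
config webfilter profile
    edit "wf-streaming"
        set feature-set proxy
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action authenticate
                    set auth-usr-grp "override-users"
                next
            end
        end
    next
end

# Firewall policy: proxy-based inspection, referencing the profile above.
# A proxy feature-set profile can only be selected on a proxy-mode policy.
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set webfilter-profile "wf-streaming"
    next
end
```

Keep the user group on the Authenticate filter as narrow as the override is meant to be, since every member of that group can pass the block for anything rated into custom1.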