URL filter " Allow" and " Monitor" issue

Nihas, thank you for your answer. The expression seems to work correctly as if I keep the same expression (doesn' t matter simple or wildcard) and change only action from " Allow" or " Monitor" to " Exempt" users can access requested page. If I change the action from " Exempt" (keep expression unchanged) to " Allow" or " Monitor" the users can' t access the page.

Are you using Fortiguard Categories along with the website filter list? I ran into a similar issue and eventually determined that even if you are allowing a site with the website filter, it can still be blocked based on the FTG category if you are using that as well. Exempt is the only way you can bypass the FTG category webfilter but it will also exempt the site from AV scanning and other UTM which may not be the intended result. Read your log entry closely to see if you can determine what is actually blocking the traffic. Order of web filtering based on 5.0.x documentation: 1. URL Filter (website filter list) 2. FortiGuard Web Filter Categories 3. Web Content Filter 4. Web Script Filter 5. AV Scanning

I’m using Fortiguard Categories. I’m not sure what you mean by the ”website filter list”. If you’re referring to “URL filter” within “Web Filter”, then yes, I’m using Fortiguard Categories along with the website filter list. My idea was to use category for a whole bunch of websites and just exclude one particular website by using URL filter. Anyway, using “Exempt” is not an option for my from the reason you mentioned (bypass AV). So is it a bug in the Fortigate software or this is how it should work?

So is it a bug in the Fortigate software or this is how it should work?

Apparently it' s how it' s supposed to work. It' s the same way in 5.0. It' s never made much sense to me though. If I set it to allow, allow the damn url through the webfilter portion, but still perform other UTM on it! It' s annoying.

This is some kind of workaround. I did the same on my Fortigate a time ago when I was really angry with Fortinet for what they did with “URL Filter”. In this scenario the only thing I’m not sure is if wildcards can be used. From the other site, even if there is a workaround it doesn' t mean that they should leave “URL Filter” as is now. In my opinion they should fix / change it in the way how most users expect and how FataHalt clearly expressed :)

Can anyone confirm if URL is actually allowd on " ALLOW" action in latest as of now release v5.2.1,build618 OR its still on workaround i.e to use EXEMPT

This behavior is intended and according to design, see documentation. If you use FortiGuard categories, then proper way to allow sites is to use local overrides. The " allow" in urlfilter is to allow the page on urlfilter list, for example you block all in urlfilter list, but allow only some sites.