We've recently seen a spike in "Web Page Blocked: an error occurred while trying to rate the website using the web filtering service" messages, both internally and in complaints from customers. These show up in the Web Filter log as "Action: Blocked, Message: A rating error occurs".
I opened a support ticket and here's what we narrowed this down to:
[ul]
[*]FortiGates running FortiOS 6.0.8 and 6.0.9 (and probably 6.2.x too but not tested)
[*]System / FortiGuard / Protocol = HTTPS (as per 6.0.8/6.0.9 release notes guidance)
[*]Switching Update Server location from "US only" to "Lowest latency" or Port from 8888 to 53 or vice-versa sometimes temporarily resolved the problem but the "ratings error" returned.
[/ul]
If you run "diag debug rating" with the above settings you'll see that there are fewer FortiGuard servers available that respond over HTTPS compared to HTTP or UDP. This seems to be a recent capacity issue but support hasn't confirmed this. We had FortiGuard over HTTPS enabled soon after FortiOS 6.0.8 came out and it ran for months without issues - until recently.
If you set System / FortiGuard / Protocol to UDP you should find that the ratings errors go away and normal, reliable web filtering resumes. Our other option to avoid the block pages is to modify our Web Filtering profile to "Allow websites when a rating error occurs" (i.e. fail open), but I'd recommend against this as it potentially allows pass-through to malicious sites when rating fails.
If this is exactly what you're seeing I'd recommend you open a case with support. Hopefully this gets resolved soon so we can switch back to the more secure FortiGuard over HTTPS.
Russ
NSE7
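To confirm that a protocol change actually removed the rating errors, the web filter log can be tallied per hour. The script below is an added example, not part of the original post; it assumes key=value log lines with `date`, `time`, `subtype`, `action` and `msg` fields, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: key=value log lines; the field names are assumptions.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RATING_ERROR = "a rating error occurs"  # message text quoted in the post

# Constructed sample lines, not taken from a real device.
SAMPLE = """\
date=2020-03-02 time=09:05:11 subtype="webfilter" action="passthrough" hostname="example.com" msg="URL belongs to an allowed category in policy"
date=2020-03-02 time=09:40:02 subtype="webfilter" action="passthrough" hostname="example.org" msg="URL belongs to an allowed category in policy"
date=2020-03-02 time=10:01:30 subtype="webfilter" action="blocked" hostname="example.com" msg="A rating error occurs"
date=2020-03-02 time=10:02:44 subtype="webfilter" action="passthrough" hostname="example.net" msg="URL belongs to an allowed category in policy"
date=2020-03-02 time=10:15:09 subtype="webfilter" action="blocked" hostname="example.org" msg="A rating error occurs"
date=2020-03-02 time=10:50:51 subtype="webfilter" action="passthrough" hostname="example.com" msg="URL belongs to an allowed category in policy"
date=2020-03-02 time=11:03:17 subtype="webfilter" action="passthrough" hostname="example.com" msg="URL belongs to an allowed category in policy"
date=2020-03-02 time=11:20:40 subtype="webfilter" action="passthrough" hostname="example.net" msg="URL belongs to an allowed category in policy"
"""

def parse(line):
    """Split one log line into a dict, handling quoted and bare values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def hourly_error_rate(lines):
    """Return {hour: (rating_errors, total_webfilter_events, ratio)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse(line)
        if rec.get("subtype") != "webfilter" or "date" not in rec or "time" not in rec:
            continue  # skip non-webfilter or malformed lines
        bucket = f'{rec["date"]} {rec["time"][:2]}:00'
        counts[bucket][1] += 1
        if (rec.get("action", "").lower() == "blocked"
                and RATING_ERROR in rec.get("msg", "").lower()):
            counts[bucket][0] += 1
    return {h: (e, t, e / t) for h, (e, t) in sorted(counts.items())}

def spike_hours(lines, threshold=0.25):
    """Hours in which rating errors make up at least `threshold` of events."""
    return [h for h, (_, _, r) in hourly_error_rate(lines).items() if r >= threshold]

if __name__ == "__main__":
    for hour, (errs, total, ratio) in hourly_error_rate(SAMPLE.splitlines()).items():
        print(f"{hour}  rating errors {errs}/{total} ({ratio:.0%})")
```

Running it against logs from before and after a switch to UDP shows whether the error ratio drops to zero, without having to change the profile to fail open.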