Useful facts about the FortiClient web filter in Chromebooks

• On ChromeOS, there is no FortiClient application responsible for web filtering or log collection. Instead, the 'FortiClient Chromebook Web Filter Extension' Chrome extension is performing the web filtering.
• If the Chromebook device is not managed by Google Admin, installing the FortiClient web filter extension is pointless.

Web Filter issues:

The Web Filter functionality occasionally malfunctions and can cause the symptoms listed below:

• Allowed websites being blocked with Category Unknown or Unrated:Unknown.
• Websites that are not permitted can be viewed, or blocked with delay.
• YouTube videos do not play or appear.

Follow these steps to collect the necessary logs for support:

1. In the Google Admin console, navigate to Devices -> Chrome -> Settings -> select the appropriate OU where the user is located -> Users & browsers ->  find and select Developer tools -> select Always allow use of built-in developer tools.

2. In the Chrome browser of the affected Chromebook, access chrome://extensions -> make sure the Developer mode toggle is enabled -> under FortiClient Chromebook Webfilter Extension, select service worker (return to step 1 and check again if not able to see it). Alternatively, select Details, and from there, select Service Worker.

3. This is the most important log: in Chrome Developer Tools, select the Network tab -> reproduce the issue by refreshing the page in Chrome browser -> select Export HAR in the top right.

4. Select the Console tab -> reproduce the issue by refreshing the page in Chrome browser -> Right-click inside the Console and select Save as...

5. Open the Crosh app in Chromebook -> type tracepath wsfgd1.fortiguard.net -> open another Crosh -> type ping wsfgd1.fortiguard.net -> take a screenshot from both outputs.

6. Type 'what is my ip' in the Chrome browser and update the support ticket with the information.

7. Open FortiGate -> Network > Diagnostics -> New packet capture -> Select the interface that is connected to the internet -> Enable Filters and set Host to the IP address wsfgd1.fortiguard.net -> Set Port to 3400 -> Start capture -> Reproduce the issue by refreshing the page in Chrome browser -> Stop capture.

8. Follow the instructions in Troubleshooting Tip: Troubleshoot FortiClient Web Filter related issues in Chromebook and confirm the certificate is trusted for https://wsfgd1.fortiguard.net:3400.

To summarize what logs are needed:

1. The network-log.har log.
2. The console log.
3. The trace and ping result to wsfgd1.fortiguard.net.
4. The public IP address of affected Chromebooks.
5. Sniffer capture of traffic routed to wsfgd1.fortiguard.net over port 3400.
6. Confirmation of the certificate's validity for this URL: https://wsfgd1.fortiguard.net:3400.