FortiGate
Article Id 193754

Description

 

This article explains how to avoid conflicts on TCP ports 8008/8010/8015/8020, which FortiGuard Web Filtering uses for HTTP/HTTPS overrides, when an external website is hosted on one of the same TCP ports and the override message "invalid fortiguard web filtering override request" is displayed in the user's browser.

In FortiOS v3.0, v4.0, v5.0, v6.0, and v7.0, the warning message 'Invalid or missing protection profile id' may be seen when accessing certain websites.
The error message 'invalid fortiguard web filtering override request' can also be observed.

This is only seen when FortiGuard Web Filtering and overrides are enabled.


Scope

 

All FortiOS Versions.


Solution

 

This message is seen when a website uses TCP port 8008, 8010, 8015 or 8020. FortiOS uses these ports for web filter overrides.

Because these ports are also used for internal FortiOS communication, the defaults must be changed to remove the conflict with legitimate HTTP traffic.

Use of these ports is as follows:

  • Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
  • Port 8010 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
  • Port 8015 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs in flow mode (FortiGuard web filter HTTPS override authentication in flow mode).
  • Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.

From the FortiGate Command Line Interface:

  1. Check the ports currently used for FortiGuard web filtering override authentication. The default values for HTTP and HTTPS are 8008 and 8010:

    FG300B3908606800 (fortiguard) # set ovrd-auth-port-https <integer>
    please input integer value
    FG300B3908606800 (fortiguard) # get
    cache-mode          : ttl
    cache-prefix-match  : enable
    cache-mem-percent   : 2
    ovrd-auth-port-http : 8008
    ovrd-auth-port-https: 8010

  2. Connect to the CLI, set the override ports to values not used by any website users need to reach (58000 and 58002 in this example), and verify with 'get':

    config webfilter fortiguard
    (fortiguard) # set ovrd-auth-port-http 58000
    (fortiguard) # set ovrd-auth-port-https 58002
    (fortiguard) # get
    cache-mode          : ttl
    cache-prefix-match  : enable
    cache-mem-percent   : 2
    ovrd-auth-port-http : 58000   <----- Now 58000, before it was 8008.
    ovrd-auth-port-https: 58002   <----- Now 58002, before it was 8010.
    ovrd-auth-https     : enable
    (fortiguard) # end
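To make the port conflict concrete, here is an added Python example (not Fortinet's code and not part of this article): it parses the 'get' output in the format shown above, flags destination URLs whose port collides with a configured override port, and builds the CLI that moves the ports. The sample 'get' dump, the URLs and the 58000/58002 replacement ports are constructed values; the 1024-65535 range guard is this example's own choice, not a FortiOS rule.

```python
import re
from urllib.parse import urlsplit

DEFAULT_OVERRIDE_PORTS = {8008, 8010, 8015, 8020}  # FortiOS defaults listed in the article

# Constructed sample of 'config webfilter fortiguard' / 'get' output, in the article's format.
SAMPLE_GET_OUTPUT = """\
cache-mode          : ttl
cache-prefix-match  : enable
cache-mem-percent   : 2
ovrd-auth-port-http : 8008
ovrd-auth-port-https: 8010
ovrd-auth-https     : enable
"""

def parse_override_ports(get_output):
    """Return {setting: port} for every ovrd-auth-port-* line in a 'get' dump."""
    pattern = re.compile(r"^(ovrd-auth-port-[\w-]+)\s*:\s*(\d+)\s*$", re.M)
    return {m.group(1): int(m.group(2)) for m in pattern.finditer(get_output)}

def url_port(url):
    """Explicit port if present, else the scheme default (80 for http, 443 for https)."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80

def find_conflicts(urls, override_ports):
    """(url, setting) pairs where the destination port equals a configured override port."""
    by_port = {port: setting for setting, port in override_ports.items()}
    return [(u, by_port[url_port(u)]) for u in urls if url_port(u) in by_port]

def remediation_cli(new_http, new_https):
    """FortiOS CLI that moves the HTTP/HTTPS override ports to new, distinct values.
    The reserved-port and 1024-65535 checks are this example's own guard, not a FortiOS rule."""
    for p in (new_http, new_https):
        if p in DEFAULT_OVERRIDE_PORTS or not 1024 <= p <= 65535:
            raise ValueError(f"port {p} is a FortiOS override port or out of range")
    if new_http == new_https:
        raise ValueError("HTTP and HTTPS override ports must differ")
    return ("config webfilter fortiguard\n"
            f"    set ovrd-auth-port-http {new_http}\n"
            f"    set ovrd-auth-port-https {new_https}\n"
            "end")

if __name__ == "__main__":
    ports = parse_override_ports(SAMPLE_GET_OUTPUT)
    for url, setting in find_conflicts(["https://intranet.example:8010/", "http://www.example/"], ports):
        print(f"{url} collides with {setting}")
    print(remediation_cli(58000, 58002))
```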