Solution
FortiGate learns the destination hostname during the SSL/TLS handshake (primarily from the Server Name Indication in the ClientHello, falling back to the server certificate when SNI is absent), queries FortiGuard for the category of that site, and then applies the action configured for that category in the web filter profile.
The 'Allow websites when a rating error occurs' option in the web filter profile determines how FortiGate handles web requests when it cannot retrieve a site’s category rating from FortiGuard servers. This setting directly impacts the balance between security and availability during network, licensing, or FortiGuard service interruptions.

When this option is enabled and FortiGate fails to retrieve a web category rating from FortiGuard (because of a network, licensing, or service interruption), the traffic is permitted instead of being blocked. The setting is disabled by default, both in the default web filter profile and in any newly created web filter profile.
When the option is disabled and FortiGate cannot retrieve a rating from FortiGuard, the request is blocked.
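The same setting is exposed in the FortiOS CLI as the error-allow keyword of the ftgd-wf options list inside the web filter profile. The following is an added example, not part of the original article: the profile name "corp-web" is assumed, and the keyword set for "set options" should be verified against the CLI reference of the FortiOS version in use, since the list varies between releases. The first block is the fail-open configuration described above; the second is the default, fail-closed configuration.

```fortios
# Added example, not from the original article. Profile name "corp-web" is assumed.
# Fail-open variant: error-allow corresponds to the GUI option
# "Allow websites when a rating error occurs". With it set, a request whose
# FortiGuard rating cannot be retrieved is passed through.
config webfilter profile
    edit "corp-web"
        config ftgd-wf
            set options error-allow
        end
    next
end

# Fail-closed variant (the default): clear the keyword so that a rating error
# results in a block. "unset options" clears every keyword in this list, not
# only error-allow; if other keywords (for example rate-server-ip) were set,
# reissue "set options" with the keywords to keep instead of using unset.
config webfilter profile
    edit "corp-web"
        config ftgd-wf
            unset options
        end
    next
end
```

Before deciding which variant to run, check whether rating lookups are actually failing: "diagnose debug rating" lists the configured FortiGuard rating servers together with their status, and is the usual first check when the web filter starts reporting rating errors. With the keyword cleared, a FortiGuard outage shows up as users reporting blocked sites; with it set, the same outage produces silently unfiltered traffic that is only visible in the web filter logs.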
Implications of having the option enabled:
- FortiGate effectively fails open: web filtering is bypassed for as long as ratings cannot be retrieved, so traffic that the profile would normally block (for example adult, gambling, or malicious categories) may be allowed. Other security inspection features such as IPS, antivirus, anti-botnet, and application control continue to operate normally. Each rating error is still recorded in the FortiGate web filter logs; refer to FortiGuard web filter error logs.
- Newly registered or unrated domains become reachable, which can expose users to threats such as phishing or malware.
- It may violate organizational or regulatory compliance requirements if unrated or high-risk categories are not filtered.
- User connectivity is preserved: legitimate websites remain accessible during a FortiGuard outage or temporary disruption, and also in deployments where FortiGuard-based services are enabled without a valid license.
Implications of having the option disabled:
- It provides stronger protection by preventing access to potentially malicious or unknown sites.
- A rating lookup failure cannot be used to bypass the policy.
- It maintains continuous compliance for environments with stringent security policies.
- Legitimate websites may be blocked during temporary FortiGuard connectivity issues, which users experience as a service disruption.
To view the configuration options of a Web Filter profile, refer to Configuring Web Filtering on FortiGate: Web filter.