Article Id 307380

This article describes a scenario in which the admin cannot block any website using a Webfilter profile, even though the FortiGate has a reliable connection to the FortiGuard servers and full licensing. The admin also has Custom-deep-inspection enabled.




Under the default profile, the admin has Streaming Media and Download Category disabled, and a URL filter for has also been created.

Note: In this scenario, no website is blocked. YouTube is used as an example.




The picture below shows that is still accessible even after blocking it in the Webfilter security profile.




The screenshot below shows the root cause of the problem. The admin has Custom-deep-Inspection enabled on the policy, but HTTPS inspection is disabled in that profile. The Webfilter security profile checks the URL of the website and takes the appropriate action; in this scenario, because HTTPS inspection is disabled, the Webfilter does not inspect any website.




Scope: FortiGate, all firmware.



After the HTTPS inspection port is enabled under the Custom-deep-Inspection profile as shown above, the Webfilter starts inspecting the traffic, and the block page below is displayed.
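The same root cause can be checked for across every policy in a configuration backup. The script below is an added example, not Fortinet code: it flags policies that apply a Webfilter profile while the referenced SSL/SSH inspection profile has HTTPS inspection disabled. The sample configuration is constructed, and the `config https` / `set status` keys are assumed to match the layout of the firmware's exported configuration.

```python
import shlex
# Constructed sample in FortiOS CLI layout; profile names and policy IDs are illustrative.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set status disable
        end
    next
    edit "custom-deep-fixed"
        config https
            set status deep-inspection
        end
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "custom-deep-inspection"
        set webfilter-profile "default"
    next
    edit 2
        set ssl-ssh-profile "custom-deep-fixed"
        set webfilter-profile "default"
    next
end
"""

def parse(text):
    """Map each config path, e.g. ('firewall policy', '1'), to its 'set' options."""
    stack, tree = [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))   # enter a section or a table entry
        elif tok[0] in ("next", "end") and stack:
            stack.pop()                       # leave the entry or section
        elif tok[0] == "set":
            tree.setdefault(tuple(stack), {})[tok[1]] = " ".join(tok[2:])
    return tree

def webfilter_without_https_inspection(text):
    """List (policy id, SSL profile) where Webfilter is applied but HTTPS inspection is disabled."""
    tree, hits = parse(text), []
    for path, opts in tree.items():
        if len(path) == 2 and path[0] == "firewall policy" and "webfilter-profile" in opts:
            prof = opts.get("ssl-ssh-profile")
            if tree.get(("firewall ssl-ssh-profile", prof, "https"), {}).get("status") == "disable":
                hits.append((path[1], prof))
    return hits
```

Only an explicit `set status disable` is flagged; a profile whose HTTPS status line is absent from the backup is treated as unchanged from its default.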



