Created on 01-30-2008 12:00 AM
Edited on 06-23-2025 12:40 AM
By Jean-Philippe_P
Description | This article explains why FortiGuard web filter category lookups performed by a FortiGate may show an unexpected category for a website, while checking the same domain name in FortiGuard Web Filter Lookup shows the expected rating. |
Scope | FortiGate, FortiGuard. |
Solution |
This is expected behavior when the Web Filter Profile option 'Rate URLs by domain and IP Address' is selected.
config webfilter profile
    edit <webfilter name>
        config ftgd-wf
            set options rate-server-ip
        end
    next
end
In this example, the URL 'pradhaanair.aero' is in the 'Business' category. However, it is blocked by the web filter because the IP address it resolves to is tagged as malicious.
See the FortiOS Administration Guide: Rating Options.
FortiGate TAC recommends disabling rating by server IP address and rating by domain only instead. To verify that the server matches the domain the client is trying to access, the server SNI check can be enabled in the SSL/SSH inspection profile (see 'Configuring an SSL/SSH inspection profile').
For a more stringent security posture, consider configuring SSL/TLS deep inspection for traffic sent by managed endpoints. Deep Inspection is not appropriate for 'Bring Your Own Device' networks since it requires installing the FortiGate's SSL inspection Certificate Authority on the device as a Trusted Root CA. |
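An added example, not part of the original article or any Fortinet tooling: a Python check that scans a FortiOS configuration backup for web filter profiles that have 'rate-server-ip' set, so the profiles affected by the behavior described above can be listed before they are changed. The sample configuration is constructed and the function name is hypothetical; the check assumes the option appears as an explicit 'set options' line in the backup.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = '''
config webfilter profile
    edit "default"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 26
                next
            end
        end
    next
    edit "guest wifi"
        config ftgd-wf
            set options error-allow rate-server-ip
        end
    next
end
'''

def profiles_rating_by_server_ip(config_text):
    """Return names of web filter profiles whose ftgd-wf options include rate-server-ip."""
    stack, hits = [], []  # stack holds the open config/edit blocks, outermost first
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)  # handles quoted names such as "guest wifi"
        except ValueError:  # unbalanced quote: part of a multi-line value, not a keyword
            continue
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            stack.append((tokens[0], " ".join(tokens[1:])))
        elif tokens[0] in ("next", "end"):  # 'next' closes an edit, 'end' closes a config
            if stack:
                stack.pop()
        elif (tokens[:2] == ["set", "options"] and "rate-server-ip" in tokens[2:]
              and len(stack) == 3
              and stack[0] == ("config", "webfilter profile")
              and stack[1][0] == "edit"
              and stack[2] == ("config", "ftgd-wf")):
            hits.append(stack[1][1])  # name given on the profile's edit line
    return hits

if __name__ == "__main__":
    print(profiles_rating_by_server_ip(SAMPLE_CONFIG))
```

Only a 'set options' line directly inside a profile's 'config ftgd-wf' block is counted, so the same keyword in an unrelated section of the backup is ignored.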