FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193927
Description: This article describes why FortiGuard web filter category lookups performed by a FortiGate may show an unexpected category for a website, while checking the same domain name in FortiGuard Web Filter Lookup shows the expected rating.
Scope: FortiGate, FortiGuard.
Solution:

This is expected behavior when the Web Filter Profile option 'Rate URLs by domain and IP Address' is selected.


config webfilter profile
    edit <webfilter name>
        config ftgd-wf
            set options rate-server-ip
        end
    next
end


When using this option, a rating for the IP address is retrieved from FortiGuard and compared to the domain rating. The category with the higher weight takes precedence. This can cause unexpected ratings under some common scenarios:

  • The given website is hosted using the same IP address as other domains (e.g., virtual hosting).
  • A website changes hosts, and the IP address changes along with it.
  • The website is hosted on a Content Delivery Network, such as Akamai or Cloudflare.


In this example, the URL 'pradhaanair.aero' is rated in the 'Business' category, but the web filter still blocks it because the IP address it resolves to is rated as malicious.

[Screenshots: pradhaanair_webfilter.JPG, pradhaanair_ping.JPG, pradhaanair.aero.JPG]

See the FortiOS Administration Guide: Rating Options.


FortiGate TAC recommends disabling rating by server IP address and rating by domain only. To verify that the server actually matches the domain the client is trying to access, enable the server SNI check as described in 'Configuring an SSL/SSH inspection profile' in the FortiOS Administration Guide.

To disable the 'Rate URLs by domain and IP address' option:


[Screenshot: kb snip.png]
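The CLI equivalent of that GUI change, as an added example that is not part of the original article: the webfilter profile from the Solution section with 'rate-server-ip' cleared, followed by the server SNI check on the SSL/SSH inspection profile used by the policy. The profile names are placeholders, and the 'sni-server-cert-check' keyword is an assumption taken from the Administration Guide's 'Server certificate SNI check' option.

```text
# Added example, not from the original article. Profile names are placeholders.

# 1. Rate by domain only: clear the rate-server-ip flag.
#    'unset options' clears every flag in 'options'. If other flags were in
#    use (for example error-allow), re-set them with 'set options <flag> ...'
#    and simply leave rate-server-ip out.
config webfilter profile
    edit "web-filter-placeholder"
        config ftgd-wf
            unset options
        end
    next
end

# 2. Verify that the server certificate matches the SNI the client sent, so
#    the domain-only rating is applied to the host that actually answers.
#    'sni-server-cert-check' is assumed from the guide's 'Server certificate
#    SNI check' option; confirm the keyword for your FortiOS version.
config firewall ssl-ssh-profile
    edit "inspection-placeholder"
        config https
            set sni-server-cert-check enable
        end
    next
end
```

After the change, the lookup for 'pradhaanair.aero' is decided by its domain rating ('Business') rather than by the rating of the shared or malicious IP it resolves to.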

For a more stringent security posture, consider configuring SSL/TLS deep inspection for traffic sent by managed endpoints. Deep Inspection is not appropriate for 'Bring Your Own Device' networks since it requires installing the FortiGate's SSL inspection Certificate Authority on the device as a Trusted Root CA.