FortiGate
sramesh1
Staff
Article Id 415645
Description

When working with Web Filtering on FortiGate, administrators may notice that FortiGuard assigns both a Category and a Sub-Category to URLs.

This article explains the difference between the two, how they are used, and how to interpret log entries.

Scope
  • FortiGate (all models).
  • FortiGuard Web Filtering service.
  • Web Rating tests, Web Filter logs, and FortiView/FortiAnalyzer reports.
Solution

Explanation of Terms.

  1. Category.

Meaning:
The top-level classification assigned by FortiGuard. Categories are enforceable in Web Filter profiles and
policies (allow/deny/monitor/override).

 

Example use case:

  • Administrator blocks the Games category in a Web Filter profile, and all sites under Games are blocked.
    Log Example (CLI Web Rating test):


FGT # diagnose webfilter url www.poker.com
URL: www.poker.com
Rating: 52 (Games)
Category: 52 (Games)
Sub-category: 5202 (Gambling)
Action: block

 

  2. Sub-Category.

Meaning:
A finer classification under the parent Category. Sub-categories provide context for reporting and visibility in
logs, but cannot be directly enforced in Web Filter profiles.

 

Example use case:

  • FortiGuard assigns Games as a Category and Gambling as a Sub-Category.
  • If Games is blocked, Gambling sites are blocked.
  • If Games is allowed, Gambling sites are also allowed (even though they have a Sub-Category).
    Log Example (Web Filter log):


date=2025-09-05 time=11:12:34 devname="FGT60F" devid="FGT60FTK2209EGEM"
type="utm" subtype="webfilter" eventtype="ftgd_blk"
url="www.poker.com" action="blocked"
category="Games" subcategory="Gambling" service="HTTPS"

 

Understanding the difference.

FortiGuard’s classification system works in two layers:

  • Category (Enforceable): Used by FortiGate to make filtering decisions.
    Appears in Web Filter profiles, policies, and logs.
    Example: Games, Information Technology, Social Networking.

  • Sub-Category (Informational): Provides additional context for analysis.
    Shown in logs, reports, and Web Rating results for more detailed visibility.
    Example: Gambling (under Games), Online Games, Web Hosting.

 

In short:

Category = Enforcement layer (used in policies).

Sub-Category = Visibility layer (used for reporting).

 

Troubleshooting Tips.

  • Use CLI to check FortiGuard classification:

 

diagnose webfilter url <website>

 

  • Enable URL filter debug to see category/sub-category resolution in real time:

 

diagnose debug enable
diagnose debug application urlfilter 255

 

  • In Web Filter logs (FortiView/FortiAnalyzer), check both category and subcategory fields.
  • If enforcement is required at the sub-category level (for example, allow Games but block Gambling):
    • Create a Custom Category and assign URLs manually.
    • Or, use Application Control where applicable (for example, Online Games traffic).
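
One way to act on the last two tips, as an added example (not Fortinet code): this Python sketch parses Web Filter log lines and lists the URLs in a watched Sub-Category that were not blocked, which are the candidates for a Custom Category. The log lines are constructed and assume one entry per line with the field names from the log example on this page; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample entries (one per line) using the field names from the
# Web Filter log example above; hosts and values are made up for illustration.
SAMPLE_LOG = """\
date=2025-09-05 time=11:12:34 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="www.poker.example" action="passthrough" category="Games" subcategory="Gambling" service="HTTPS"
date=2025-09-05 time=11:13:02 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="cards.example" action="passthrough" category="Games" subcategory="Gambling" service="HTTPS"
date=2025-09-05 time=11:13:40 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="www.poker.example" action="passthrough" category="Games" subcategory="Gambling" service="HTTPS"
date=2025-09-05 time=11:14:05 type="utm" subtype="webfilter" eventtype="ftgd_allow" url="arcade.example" action="passthrough" category="Games" subcategory="Online Games" service="HTTPS"
date=2025-09-05 time=11:15:17 type="utm" subtype="webfilter" eventtype="ftgd_blk" url="slots.example" action="blocked" category="Games" subcategory="Gambling" service="HTTPS"
date=2025-09-05 time=11:16:00 type="utm" subtype="app-ctrl" url="cards.example" action="pass" category="Games" subcategory="Gambling"
"""

# key=value or key="value with spaces"
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_entry(line):
    """Return one log line as a dict of field -> value, quotes removed."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def allowed_by_subcategory(log_text, watched):
    """Map (category, subcategory) -> sorted URLs that were NOT blocked,
    limited to Web Filter entries whose sub-category is in `watched`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry.get("subtype") != "webfilter":
            continue  # other log types are out of scope here
        if entry.get("action") == "blocked":
            continue  # the parent Category was already enforced
        sub = entry.get("subcategory")
        if sub in watched:
            key = (entry.get("category", "?"), sub)
            hits[key].add(entry.get("url", "?"))
    return {key: sorted(urls) for key, urls in hits.items()}


if __name__ == "__main__":
    report = allowed_by_subcategory(SAMPLE_LOG, {"Gambling"})
    for (category, sub), urls in report.items():
        print(f"{category} / {sub}: allowed, Custom Category candidates:")
        for url in urls:
            print(f"  {url}")
```
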

 

Conclusion:

  • Category = enforcement layer (used in policies).
  • Sub-Category = visibility layer (used in logs/reports only).
  • Actions in Web Filter profiles always map to Category, not Sub-Category.
  • For granular enforcement, administrators must use Custom Categories or complementary features like Application Control.