JNDias
Staff & Editor
Article Id 393732
Description

 

This article explains an issue where the Web Filter override fails when using Internet Service Database (ISDB) objects on FortiGate.

The issue occurs when a user attempts to access a website that is blocked by the Web Filter with an action set to Warning, Authenticate, or Override.

After the user completes the override action, the website does not load. Instead, the user is redirected to the override port (for example, port 8010) without accessing the intended destination.

 

Scope

 

FortiGate, WebFilter, ISDB.

 

Solution

 

Web Filter actions, such as warning, authentication, or override, are not fully supported when the destination is defined using an Internet Service Database (ISDB) object.

 

Example of an unsupported use case:
A Web Filter profile configured with the Warning action will not function as expected if the destination in the policy is an ISDB object.



 

 

To resolve this, remove the Internet Service Database (ISDB) object from the destination and use either 'all' or specific destination FQDNs or IP addresses.

If both Web Filter actions and ISDB-based destinations are required, a New Feature Request (NFR) should be submitted by contacting a Fortinet partner or the Fortinet Sales department.
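To find policies that combine the two settings described above, the following added example (not Fortinet code) scans a saved configuration for firewall policies that have an ISDB destination and a Web Filter profile with a warning or authenticate category action. It assumes a non-VDOM configuration and the CLI keys `internet-service`, `webfilter-profile` and the `ftgd-wf` filter `action`; verify these against the FortiOS version in use. Override settings are not inspected, and the sample input is constructed.

```python
import shlex

def parse_sets(text):
    # Walk config/edit ... next/end nesting; record (path, key, values) per 'set'.
    path, out = [], []
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end") and path:
            path.pop()
        elif tok[0] == "set" and len(tok) > 2:
            out.append((tuple(path), tok[1], tok[2:]))
    return out

def affected_policies(text):
    sets = parse_sets(text)
    # Profiles with a FortiGuard category filter set to warning or authenticate.
    prompting = {p[1] for p, k, v in sets if p[:1] == ("webfilter profile",) and
                 "ftgd-wf" in p and k == "action" and v[0] in ("warning", "authenticate")}
    # ISDB-destination policies (full paths), then those that also use such a profile.
    isdb = {p for p, k, v in sets if len(p) == 2 and p[0] == "firewall policy"
            and k == "internet-service" and v == ["enable"]}
    return sorted(p[1] for p, k, v in sets
                  if p in isdb and k == "webfilter-profile" and v[0] in prompting)

# Constructed sample config (not from the article); indentation is optional.
SAMPLE = """config webfilter profile
edit "wf-warn"
config ftgd-wf
config filters
edit 1
set action warning
next
end
end
next
end
config firewall policy
edit 10
set internet-service enable
set webfilter-profile "wf-warn"
next
edit 11
set dstaddr "all"
set webfilter-profile "wf-warn"
next
end"""
print(affected_policies(SAMPLE))
```

Policy 10 is reported because it pairs an ISDB destination with the warning profile; policy 11 uses the same profile with destination 'all' and is not.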


Possible workaround:

Alternatively, if the ISDB destination consists of only one object (for example, GitHub-GitHub, Internet Service ID: 3604638), a workaround can be implemented. However, this approach is not ideal and should be used with caution:

 

config firewall internet-service-extension
    edit 3604638
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 8010
                        set end-port 8020
                    next
                end
                set dst "all"
            next
        end
    next
end

 

Related articles:

Technical Tip: Internet Service Customization

Technical Tip: How to configure custom port and port ranges into the ISDB entries.

Technical Tip: Custom Internet Service Database (ISDB) entry creation on a FortiGate

Technical Tip: Verifying which Internet Service database type and version installed on FortiOS-based...
