FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nishtha_Baria
Article Id 273965

 

Description This article describes a scenario in which the web filter is unable to categorize URLs based on their FortiGuard category and rates them as 'unrated' instead.
Scope FortiGate.
Solution

Web Filter connectivity shows as up when verified from System -> FortiGuard -> Filtering.

fortiguradwebfilterup.PNG

When the following command is run, however, the Web Filter service reports as disabled:

 

diagnose debug rating

Locale       : english

 

Service     : Web-filter

Status      : Disable

 

Service     : Antispam

Status      : Disable

 

Service     : Virus Outbreak Prevention

Status      : Disable


In the debug output, the Web Filter service shows as disabled even though at least one firewall policy has both a Web Filter profile and an SSL/SSH Inspection profile applied.

A Web Filter profile with the desired FortiGuard categories set to Block, applied to a firewall policy together with SSL/SSH inspection (certificate inspection, deep inspection, or a custom inspection profile), should block URLs that fall under those categories. Certificate inspection is sufficient for category-based blocking of HTTPS sites because the hostname is taken from the SNI or server certificate; only URL path-based filtering requires deep inspection.

For example:

 

Firewall Policy:

firewallpolicy.PNG

 

Web Filter:

potentialblock.PNG

The website 'delta-search.com' falls under the category 'Potentially Unwanted Program', which is set to Block, yet it is still accessible, and the web filter log records its category as 'unrated'.

 

delatopen.PNG

 

fortiguradpotentiall.PNG

 

web filter log highlight.PNG

 

To confirm that FortiGate can reach FortiGuard, verify that it can resolve and ping the FortiGuard servers:

exec ping service.fortiguard.net

exec ping update.fortiguard.net

exec ping guard.fortinet.net

Note that ping only confirms name resolution and basic reachability. The rating queries themselves use the protocol and port configured under 'config system fortiguard', so a successful ping on its own does not prove that the rating service is usable.

 

The output for one of the servers looks like this:

 

exec ping service.fortiguard.net

PING guard.fortinet.net (208.184.237.61): 56 data bytes

64 bytes from 208.184.237.61: icmp_seq=0 ttl=56 time=61.6 ms

64 bytes from 208.184.237.61: icmp_seq=1 ttl=56 time=61.4 ms

64 bytes from 208.184.237.61: icmp_seq=2 ttl=56 time=61.4 ms

64 bytes from 208.184.237.61: icmp_seq=3 ttl=56 time=61.4 ms

64 bytes from 208.184.237.61: icmp_seq=4 ttl=56 time=61.4 ms

 

--- guard.fortinet.net ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 61.4/61.4/61.6 ms

If connectivity is in place and FortiGate still rates URLs as 'unrated' instead of their correct category, check the FortiGuard settings for the 'webfilter-force-off' option:

  • Enabling this option will turn off the FortiGuard web filtering service.
  • Disabling this option will allow the FortiGuard web filtering service to operate.

As seen in the 'diagnose debug rating' output, the Web Filter service is disabled, and the configuration below shows why: 'webfilter-force-off' is enabled.

 

config system fortiguard

sh full-configuration | grep off

    set antispam-force-off disable

    set outbreak-prevention-force-off disable

    set webfilter-force-off enable

Once 'webfilter-force-off' is disabled, URLs are again rated by their correct FortiGuard category instead of 'unrated'.

The command to disable it is:

 

config system fortiguard

    set webfilter-force-off disable

end
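As an added example (not part of this article or of Fortinet's own tooling), the following Python script parses captured text of 'diagnose debug rating' and of 'config system fortiguard' -> 'show full-configuration' and correlates each disabled rating service with its force-off setting, printing the remediation CLI only when the flag is the cause. The sample output embedded in it is constructed from the CLI output shown in this article; the mapping of service names to force-off settings and the function names are the example's own assumptions.

```python
"""Offline check for the FortiGuard 'webfilter-force-off' misconfiguration.

Paste in the captured text of 'diagnose debug rating' and of
'config system fortiguard' -> 'show full-configuration' and the script
reports which FortiGuard rating services are disabled and whether a
'*-force-off' setting explains it.
"""
import re

# Service names as printed by 'diagnose debug rating', mapped to the
# 'config system fortiguard' setting that forces that service off.
# Assumption of this example: the mapping is inferred from the setting names.
FORCE_OFF_SETTINGS = {
    "Web-filter": "webfilter-force-off",
    "Antispam": "antispam-force-off",
    "Virus Outbreak Prevention": "outbreak-prevention-force-off",
}

# Constructed sample input, copied from the CLI output shown in this article.
SAMPLE_RATING = """\
Locale       : english

Service     : Web-filter
Status      : Disable

Service     : Antispam
Status      : Disable

Service     : Virus Outbreak Prevention
Status      : Disable
"""

SAMPLE_CONFIG = """\
    set antispam-force-off disable
    set outbreak-prevention-force-off disable
    set webfilter-force-off enable
"""


def parse_debug_rating(text):
    """Return {service: status} from 'diagnose debug rating' output."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Service\s*:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Status\s*:\s*(\S+)", line)
        if m and current is not None:
            services[current] = m.group(1)
            current = None
    return services


def parse_fortiguard_config(text):
    """Return {name: value} for every 'set <name> <value>' line."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def diagnose(rating_text, config_text):
    """Correlate each disabled rating service with its force-off setting.

    Returns a list of (service, finding, remediation) tuples. remediation
    is the CLI to apply when the force-off flag is the cause, and None when
    the service is disabled for some other reason (license, connectivity),
    so the script never suggests a config change it cannot justify.
    """
    status = parse_debug_rating(rating_text)
    settings = parse_fortiguard_config(config_text)
    findings = []
    for service, setting in FORCE_OFF_SETTINGS.items():
        if status.get(service, "").lower() != "disable":
            continue
        if settings.get(setting) == "enable":
            fix = f"config system fortiguard\n    set {setting} disable\nend"
            findings.append((service, f"{setting} is enabled", fix))
        else:
            findings.append((service,
                             f"disabled, but {setting} is not the cause; "
                             "check the license and FortiGuard connectivity",
                             None))
    return findings


if __name__ == "__main__":
    for service, finding, fix in diagnose(SAMPLE_RATING, SAMPLE_CONFIG):
        print(f"{service}: {finding}")
        if fix:
            print(fix)
```

Run against the article's sample output, the script flags only Web-filter as fixable from the CLI and leaves Antispam and Virus Outbreak Prevention as "not the cause", which matches the page: those two have their force-off flags disabled, so their disabled status must come from licensing or connectivity rather than configuration.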

 

Output:

When browsing to 'delta-search.com', the FortiGate block page is now returned, which can also be verified from the web filter log:

 

webfilterblockpage.PNG

 

webfilterlogblock.PNG