Ted (Staff)
Article Id 215438
Description

This article describes why, when FortiGate cannot connect to FortiGuard, the Web Filter blocks a web page requested by a client even though the administrator has not configured a block for it in the Web Filter profile.

Scope

FortiGate.
Solution

To avoid blocking traffic on a rating error, enable the Rating Option 'Allow websites when a rating error occurs', and also make sure the FortiGuard servers are responding.

 

To check the connectivity with the FortiGuard server, refer to: Verifying connectivity to FortiGuard

 

CLI Command:

    config webfilter profile
        edit "<wf_profile>"
            config ftgd-wf
                set options error-allow
            end
        next
    end


From the GUI: go to Security Profiles -> Web Filter -> Edit the Web Filter Profile. Scroll down to the Rating Options and enable 'Allow websites when a rating error occurs'.

(Screenshot: Allowwebsites.png)

 

Web Filter Log:

 

  1. When the FDN is reachable:
  • Action: passthrough.
  • Message: URL belongs to the allowed category in the policy.

  2. Upon failure to connect to the FDN:
  • Action: blocked.
  • Error: All FortiGuard servers failed to respond.
  • Message: A rating error occurs.

  3. Upon failing to connect to the FDN, and after enabling the Allow websites option:
  • Action: passthrough.
  • Error: All FortiGuard servers failed to respond.
  • Message: A rating error occurs.
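The three log outcomes above are what an operator should be watching for: a rating error combined with action 'blocked' means the FortiGate lost FortiGuard connectivity and is failing closed because 'error-allow' is not set. The following script is an added example (not part of the original article or Fortinet's own tooling) that parses FortiGate-style key=value web filter log lines, classifies each line into one of the three outcomes described above (plus an ordinary policy block), and reports whether any fail-closed rating-error blocks occurred. The sample log lines are constructed for this example; the field names 'action', 'msg' and 'error' follow the entries listed above, and everything else in the lines is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log style (not real captures).
# Line 0: FDN reachable, normal allow.
# Line 1: FDN unreachable, error-allow NOT set -> fail closed.
# Line 2: FDN unreachable, error-allow set -> rating error but passthrough.
# Line 3: ordinary block by category policy (no rating error).
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="utm" subtype="webfilter" action="passthrough" '
    'msg="URL belongs to an allowed category in policy" url="https://example.com/"',
    'date=2024-01-01 time=10:05:02 type="utm" subtype="webfilter" action="blocked" '
    'error="All FortiGuard servers failed to respond" msg="A rating error occurs" url="https://example.org/"',
    'date=2024-01-01 time=10:06:03 type="utm" subtype="webfilter" action="passthrough" '
    'error="All FortiGuard servers failed to respond" msg="A rating error occurs" url="https://example.net/"',
    'date=2024-01-01 time=10:07:04 type="utm" subtype="webfilter" action="blocked" '
    'msg="URL belongs to a denied category in policy" url="https://example.com/bad"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(fields):
    """Map a parsed web filter entry onto one of the outcomes described in the article.

    fdn_ok                - normal passthrough, FortiGuard answered
    rating_error_blocked  - FortiGuard unreachable and error-allow not set (fail closed)
    rating_error_allowed  - FortiGuard unreachable but 'Allow websites when a rating error occurs' is on
    policy_block          - blocked by category policy, not a connectivity problem
    """
    is_rating_error = "rating error" in fields.get("msg", "").lower() or "error" in fields
    action = fields.get("action", "")
    if is_rating_error:
        return "rating_error_allowed" if action == "passthrough" else "rating_error_blocked"
    return "policy_block" if action == "blocked" else "fdn_ok"


def summarize(lines):
    """Count outcomes over all web filter lines; other subtypes are ignored."""
    counts = Counter(
        classify(parse_line(line)) for line in lines if 'subtype="webfilter"' in line
    )
    return dict(counts)


def needs_attention(lines):
    """True when users are being blocked purely because FortiGuard did not respond."""
    return summarize(lines).get("rating_error_blocked", 0) > 0


if __name__ == "__main__":
    for outcome, count in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{outcome:22s} {count}")
    if needs_attention(SAMPLE_LOGS):
        print("Rating-error blocks seen: check FortiGuard connectivity and the error-allow option.")
```

Feed it real lines from the web filter log (e.g. exported from the GUI log viewer) instead of SAMPLE_LOGS; a non-zero rating_error_blocked count is the signature of the behaviour this article explains, and rating_error_allowed entries show that 'error-allow' is doing its job while the connectivity problem is still unresolved.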

 

Note:

If the FortiGate NGFW Mode is set to 'Policy-based', the 'Allow websites when a rating error occurs' feature is not available in the GUI, and the 'config ftgd-wf -> set options error-allow' commands are not available in the CLI under 'config webfilter profile'.

This feature is only available when the FortiGate NGFW mode is set to 'Profile-based', because in 'Policy-based' NGFW mode URL categories can only be used directly in policies. To verify which NGFW mode the FortiGate is in, use the following CLI commands:

 

FGT_3 (root) # config system settings

FGT_3 (settings) # show full
    config system settings
        set comments ''
        set vdom-type traffic
        set opmode nat
        set ngfw-mode profile-based
        set http-external-dest fortiweb
        set firewall-session-dirty check-all
        set bfd disable

 

Or via the GUI: navigate to System -> Settings and look for the 'NGFW Mode' setting.

 

(Screenshot: NGFW_Policy-based.JPG)