| Description |
This article describes how, when FortiGate fails to connect to FortiGuard, the Web Filter blocks the web page requested by a client, even though no administrator has configured a block in the Web Filter profile. |
| Scope | FortiGate. |
| Solution |
Confirm that the website did not open because of a FortiGuard connection error. The event type in the security tab under forward traffic logs must be 'ftgd_err':
The FortiGate will generate the following traffic log for the blocked connection:
date=2025-09-23 time=22:57:54 eventtime=1758693473981849497 tz="-0700" logid="0318012800" type="utm" subtype="webfilter" eventtype="ftgd_err" level="error" vd="root" policyid=1 poluuid="1d2d97a6-23fd-51f0-e767-53626c96910b" policytype="policy" sessionid=199679 srcip=x.x.x.x srcport=65217 srccountry="Reserved" srcintf="port4" srcintfrole="undefined" srcuuid="a316a406-23e5-51f0-49ab-89c5b0494de7" dstip=y.y.y.y dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="a316a406-23e5-51f0-49ab-89c5b0494de7" proto=6 service="HTTPS" hostname="fortinet.com" profile="default" action="blocked" reqtype="direct" url="https://www.fortinet.com/" sentbyte=246 rcvdbyte=0 direction="outgoing" msg="A rating error occurs" error="all Fortiguard servers failed to respond"
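To run the same confirmation over an exported log file rather than one entry at a time, the following added example (not part of the original article or any Fortinet tooling) parses the key=value format of the log line above and counts blocks caused by rating errors per policy and profile. The sample lines are constructed for illustration: the first is abbreviated from the log above, the others are made up, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches key=value and key="quoted value" pairs, as in the log line above.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Split one FortiGate log line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def rating_error_blocks(lines):
    """Count web filter blocks caused by a FortiGuard rating error,
    keyed by (policyid, profile, error)."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        if (f.get("subtype") == "webfilter"
                and f.get("eventtype") == "ftgd_err"
                and f.get("action") == "blocked"):
            counts[(f.get("policyid"), f.get("profile"), f.get("error"))] += 1
    return counts


# Constructed sample input: two rating-error blocks and one ordinary
# category block (eventtype ftgd_blk) that must not be counted.
SAMPLE = [
    'date=2025-09-23 time=22:57:54 type="utm" subtype="webfilter" eventtype="ftgd_err" level="error" policyid=1 hostname="fortinet.com" profile="default" action="blocked" url="https://www.fortinet.com/" msg="A rating error occurs" error="all Fortiguard servers failed to respond"',
    'date=2025-09-23 time=22:58:10 type="utm" subtype="webfilter" eventtype="ftgd_err" level="error" policyid=1 hostname="example.com" profile="default" action="blocked" url="https://example.com/?a=b" msg="A rating error occurs" error="all Fortiguard servers failed to respond"',
    'date=2025-09-23 time=22:59:01 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" policyid=1 hostname="example.org" profile="default" action="blocked" url="https://example.org/" msg="URL belongs to a denied category in policy"',
]

if __name__ == "__main__":
    for (policyid, profile, error), n in rating_error_blocks(SAMPLE).items():
        print(f"policy {policyid} profile {profile}: {n} blocked ({error})")
```

A non-zero count for a profile means its blocks were produced by the rating-error behavior rather than by a category or URL filter rule.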
From the user side, a web page block message is prompted:
The connection was not allowed because the web filter is configured by default to 'block websites when a rating error occurs'. This can be changed with the following configuration:
CLI Command:
config webfilter profile
    edit "<wf_profile>"
        config ftgd-wf
            set options error-allow
        end
    next
end
For v7.4 and later versions, set the option 'Behavior when FortiGuard is unreachable' to 'Allow all websites'.
Web Filter Log:
Note: If the FortiGate NGFW Mode is set to 'Policy-based', the 'Allow websites when a rating error occurs' feature will not be available in the GUI, nor will the 'config ftgd-wf' and 'set options error-allow' commands be available in the CLI under 'config webfilter profile'.
This feature is only available if the FortiGate NGFW mode is set to 'Profile-based', as URL categories can only be used in policies in 'Policy-based' NGFW mode. To verify what NGFW mode the FortiGate is in, use the following CLI commands:
FGT_3 (root) # config system settings
FGT_3 (settings) # show full
To check via the GUI: navigate to System -> Settings and look for the 'NGFW Mode' setting.
Related articles: Technical Tip: URL filter to block top-level domain (TLD) names |
Copyright 2025 Fortinet, Inc. All Rights Reserved.