FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
princes
Article Id 405747
Description This article discusses FortiGate web filter with local category override and default FortiGuard category verdict check.
Scope FortiGate.
Solution

FortiGate fetches the category verdict for any URL from the FortiGuard servers. If FortiGuard category-based filters are used in a web filter profile, the action is taken based on that response.

The example below uses Yahoo.com.

Below is the web filter configuration:

[Screenshot: image_Web_filter_blockcategory.png]

URL filter debug can be used to identify the verdict and the category check:

diagnose ips debug enable urlfilter
diagnose debug enable
# [28687@2229]ips_ssl_prepare_urlfilter: sni(verified:1):'dns.google' sni_server_ip:0 cn:'dns.google'
[28687@2229]ips_detect_user_category: no vdom dbs of vdom:0
[28687@2229]urlf_query_fgd: id:35 sess:2229 action:0 error:0 src:2 host:dns.google url:/ rate_ip:0 ssl_exemption_query:0
[28687@2229]handle_fgd_answer: sess:2229, id:0, action:0, resume:0, error:0, ftgd_category:52, url_category:52, local_category:0, byip:0, log:0, time:0s
[28687@-1]ips_ssl_prepare_urlfilter: sni(verified:1):'s.yimg.com' sni_server_ip:0 cn:'*.fantasysports.yahoo.com'
[28687@-1]ips_detect_user_category: no vdom dbs of vdom:0
[28687@-1]urlf_query_fgd: id:36 sess:2230 action:0 error:0 src:2 host:s.yimg.com url:/ rate_ip:0 ssl_exemption_query:0
[28687@-1]handle_fgd_answer: sess:2230, id:0, action:1, resume:0, error:0, ftgd_category:41, url_category:41, local_category:0, byip:0, log:1, time:0s
[28687@-1]on_rating_done: sess 2230, rate 41, action 1
[28687@-1]ips_eng_log_webfilter: sess:307844136 type:10 action:1 host:s.yimg.com source:2 url:/
[28687@2231]ips_ssl_prepare_urlfilter: sni(verified:1):'geo.yahoo.com' sni_server_ip:0 cn:'yahoo.com'
[28687@2231]ips_detect_user_category: no vdom dbs of vdom:0
[28687@2231]urlf_query_fgd: id:37 sess:2231 action:2 error:0 src:2 host:geo.yahoo.com url:/ rate_ip:0 ssl_exemption_query:0
[28687@2231]ips_urlf_add_query: id:37, queue:1, ssl_exemption: 0
[28687@2231]urlf_query_fgd: session:2231 suspended, query id:37
[28687@-1]urlf_on_timeout: pruned 0
[28687@-1]handle_fgd_answer: sess:2231, id:37, action:0, resume:1, error:0, ftgd_category:52, url_category:52, local_category:0, byip:0, log:0, time:0s
[28687@-1]on_rating_done: sess 2231, rate 52, action 0
[28687@-1]ips_urlf_del_query: id:37, queue:0
[28687@2232]ips_ssl_prepare_urlfilter: sni(verified:1):'yahoo.com' sni_server_ip:0 cn:'yahoo.com'
[28687@2232]ips_detect_user_category: no vdom dbs of vdom:0
[28687@2232]urlf_query_fgd: id:38 sess:2232 action:0 error:0 src:2 host:yahoo.com url:/ rate_ip:0 ssl_exemption_query:0
[28687@2232]handle_fgd_answer: sess:2232, id:0, action:1, resume:0, error:0, ftgd_category:41, url_category:41, local_category:0, byip:0, log:1, time:0s
[28687@2232]on_rating_done: sess 2232, rate 41, action 1
[28687@2232]ips_eng_log_webfilter: sess:307844345 type:10 action:1 host:yahoo.com source:2 url:/
[28687@2232]ips_set_pkt_urlf_verdict: action=DROP

 

# get webfilter categories | grep 41
41 Search Engines and Portals

In the above debug, the category information for Yahoo.com is returned by the FortiGuard servers and the IPS engine takes the action accordingly.

Below is the web filter override configuration and the URL filter debug to understand the flow:

[Screenshot: Override_yahoo.png]

diagnose ips debug enable urlfilter
diagnose debug enable

[28687@-1]ips_ssl_prepare_urlfilter: sni(verified:1):'yahoo.com' sni_server_ip:0 cn:'yahoo.com'
[28687@-1]match_user_category_vdom: Lookup db:0x7f83c82f70c0 cate:140 in vd:0
[28687@-1]match_user_category_vdom: 'yahoo.com' matched ucate:140 in vd:0
[28687@-1]handle_fgd_answer: sess:4092, id:0, action:1, resume:0, error:0, ftgd_category:0, url_category:140, local_category:140, byip:0, log:1, time:0s
[28687@-1]on_rating_done: sess 4092, rate 140, action 1

 

To check what category 140 is, use the following:

get webfilter categories | grep 140
140 custom1     <----- This is a local custom category.

In the above debug, ftgd_category is reported as 0 and the request was blocked by local_category, that is, by the custom category of the web rating override.
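As an added example (not part of this article and not a Fortinet tool), the following Python parses the handle_fgd_answer lines from both debug traces above and reports, per session, whether the verdict came from FortiGuard or from the local override category. The sample lines are copied from the traces on this page; the source labels ("fortiguard", "local-override", "rating-error") are this example's own names.

```python
import re

# Constructed sample: handle_fgd_answer lines copied from the two debug traces
# in this article (a FortiGuard allow, a FortiGuard block, a local override block),
# plus one unrelated line to show that other debug output is skipped.
SAMPLE_DEBUG = """\
[28687@2229]handle_fgd_answer: sess:2229, id:0, action:0, resume:0, error:0, ftgd_category:52, url_category:52, local_category:0, byip:0, log:0, time:0s
[28687@2232]on_rating_done: sess 2232, rate 41, action 1
[28687@2232]handle_fgd_answer: sess:2232, id:0, action:1, resume:0, error:0, ftgd_category:41, url_category:41, local_category:0, byip:0, log:1, time:0s
[28687@-1]handle_fgd_answer: sess:4092, id:0, action:1, resume:0, error:0, ftgd_category:0, url_category:140, local_category:140, byip:0, log:1, time:0s
"""

_ANSWER_RE = re.compile(r"\[\d+@-?\d+\]handle_fgd_answer: (?P<fields>.+)$")

def parse_fgd_answer(line):
    """Parse one handle_fgd_answer line into a dict; return None for any other line."""
    m = _ANSWER_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(","):
        key, _, value = item.strip().partition(":")
        value = value.rstrip("s")  # "time:0s" -> "0"
        fields[key] = int(value) if value.lstrip("-").isdigit() else value
    return fields

def verdict_source(fields):
    """Which lookup decided the verdict. As the traces above show, a non-zero
    local_category means a web rating override (local category) matched and
    ftgd_category is reported as 0; otherwise the FortiGuard category applied.
    The three labels are this example's own names, not FortiOS terms."""
    if fields["local_category"]:
        return "local-override"
    if fields["error"]:
        return "rating-error"  # FortiGuard lookup failed, no category verdict
    return "fortiguard"

def summarize(debug_text):
    """Reduce a urlfilter debug capture to (session, category, action, source) rows."""
    rows = []
    for line in debug_text.splitlines():
        f = parse_fgd_answer(line)
        if f is not None:
            rows.append((f["sess"], f["url_category"], f["action"], verdict_source(f)))
    return rows

if __name__ == "__main__":
    for sess, cat, action, source in summarize(SAMPLE_DEBUG):
        print(f"sess={sess} category={cat} action={action} decided_by={source}")
```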

A category override block works even if FortiGuard returns rating errors.

Check whether the entry was fetched from the web filter cache using the following:

diagnose webfilter fortiguard cache dump <----- Search for the mentioned URL in this output.

Note:
A static URL filter can also be used to exempt a specific website that belongs to a category blocked by the FortiGuard category-based filters. Refer to the following article: Technical Tip: Using a static URL filter feature to allow/block web sites.

Related articles:

Technical Tip: How to configure Web Rating Overrides for specific web sites using the FortiGate

Troubleshooting Tip: Verify the webfilter cache content

Configuring the category override rule - FortiGate 7.6.3 administration guide