FortiGate
jbindra
Staff
Article Id 329188
Description

This article describes the steps to take if web filtering is not functioning properly.

Scope

FortiGate.
Solution

The web filtering feature is a tool to control and monitor internet usage, ensuring that users adhere to organizational policies by preventing access to unwanted or harmful content. If web filtering is not functioning as expected, a likely cause is a mismatch between the inspection mode of the firewall policy and the mode of the web filtering profile. Follow the steps in this article to troubleshoot and resolve this issue.

 

FortiOS supports two primary web filtering modes:

  1. Proxy-Based Mode: In this mode, web traffic is inspected by redirecting it through the Fortinet device. This allows for detailed analysis and filtering based on the URL or content of the web page.
  2. Flow-Based Mode: Also known as flow-based inspection, this mode examines traffic without proxying it. It is typically faster and less resource-intensive but may have limited capabilities compared to proxy-based inspection.

 

If web filtering is not working as intended, it is crucial to verify that both the firewall policy and web filtering profile are configured to operate in the same mode. A mismatch between these modes can lead to ineffective filtering and security gaps.

To verify, first check the Firewall policy in which the Web filtering profile is being used. To do this, navigate to Policy & Objects -> Firewall policy -> Open the intended policy -> Check the inspection mode.

 

To configure in the CLI:

 

config firewall policy
    edit "1"
        set name "LAN_WAN"
        set inspection-mode flow
        set webfilter-profile "default"
    next
end

 


 

Next, check the web filtering profile that is used in the same firewall policy: navigate to Security Profiles -> Web Filter -> Edit the profile used in the firewall policy.

 


 

To configure on the CLI:

 

config webfilter profile
    edit "default"
        set feature-set flow
    next
end

 

Note:

As of v7.2.4, the default inspection mode for Firewall policy and Web filter is set to flow.
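
To run this check across every policy at once, the following added example (Python, not Fortinet code and not part of the original article) parses a configuration backup and lists each firewall policy whose inspection-mode differs from the feature-set of the web filter profile it references. It assumes that a setting absent from the backup is at its default of flow, per the note above; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sample in the style of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = '''
config webfilter profile
    edit "default"
        set feature-set proxy
        config ftgd-wf
            set options error-allow
        end
    next
    edit "guest-wf"
    next
end
config firewall policy
    edit 1
        set inspection-mode flow
        set webfilter-profile "default"
    next
    edit 2
        set webfilter-profile "guest-wf"
    next
end
'''

def parse_table(text, table):
    """Return {entry: {setting: value}} for one top-level 'config <table>' block."""
    entries, current, inside, depth = {}, None, False, 0
    for line in map(str.strip, text.splitlines()):
        if not inside:
            inside = line == f"config {table}"
        elif depth or line.startswith("config "):  # nested block, e.g. "config ftgd-wf"
            depth += line.startswith("config ") - (line == "end")
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return entries

def find_mode_mismatches(text, default="flow"):
    """Return (policy_id, policy_mode, profile, profile_mode) for each mode mismatch."""
    profiles = parse_table(text, "webfilter profile")
    findings = []
    for pid, pol in parse_table(text, "firewall policy").items():
        wf = pol.get("webfilter-profile")
        p_mode = pol.get("inspection-mode", default)  # assumed default: flow
        w_mode = profiles.get(wf, {}).get("feature-set", default)
        if wf and p_mode != w_mode:
            findings.append((pid, p_mode, wf, w_mode))
    return findings
```

Calling find_mode_mismatches(SAMPLE_CONFIG) reports policy 1 (flow) against profile "default" (proxy); policy 2 and "guest-wf" both fall back to flow and are not reported.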

 

Once verified, refer to the article "Troubleshooting Tip: FortiGuard Web Filtering problems" for more in-depth investigation.

Related document:

Configuring a web filter profile