jbindra
Staff
Article Id 329188
Description

This article describes what to check if web filtering is not working properly.

Scope

FortiGate.
Solution

The web filtering feature is a tool to control and monitor internet usage, ensuring that users adhere to organizational policies by preventing access to unwanted or harmful content. However, if web filtering is not functioning as expected, it is likely due to misconfigurations between the firewall policy and the web filtering profile modes. Follow the steps in this article to troubleshoot and resolve this issue.

FortiOS supports two primary web filtering modes:

  1. Proxy-Based Mode: In this mode, web traffic is inspected by redirecting it through the Fortinet device. This allows for detailed analysis and filtering based on the URL or content of the web page.
  2. Flow-Based Mode: Also known as flow-based inspection, this mode examines traffic without proxying it. It is typically faster and less resource-intensive but may have limited capabilities compared to proxy-based inspection.

If web filtering is not working as intended, it is crucial to verify that both the firewall policy and web filtering profile are configured to operate in the same mode. A mismatch between these modes can lead to ineffective filtering and security gaps.

To verify, first check the firewall policy in which the web filter profile is used. Navigate to Policy & Objects -> Firewall policy, open the intended policy, and check the inspection mode.

To configure in the CLI:

config firewall policy
    edit "1"
        set name "LAN_WAN"
        set inspection-mode flow
        set webfilter-profile "default"
end

Next, check the web filter profile that the same firewall policy uses: navigate to Security Profiles -> Web Filter and edit the profile referenced in the firewall policy.

To configure in the CLI:

config webfilter profile
    edit "default"
        set feature-set flow
end

Note:

As of v7.2.4, the default inspection mode for Firewall policy and Web filter is set to flow.
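
The comparison described above can be run across every policy in a configuration backup at once. The following Python script is an added example, not Fortinet code: it reads the "config webfilter profile" and "config firewall policy" tables and lists each policy whose inspection-mode differs from the feature-set of the web filter profile it references. The sample configuration is constructed, the function names are hypothetical, and a setting that is absent from the file is assumed to be flow, following the default noted above.

```python
# Constructed sample backup excerpt (not from a real device).
SAMPLE_CONFIG = """
config webfilter profile
    edit "default"
    next
    edit "strict"
        set feature-set proxy
    next
end
config firewall policy
    edit 1
        set inspection-mode proxy
        set webfilter-profile "default"
    next
    edit 2
        set webfilter-profile "strict"
    next
    edit 3
        set webfilter-profile "default"
    next
end
"""

def parse_tables(text):
    """Return {table: {entry: {setting: value}}} for top-level config tables."""
    tables, depth, table, entry = {}, 0, {}, None
    for line in text.splitlines():
        kw, _, rest = line.strip().partition(" ")
        if kw in ("config", "end"):
            depth += 1 if kw == "config" else -1   # track nesting so sub-tables are skipped
            if kw == "config" and depth == 1:
                table, entry = tables.setdefault(rest.strip(), {}), None
        elif depth == 1 and kw == "edit":
            entry = table.setdefault(rest.strip().strip('"'), {})
        elif depth == 1 and kw == "set" and entry is not None:
            key, _, val = rest.strip().partition(" ")
            entry[key] = val.strip().strip('"')
    return tables

def find_mismatches(text, default="flow"):  # assumption: unset mode means flow
    """Return (policy_id, policy_mode, profile, profile_mode) per mismatch."""
    tables, hits = parse_tables(text), []
    profiles = tables.get("webfilter profile", {})
    for pid, pol in tables.get("firewall policy", {}).items():
        prof = pol.get("webfilter-profile")
        p_mode = pol.get("inspection-mode", default)
        f_mode = profiles.get(prof, {}).get("feature-set", default)
        if prof and p_mode != f_mode:
            hits.append((pid, p_mode, prof, f_mode))
    return hits
```

On the constructed sample, find_mismatches(SAMPLE_CONFIG) reports policies 1 and 2 and leaves policy 3 alone, because both of its settings fall back to the assumed default.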

 

Related document:

Configuring a web filter profile