FortiGate
FTNT_FortiJan
Article Id 375366
Description
This article describes how to handle situations where a Web Filter profile with enabled FortiGuard categories shows different FortiGuard category names than the Web Filter Lookup tool at https://www.fortiguard.com.

Scope
FortiOS v7.0+ with Web Filter profile.
Solution

When a Web Filter is configured with FortiGuard categories, FortiGate will send a request to the FortiGuard server for URL ratings. As a response from the FortiGuard server, FortiGate should receive the category name for a requested URL.

 

For HTTPS traffic, it is important to note that if the Server Certificate CN (Common Name) does not match the Client Hello SNI request (Server Name Indication), the URL rating request will be sent based on the Server Certificate CN.


[Image: Incorrect WebFilter FortiGuard category]


The following is an example of a URL Filter debug output where the Server Certificate CN (localhost.localdomain) does not match the URL from the Client Hello SNI request (mydomain.example.com).

 

diagnose ips debug enable urlfilter
diagnose debug enable

[5174@837]ips_eng_log_ssl: ssl log host mydomain.example.com, CN localhost.localdomain, type 12
[5174@837]ips_detect_user_category: no vdom dbs of vdom:0
[5174@837]urlf_query_fgd: id:1652 sess:837 action:0 error:0 src:1 host:localhost.localdomain url:/ rate_ip:0 ssl_exemption_query:0
[5174@837]handle_fgd_answer: sess:837, id:0, action:6, resume:0, error:0, ftgd_category:0, url_category:0, local_category:0, byip:0, log:1, time:0s

 

To disable debugs:

 

diagnose debug disable

 

get webfilter categories
   ...
   g21 Unrated
       0 Unrated

 

In the example above, the URL rating request contains the host 'localhost.localdomain', which is rated by the FortiGuard server with the category name Unrated (ID 0).
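To make the behaviour above easy to spot in a longer capture, the following Python script is an added example (not Fortinet's code and not part of this article) that parses the three urlfilter debug lines shown above, ties them together by session ID, and flags every session where the certificate CN differs from the Client Hello SNI and where the rating request was therefore built from the CN. The sample debug text is constructed: session 837 reproduces the lines from this article, and session 900 (hostname www.example.com, category ID 52) is made up as a non-mismatching contrast; only category ID 0 (Unrated) is taken from the page, so other IDs must be resolved with get webfilter categories on the unit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "diagnose ips debug enable urlfilter" output. Session 837
# copies the lines from the article; session 900 is made up for contrast.
SAMPLE_DEBUG = """\
[5174@837]ips_eng_log_ssl: ssl log host mydomain.example.com, CN localhost.localdomain, type 12
[5174@837]ips_detect_user_category: no vdom dbs of vdom:0
[5174@837]urlf_query_fgd: id:1652 sess:837 action:0 error:0 src:1 host:localhost.localdomain url:/ rate_ip:0 ssl_exemption_query:0
[5174@837]handle_fgd_answer: sess:837, id:0, action:6, resume:0, error:0, ftgd_category:0, url_category:0, local_category:0, byip:0, log:1, time:0s
[5174@900]ips_eng_log_ssl: ssl log host www.example.com, CN www.example.com, type 12
[5174@900]urlf_query_fgd: id:1653 sess:900 action:0 error:0 src:1 host:www.example.com url:/ rate_ip:0 ssl_exemption_query:0
[5174@900]handle_fgd_answer: sess:900, id:0, action:6, resume:0, error:0, ftgd_category:52, url_category:52, local_category:0, byip:0, log:1, time:0s
"""

# The "[pid@sess]" prefix carries the session id that ties the three lines together.
SSL_LOG_RE = re.compile(
    r"\[\d+@(?P<sess>\d+)\]ips_eng_log_ssl: ssl log host (?P<sni>\S+), CN (?P<cn>\S+), type \d+"
)
QUERY_RE = re.compile(
    r"\[\d+@(?P<sess>\d+)\]urlf_query_fgd: .*\bhost:(?P<host>\S+) url:(?P<url>\S+)"
)
ANSWER_RE = re.compile(
    r"\[\d+@(?P<sess>\d+)\]handle_fgd_answer: .*\bftgd_category:(?P<cat>\d+)"
)

# Only category 0 is documented on this page ("g21 Unrated / 0 Unrated").
KNOWN_CATEGORIES = {0: "Unrated"}


@dataclass
class RatingSession:
    sess: str
    sni: Optional[str] = None         # host from the Client Hello SNI
    cn: Optional[str] = None          # Common Name from the server certificate
    rated_host: Optional[str] = None  # host actually sent to FortiGuard
    url: Optional[str] = None
    category: Optional[int] = None    # ftgd_category from the FortiGuard answer

    @property
    def cn_mismatch(self) -> bool:
        """True when the certificate CN differs from the SNI the client asked for."""
        return self.sni is not None and self.cn is not None and self.sni != self.cn

    @property
    def rated_by_cn(self) -> bool:
        """True when FortiGate built the rating request from the CN, not the SNI."""
        return self.rated_host is not None and self.rated_host == self.cn


def parse_sessions(debug_text: str) -> Dict[str, RatingSession]:
    """Group the ssl-log, query and answer lines of the debug output by session id."""
    sessions: Dict[str, RatingSession] = {}
    for line in debug_text.splitlines():
        for pattern in (SSL_LOG_RE, QUERY_RE, ANSWER_RE):
            m = pattern.match(line)
            if not m:
                continue
            s = sessions.setdefault(m["sess"], RatingSession(sess=m["sess"]))
            if pattern is SSL_LOG_RE:
                s.sni, s.cn = m["sni"], m["cn"]
            elif pattern is QUERY_RE:
                s.rated_host, s.url = m["host"], m["url"]
            else:
                s.category = int(m["cat"])
            break
    return sessions


def find_cn_mismatches(sessions: Dict[str, RatingSession]) -> List[RatingSession]:
    """Sessions whose rating request may carry the wrong hostname."""
    return [s for s in sessions.values() if s.cn_mismatch]


def explain(s: RatingSession) -> str:
    name = KNOWN_CATEGORIES.get(s.category, f"id {s.category}")
    return (f"session {s.sess}: client asked for {s.sni}, certificate CN is {s.cn}; "
            f"FortiGuard was queried for {s.rated_host} and answered category "
            f"{s.category} ({name})")


if __name__ == "__main__":
    for s in find_cn_mismatches(parse_sessions(SAMPLE_DEBUG)):
        print(explain(s))
```

Run against a saved debug capture, the script prints one line per mismatching session, which is enough to explain why the category shown in the Web Filter log differs from a lookup of the SNI hostname on fortiguard.com: the rating was requested for the certificate CN instead.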

 

Note: Web Filter in Flow-based Inspection mode is handled by the IPSengine while Proxy-based Inspection mode is handled by the urlfilter daemon.

 

When checking the URL Rating Cache below, the same category ID may be observed for both the URL and IP address.

 

diagnose webfilter fortiguard cache dump
Caution: This command is for diagnostic purposes ONLY. The bigger the cache size is set, the more impact on performance the command has.
Do you want to continue? (y/n)y


Saving to file [/tmp/urcCache.txt]

Cache Contents:
-=-=-=-=-=-=-=-
Cache Mode: TTL
Cache DB Ver: 234.16663

Rating DB Ver DOT SLASH T URL
00000000|00000000 234.16662 -1 -1 E Chttps://109.233.24.62/ 
00000000|00000000 234.16662 -1 -1 E Chttps://localhost.localdomain/ 

 

To resolve this issue, it may be necessary to review the server certificate settings on the server side so that the certificate CN matches the hostname requested in the Client Hello SNI.