This article describes how to resolve the issues with 'web filter block override' and 'invalid FortiGuard filtering override request'.
Scope
FortiGate.
Solution
Configure the FortiGate to use local/custom categories and/or to use FortiGuard categories.
The FortiGate uses some ports to communicate with FortiGuard to validate/verify each category.
Sometimes, the Internet browser shows a message such as 'Web filter block override' or 'invalid FortiGuard filtering override request'.
This message is shown because the website is using a port that is configured in the FortiGate to connect with FortiGuard only for 'web rating override'.
These ports are as follows:
- Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
- Port 8010 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
- Port 8015 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs in flow mode (FortiGuard web filter HTTPS override authentication).
- Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.
The ports used can be found with the command:
get webfilter fortiguard | grep 'ovrd\|close'
These ports are not shown in the Local In policy in the FortiGate GUI or CLI. Check for them with:
diagnose sys tcpsock | grep '8008\|8010\|8015\|8020'
The solution, in these cases, is to disable these ports or to change them.
When changing the ports, configure at least one port that is not used by the FortiGate (example: change 8008 to 9008, 8010 to 9010, or 8020 to 8030).
Example to disable the ports:
config webfilter fortiguard
set close-ports enable
end
Example to change the ports:
config webfilter fortiguard
set ovrd-auth-port-http 8008
set ovrd-auth-port-https 8010
set ovrd-auth-port-https-flow 8015
set ovrd-auth-port-warning 8020
end
Change to:
config webfilter fortiguard
set ovrd-auth-port-http 9008
set ovrd-auth-port-https 9010
set ovrd-auth-port-https-flow 9015
set ovrd-auth-port-warning 9020
end
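Before changing the ports, it helps to confirm that the affected sites really use one of the override ports. The following script is an added example, not part of the original article or of FortiOS: it parses the output of the 'get webfilter fortiguard' command shown above and flags the URLs whose port matches an override port. The sample output layout, the URLs, and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `get webfilter fortiguard | grep 'ovrd\|close'` output;
# the "name : value" layout is an assumption.
SAMPLE_CLI_OUTPUT = """\
ovrd-auth-port-http : 8008
ovrd-auth-port-https: 8010
ovrd-auth-port-https-flow: 8015
ovrd-auth-port-warning: 8020
close-ports         : disable
"""
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_override_settings(cli_output):
    """Return ({setting name: port}, close_ports_enabled) from the CLI output."""
    ports, closed = {}, False
    for line in cli_output.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(\S+)\s*$", line)
        if not m:
            continue
        name, value = m.groups()
        if name.startswith("ovrd-auth-port-") and value.isdigit():
            ports[name] = int(value)
        elif name == "close-ports":
            closed = value == "enable"
    return ports, closed


def find_collisions(urls, cli_output):
    """List (url, port, setting) for URLs whose port is an override port."""
    ports, closed = parse_override_settings(cli_output)
    if closed:  # override ports disabled with close-ports: nothing to collide
        return []
    by_port = {port: name for name, port in ports.items()}
    hits = []
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if port in by_port:
            hits.append((url, port, by_port[port]))
    return hits


if __name__ == "__main__":
    # Constructed URLs standing in for sites users reported as blocked.
    reported = ["http://intranet.example:8008/app", "https://cam.example:8015/"]
    for url, port, setting in find_collisions(reported, SAMPLE_CLI_OUTPUT):
        print(f"{url}: port {port} collides with {setting}")
```

Each reported collision names the setting to move to an unused port, as in the change example above.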
Related articles
Technical Tip: Webfilter Override for FortiOS 4.0 MR3 and later - INTERNAL.
Technical Tip: How to create local custom override categories in FortiOS.