FortiGate
nevan
Staff
Article Id 377628
Description This article describes why a category-based FortiGuard web filter can be bypassed when an application control profile is applied in the same firewall policy: instead of the action set by the web filter, the traffic can follow the action of the application control profile. It also provides a workaround to mitigate the scenario.
Scope FortiOS.
Solution

A web filter and an application control profile can be set in the same firewall policy for general-purpose, regular use. Harmful site categories such as hacking, weapons, drugs, etc. can be blocked with a FortiGuard category-based web filter.

[Image: sec profile.png]

In some scenarios, the web filter can be bypassed when application control is also enabled: application control matches a content signature while the web content is still loading, and because the application control profile rates that signature as not high risk, the traffic is passed. In this scenario, the following entry can be seen in the traffic log.


Feb 11 07:27:06 10.147.88.126 date=2025-05-16 time=07:43:06 devname="test-fgt-lab" devid="FG60FTK26735555" eventtime=17392552259370751238 tz="+0100" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="VDOM4" appid=56688 user="user1" group="test-group" authserver="test-server" srcip=10.125.2.144 srccountry="Reserved" dstip=104.22.71.139 dstcountry="United States" srcport=58361 dstport=443 srcintf="VLAN4" srcintfrole="lan" dstintf="port1" dstintfrole="undefined" proto=6 service="SSL" direction="incoming" policyid=516 poluuid="c086f25a-7566-51ed-a7b9-a3487h3434k7" policytype="policy" sessionid=1563611290 applist="g-default" action="pass" appcat="Network.Service" app="SSL_TLSv1.3.PQC" hostname="weapon.net" incidentserialno=410187691 url="/" msg="Network.Service: SSL_TLSv1.3.PQC" apprisk="medium" scertcname="weapon.net"

Here the application control profile identified the traffic as the Network.Service category and allowed it (action="pass") after matching the application control signature, which is the expected behavior for that profile. To avoid this scenario, apply one of the following workarounds.

  • Use proxy-based inspection mode in the firewall policy together with deep inspection.
  • Block the corresponding signature in the application control profile.
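The two workarounds as FortiOS CLI, written as an added example rather than taken from this article. It reuses policy ID 516, application list "g-default" and appid 56688 (SSL_TLSv1.3.PQC) from the log entry above; the web filter profile name "default" and the entry ID 1 are assumptions and should be adjusted to the unit's own configuration.

```text
# Workaround 1: switch the policy to proxy-based inspection with deep
# inspection, so the web filter verdict is enforced before content is served.
config firewall policy
    edit 516
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
        set application-list "g-default"
    next
end

# Workaround 2: block the matched signature in the application control
# profile. Entries are evaluated top-down, so this entry must sit above any
# broader entry (for example the catch-all "All" entry) that passes it.
config application list
    edit "g-default"
        config entries
            edit 1
                set application 56688
                set action block
            next
        end
    next
end
```

Note that workaround 2 blocks every session matching that signature, not only the site the web filter was meant to block, so verify the impact on legitimate traffic before applying it; after either change, the traffic log for the same host should show a web filter block instead of an app-ctrl pass.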


Related documents:
Blocking applications with custom signatures
Technical Tip: How to check Application Control category of an application