FortiGate
tpatel
Staff
Article Id 391554
Description This article describes why URLs that are fetched from the FortiGuard category threat feed do not match Remote Categories in the web filter when the policy is in flow-based mode after upgrading to FortiOS 7.2.11 or 7.4.7.
Scope FortiGate.
Solution

Configuration:

To configure the FortiGuard category threat feed, refer to FortiGuard category threat feed - FortiGate 7.4.4 administration guide.
In the example provided, the FortiGuard category threat feed is configured on FortiGate, and the websites are fetched through external resources.

 


 

Go to Security Profiles -> Web Filter -> select the web filter profile.

 


 

CLI Configuration:

 

config webfilter profile
    edit "test"
        config ftgd-wf
            unset options
            config filters
                edit 36
                    set category 192 <----- Remote categories are set to allow.
                    set log disable
                next
                edit 35
                    set category 52  <----- Information technology category is set to block.
                    set action block
                next
            end
        end
    next
end

The action for Remote Categories is set to Allow in the web filter, so websites that are fetched from external resources will be allowed by the web filter.
The action for the Information Technology category is set to Block under the FortiGuard category-based filter.

 

Assign a web filter profile in a firewall policy.

 

As the patchmypc.com URL is fetched through the FortiGuard category threat feed, and the action for Remote Categories is Allow, the traffic should be allowed. However, traffic for patchmypc.com still matches the Information Technology category under the FortiGuard category-based filter, whose action is Block, so the traffic is blocked.

 

Webfilter logs:

 

date=2025-05-10 time=02:24:36 eventtime=1744208676286770668 tz="+1200" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="c43c2c84-13d5-51f0-876e-418aba198e1f" policytype="policy" sessionid=433 srcip=192.168.12.2 srcport=53802 srccountry="Reserved" srcintf="port3" srcintfrole="undefined" srcuuid="6c5e1e50-13b2-51f0-7678-6b6fcef136c5" dstip=172.67.7.92 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="6c5e1e50-13b2-51f0-7678-6b6fcef136c5" proto=6 service="HTTPS" hostname="patchmypc.com" profile="test" action="blocked" reqtype="direct" url="https://patchmypc.com/" sentbyte=1755 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=52 catdesc="Information Technology"
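To see which feed entries are affected, the check below scans web filter logs for hosts that are on the threat feed but were rated under a category other than the remote category (192 in the profile above). It is an added example, not Fortinet code: the function names, feed entries and log lines are constructed, and it compares exact hostnames only.

```python
import re
from urllib.parse import urlsplit

REMOTE_CAT = "192"  # remote category ID from the web filter profile on this page
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # key=value or key="quoted value"

def parse_log(line):
    """Split one FortiGate key=value log line into a dict of strings."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}

def feed_hosts(entries):
    """Hostnames from feed entries, whether or not they carry a scheme."""
    hosts = set()
    for entry in entries:
        entry = entry.strip().lower()
        if entry:
            # urlsplit only finds a host after "//", so prefix bare entries
            host = urlsplit(entry if "://" in entry else "//" + entry).hostname
            if host:
                hosts.add(host)
    return hosts

def misrated_events(log_lines, feed_entries):
    """Web filter events for feed hosts that were rated by some other category."""
    hosts = feed_hosts(feed_entries)
    hits = []
    for line in log_lines:
        ev = parse_log(line)
        if (ev.get("subtype") == "webfilter"
                and ev.get("hostname", "").lower() in hosts
                and ev.get("cat") != REMOTE_CAT):
            hits.append((ev["hostname"], ev.get("action"), ev.get("cat"), ev.get("catdesc")))
    return hits

# Constructed sample data: a feed with one bare entry and one entry with a scheme,
# and shortened log lines using only fields that appear in the log on this page.
SAMPLE_FEED = ["patchmypc.com", "https://feed-ok.example/"]
SAMPLE_LOGS = [
    'type="utm" subtype="webfilter" eventtype="ftgd_blk" hostname="patchmypc.com" profile="test" action="blocked" cat=52 catdesc="Information Technology"',
    'type="utm" subtype="webfilter" eventtype="ftgd_blk" hostname="other.example" profile="test" action="blocked" cat=52 catdesc="Information Technology"',
    'type="utm" subtype="webfilter" hostname="feed-ok.example" profile="test" action="passthrough" cat=192',
]

if __name__ == "__main__":
    for hit in misrated_events(SAMPLE_LOGS, SAMPLE_FEED):
        print(hit)
```

Hosts reported here are feed entries that the FortiGuard category-based filter rated instead of Remote Categories, which is the symptom described in this article.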

 

Workaround:

  1. Change the web filter inspection mode to Proxy mode instead of Flow mode, and also change the firewall policy to Proxy mode.
  2. Another workaround is to use 'http://' or 'https://' in the URL; it will then match Remote Categories.
  3. It has been confirmed that this issue will be resolved in v7.4.8.
  4. Remote Categories are matching with the correct action in the web filter on v7.6.