Description
This article describes the scenario where the FortiGuard Web Filtering option "Rate URLs by domain and IP address" is enabled.
In this situation, the rating response from a FortiGuard Distribution Server (FDS) for a particular URL might differ from the rating of its IP address. This is very common with virtual hosting, where one IP address of one physical server hosts multiple services and URLs.
Therefore, if the IP address rating belongs to a blocked category, access to the URL will be blocked regardless of the rating of the URL.
Summary
How to check if a URL gets two different ratings, one for the IP address and one for the URL
FGT# diag test application urlfilter 3 (only works if the web filtering cache is enabled)
FGT # diagnose test application urlfilter 3
Saving to file [/tmp/urcCache.txt]
Cache Contents:
-=-=-=-=-=-=-=-
Cache Mode: TTL
Cache DB Ver: 93.4437
Domain |IP DB Ver T URL
29000000|34000000 93.4437 E http://www.mytestrating.fr/
34000000|34000000 13.28635 E http://www.fortinet.com/
FGT# config firewall profile
FGT# edit TEST
FGT# (TEST) get
ftgd-wf-enable :
g01 Potentially Liable:
1 Drug Abuse
2 Occult
3 Hacking
4 Illegal or Unethical
5 Racism and Hate
6 Violence
57 Marijuana
58 Folklore
[...]
g07 Business Oriented:
49 Business
50 Information and Computer Security
51 Government and Legal Organizations
52 Information Technology
53 Armed Forces
[...]
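An offline check of the cache dump above, added here as an example and not taken from Fortinet: it parses the saved output and reports URLs that are blocked only because of their IP address rating. It assumes the first byte of each hexadecimal Domain/IP field is the category number (0x34 = 52, Information Technology); the function names and the blocked set {52} are hypothetical.

```python
import re

# Constructed sample: the cache contents shown above, as saved from the CLI.
SAMPLE = """\
Domain |IP DB Ver T URL
29000000|34000000 93.4437 E http://www.mytestrating.fr/
34000000|34000000 13.28635 E http://www.fortinet.com/
"""

# One cache row: <domain rating>|<IP rating> <DB version> <type> <URL>
ROW = re.compile(r"^([0-9a-fA-F]{8})\|([0-9a-fA-F]{8})\s+(\S+)\s+(\S)\s+(\S+)$")


def category(field):
    """Assumption: the first byte of the 8-hex-digit field is the category ID."""
    return int(field[:2], 16)


def parse_cache(text):
    """Return one dict per cache row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dom, ip, _dbver, _type, url = m.groups()
            rows.append({"url": url, "domain_cat": category(dom), "ip_cat": category(ip)})
    return rows


def audit(rows, blocked):
    """Classify each URL against a set of blocked category IDs."""
    findings = []
    for r in rows:
        d, i = r["domain_cat"], r["ip_cat"]
        if d in blocked:
            verdict = "blocked by URL rating"
        elif i in blocked:
            verdict = "blocked by IP rating only"   # the case this article describes
        elif d != i:
            verdict = "ratings differ, allowed"
        else:
            verdict = "allowed"
        findings.append((r["url"], d, i, verdict))
    return findings


if __name__ == "__main__":
    # Hypothetical profile that blocks category 52 (Information Technology).
    for url, d, i, verdict in audit(parse_cache(SAMPLE), blocked={52}):
        print(f"{url}  domain={d} ip={i}  {verdict}")
```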
How to make a live verification of rating response
FGT# diag debug enable
FGT# diag debug application urlfilter -1 (to stop it: diag debug application urlfilter 0)
Solution
If the rating for an IP address blocks access to a site, the solution is to disable “Rate URLs by domain and IP address”.
Related Articles
Rate site by URL and IP address
FortiGuard Web Filtering Override Guide; configuration examples