vrajendran
Staff
Article Id 191998

Description

 
This article describes an error that may occur when FortiGate tries to rate a website using the web filtering service, which results in the user seeing a 'Web Page Blocked' message when accessing the internet.
 
'An error occurred while trying to rate the website using the webfiltering in FortiGate' indicates that the FortiGate firewall is unable to determine the category of a website using the FortiGuard web filtering service. This can lead to the website being blocked, even if it is not inherently malicious.

This may be caused by:
  • An issue with the rating function of the FortiGuard Web Filtering feature.
  • The expiration of the Web Filtering license.
  • Inability to reach the FortiGuard server for web filtering rating.

 

To confirm FortiGuard servers are reachable, try to ping the following hostnames:

 

execute ping service.fortiguard.net

execute ping update.fortiguard.net

execute ping guard.fortinet.net

execute ping securewf.fortiguard.net [ for HTTPS service ]

 

If the hostname is not resolving or ping is not working, refer to this KB article: Troubleshooting Tip: Unable to connect to FortiGuard servers.

 



Scope

 

FortiGate.

Solution

 

Enabling the option described below lets users access websites even when a rating error occurs, and allows the FortiGate unit to use the FortiGuard Web Filtering database stored on the unit to rate the website. While the rating error persists, websites that cannot be rated are allowed rather than blocked, so category-based filtering does not apply to them.


This applies even if the FortiGuard Web Filtering license has expired, but the unit will then not have access to the latest updates from the FortiGuard service.
 
Scenario 1:
Go to Security Profiles -> Web Filter, select the Profile to use, and under 'Rating Options' enable 'Allow Websites When a Rating Error Occurs'.

 

In CLI:

 

Screenshot 2025-09-18 083747.png

 

From v7.4 onward, the control for 'Allow websites when a rating error occurs' has changed. Use the option shown in the screenshot below to turn the rating error behavior on or off.

 

1.jpg

 

Scenario 2:

In the output of 'diagnose debug rating', two servers are listed:

 

image (1).png

 

If a server shows 'F' under Flags, the server has not responded and is considered to have failed.

 

To resolve, the FortiGuard settings can be adjusted to the following:

 

config system fortiguard

    set fortiguard-anycast disable

    set protocol udp

    set port 8888

    set sdns-server-ip 208.91.112.220 173.243.140.53 210.7.96.53

end

 

For the detailed 'diagnose debug rating' flags description, refer to Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers).
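
The Scenario 2 check can be scripted against saved 'diagnose debug rating' output, for example to flag units whose rating servers are all marked 'F'. The following is an added example, not Fortinet code: the sample output is constructed, and its column layout is an assumption about how the server list is printed.

```python
import ipaddress

# Constructed sample, not captured from a real unit. The column layout is an
# assumption about the server list that 'diagnose debug rating' prints.
SAMPLE_OUTPUT = """\
Locale       : english
Service      : Web-filter
Status       : Enable
License      : Contract

-=- Server List (constructed sample) -=-
IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
192.0.2.10           10   45  DI      0     1200          0           3
198.51.100.20        30  210  F       1      800         12          40
203.0.113.30         60  180          8      150          0           0
"""


def parse_servers(output):
    """Return [(ip, flags)] for every server row in the rating output."""
    servers = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue  # header, banner or status line, not a server row
        # Flags are letters; an empty Flags column leaves a numeric TZ here.
        flags = tokens[3] if len(tokens) > 3 and tokens[3].isalpha() else ""
        servers.append((ip, flags))
    return servers


def failed_servers(output):
    """IPs whose Flags field contains 'F' (server did not respond)."""
    return [ip for ip, flags in parse_servers(output) if "F" in flags]


def all_failed(output):
    """True when servers are listed and every one of them is flagged 'F'."""
    servers = parse_servers(output)
    return bool(servers) and all("F" in flags for _, flags in servers)


if __name__ == "__main__":
    print("failed:", failed_servers(SAMPLE_OUTPUT))
    print("all failed:", all_failed(SAMPLE_OUTPUT))
```

A result where every listed server is failed matches the condition this scenario addresses; a single failed server among responsive ones does not by itself cause a rating error.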

 

Related article:

Technical Tip: Web Page Blocked using WebFilter when failed to connect to FortiGuard