nathan_h
Staff & Editor
Article Id 379617
Description

This article describes how to fix a web rating override on a Web Filter profile that no longer applies the configured action after an upgrade to v7.2.11, v7.4.6, v7.4.7, v7.6.1, or v7.6.2.

Scope

FortiGate v7.2.11, v7.4.6, v7.4.7, v7.6.1, v7.6.2 with flow-based web filter.

Solution

Custom Category:

[Screenshot: 2025-03-03 08 53 33.png]

Web Filter Profile:

[Screenshot: 2025-03-03 08 50 54.png]

[Screenshot: 2025-03-03 08 55 34.png]

Firewall Policy:

[Screenshot: 2025-03-03 08 52 32.png]

When accessing the website (doh.dns.apple.com), the FortiGuard Block Page is displayed, although the website category should be 'Allowed_Custom'.

[Screenshot: 2025-03-03 08 56 12.png]

This issue only affects firewall policies with flow-based inspection.

Workaround:

Configure a dummy Custom Category and Web Rating Override/Local Rating by copying and pasting the commands below into the CLI.

The web rating override continues to work after the dummy entries are deleted. Alternatively, delete and re-add one of the existing web rating categories and ratings. If the FortiGate is rebooted, apply the workaround again.

config webfilter ftgd-local-cat
    edit "dummy-cat"
        set id 190
    next
end


config webfilter ftgd-local-rating
    edit "dummy.local"
        set rating 190
    next
end

Then delete the dummy entries:

config webfilter ftgd-local-rating
    delete "dummy.local"
end

config webfilter ftgd-local-cat
    delete "dummy-cat"
end

The website is accessible:

[Screenshot: 2025-03-03 09 01 08.png]

This issue is tracked by internal issue ID# 1118132. The issue is resolved in v7.6.3 and v7.4.8, and scheduled for resolution in v7.2.12. See v7.4.8 FortiOS Release Notes.
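
An offline way to check a configuration backup against the conditions described above (an affected release, a local rating configured, and a web filter profile applied by a flow-mode policy), added here as an example and not part of the original article or of any Fortinet tooling. It assumes a single-VDOM backup that starts with the usual #config-version header and omits inspection-mode on policies left at the default (flow); the function names and the sample backup are constructed for illustration.

```python
import re

# Affected releases, taken from the article's Scope section.
AFFECTED = {"7.2.11", "7.4.6", "7.4.7", "7.6.1", "7.6.2"}

def flow_webfilter_policies(cfg):
    """IDs of firewall policies that apply a web filter profile in flow mode."""
    block = re.search(r"^config firewall policy\n(.*?)^end$", cfg, re.M | re.S)
    hits = []
    for pid, body in re.findall(r"^\s*edit (\d+)\n(.*?)^\s*next$",
                                block.group(1) if block else "", re.M | re.S):
        settings = dict(re.findall(r'^\s*set (\S+) "?([^"\n]*)', body, re.M))
        # Assumption: a backup omits inspection-mode when it is the default (flow).
        if ("webfilter-profile" in settings
                and settings.get("inspection-mode", "flow") == "flow"):
            hits.append(int(pid))
    return hits

def assess(cfg):
    """Check a config backup against the three conditions the article gives."""
    cfg = cfg.replace("\r\n", "\n")
    m = re.search(r"^#config-version=\S*?-(\d+\.\d+\.\d+)-FW-", cfg, re.M)
    version = m.group(1) if m else None
    has_override = bool(re.search(
        r"^config webfilter ftgd-local-rating\n\s*edit ", cfg, re.M))
    policies = flow_webfilter_policies(cfg)
    return {"version": version, "policies": policies,
            "affected": version in AFFECTED and has_override and bool(policies)}

# Constructed sample backup: model, build number and object names are placeholders.
SAMPLE = """#config-version=FGT60F-7.4.7-FW-build0000-000000:opmode=0:vdom=0:user=admin
config webfilter ftgd-local-rating
    edit "doh.dns.apple.com"
        set rating 140
    next
end
config firewall policy
    edit 1
        set webfilter-profile "wf-flow"
    next
    edit 2
        set inspection-mode proxy
        set webfilter-profile "wf-proxy"
    next
end
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A unit reported as affected needs the workaround reapplied after every reboot until it is upgraded to a fixed release.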