rishab444
Staff
Article Id 366188
Description
This article describes how to fix the problem where a Web Rating Override is used to allow a website but has no effect, or the effect is very inconsistent.
Scope
FortiGate.
Solution
  1. The Web Rating Override works consistently when the website is overridden to a 'Custom' category.



In the CLI, run the following commands:

 

execute log filter category 3           <----- Web filter category ID.
execute log filter field srcip 192.48.1.2

execute log display


date=2024-12-22 time=13:54:56 eventtime=1734893696235188233 tz="-0500" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 poluuid="b5737652-bee5-51ef-068b-5b2ac0dd2b1a" policytype="policy" sessionid=879727 srcip=192.48.1.2 srcport=49486 srccountry="United States" srcintf="port3" srcintfrole="undefined" srcuuid="5465ab26-b41a-51ef-cce7-1754ece7dc2c" dstip=160.153.61.67 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5465ab26-b41a-51ef-cce7-1754ece7dc2c" proto=6 service="HTTPS" hostname="rabudiagnostic.com" profile="Clone of default" action="passthrough" reqtype="direct" url="https://rabudiagnostic.com/" sentbyte=2048 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=140 catdesc="custom1"

  2. The Web Rating Override is inconsistent and does not work as well when the website is overridden to a standard category, for instance General Interest -> Personal -> Health and Wellness.

Log:

date=2024-12-22 time=13:49:03 eventtime=1734893343179517841 tz="-0500" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=1 poluuid="b5737652-bee5-51ef-068b-5b2ac0dd2b1a" policytype="policy" sessionid=876687 srcip=192.48.1.2 srcport=49451 srccountry="United States" srcintf="port3" srcintfrole="undefined" srcuuid="5465ab26-b41a-51ef-cce7-1754ece7dc2c" dstip=160.153.61.67 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5465ab26-b41a-51ef-cce7-1754ece7dc2c" proto=6 service="HTTPS" hostname="rabudiagnostic.com" profile="Clone of default" action="blocked" reqtype="direct" url="https://rabudiagnostic.com/" sentbyte=2160 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=61 catdesc="Phishing" crscore=30 craction=4194304 crlevel="high"

  3. The inconsistency is observed when the action on the standard category is set to 'Allow'.

  4. To fix this, change the action on the standard category to 'Monitor'.

Log:

 

date=2024-12-22 time=13:57:24 eventtime=1734893844393966980 tz="-0500" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=1 poluuid="b5737652-bee5-51ef-068b-5b2ac0dd2b1a" policytype="policy" sessionid=881178 srcip=192.48.1.2 srcport=49504 srccountry="United States" srcintf="port3" srcintfrole="undefined" srcuuid="5465ab26-b41a-51ef-cce7-1754ece7dc2c" dstip=160.153.61.67 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5465ab26-b41a-51ef-cce7-1754ece7dc2c" proto=6 service="HTTPS" hostname="rabudiagnostic.com" profile="Clone of default" action="passthrough" reqtype="direct" url="https://rabudiagnostic.com/" sentbyte=2016 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" ratemethod="domain" cat=33 catdesc="Health and Wellness"
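
The comparison made by reading these log entries can be automated. The following Python script is an added example, not part of the original article or of any Fortinet tooling: it parses webfilter log lines and returns the requests for a host whose logged category is not one of the override categories. The sample lines are constructed by trimming the three entries above to the fields the check reads, and the function names are hypothetical.

```python
import re

# Constructed sample: the three webfilter entries shown in this article,
# trimmed to the fields this check reads.
SAMPLE_LOGS = [
    'date=2024-12-22 time=13:49:03 type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" hostname="rabudiagnostic.com" action="blocked" '
    'msg="URL belongs to a denied category in policy" cat=61 catdesc="Phishing"',
    'date=2024-12-22 time=13:54:56 type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" hostname="rabudiagnostic.com" action="passthrough" '
    'msg="URL belongs to an allowed category in policy" cat=140 catdesc="custom1"',
    'date=2024-12-22 time=13:57:24 type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" hostname="rabudiagnostic.com" action="passthrough" '
    'msg="URL belongs to an allowed category in policy" cat=33 '
    'catdesc="Health and Wellness"',
]

# A value is either a quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a FortiGate key=value log line into a dict, dropping the quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def override_misses(lines, hostname, override_cats):
    """Return the category-rating entries for hostname whose logged category
    is not one of override_cats, i.e. requests where the override had no effect."""
    wanted = {str(cat) for cat in override_cats}
    misses = []
    for rec in map(parse_line, lines):
        # Only FortiGuard category events (ftgd_allow, ftgd_blk) carry the rating.
        if not rec.get("eventtype", "").startswith("ftgd_"):
            continue
        if rec.get("hostname") == hostname and rec.get("cat") not in wanted:
            misses.append(rec)
    return misses


if __name__ == "__main__":
    # 140 = custom1, 33 = Health and Wellness (category IDs from the logs above).
    for rec in override_misses(SAMPLE_LOGS, "rabudiagnostic.com", {140, 33}):
        print(rec["date"], rec["time"], rec["hostname"], rec["action"],
              f'cat={rec["cat"]} ({rec["catdesc"]})')
```
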

 

 Debug commands:


diagnose debug reset
diagnose ips debug disable all
diagnose ips filter clear
diagnose ips filter set "host <client-ip>"
diagnose ips debug enable urlfilter
diagnose debug enable

 

[3500@22648]urlf_query_fgd: id:2216 sess:22648 action:0 error:0 src:2 host:rabudiagnostic.com url:/ rate_ip:0 ssl_exemption_query:0
[3500@22648]handle_fgd_answer: sess:22648, id:0, action:1, resume:0, error:0, ftgd_category:61, url_category:61, local_category:0, byip:0, log:1, time:0s
[3500@22648]on_rating_done: sess 22648, rate 61, action 1
[3500@22648]ips_eng_log_webfilter: sess:7304496 type:10 action:1 host:rabudiagnostic.com source:2 url:/
[3500@22648]ips_set_pkt_urlf_verdict: action=DROP
 

Related article:

Technical Tip: How to narrow down specific logs from CLI of the FortiGate