Description
This article describes how to troubleshoot an issue where, when troubleshooting web filter issues, the FortiGate is unable to categorize URLs.
Scope
FortiGate.
Solution
Verifying the ping connection to the FortiGuard service is successful:
- service.fortiguard.net.
- update.fortiguard.net.
However, executing the following command returns an error message:
diagnose debug rating
Locale : english
The service is not enabled.
FGT#
Locale : english
The service is not enabled.
FGT#
Verify the FortiGuard configuration status:
If 'webfilter-force-off' is enabled, set it to disable:
show system fortiguard
.
.
set webfilter-force-off : enable
.
.
set webfilter-force-off : enable
If 'webfilter-force-off' is enabled, set it to disable:
set webfilter-force-off disable
The web filter service remains disabled, despite how the web filtering profile with SSL/SSH inspection is applied to at least one firewall policy.
Ensure that 'FortiGuard Category Based Filter' is enabled under the web filter profile.
Once the 'FortiGuard Category Based Filter' is enabled, servers will be visible under 'diagnose debug rating'.
Note:
Web Filtering in System -> FortiGuard -> Filtering Services Availability will still show as UP even if webfilter-force-off is set to enable, which is why it is important for this setting to be checked via CLI.
Related article:
Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers)
