The user may come across the following unexpected configuration, where FortiManager is trying to set the status of “webfilter-force-off” to 'enable' during an installation, even if it is not intended to be in an 'enabled' state.

config system fortiguard

    set webfilter-force-off enable

end

'webfilter-force-off' status is set to 'disable' as verified on the Policy & Objects page.

This issue can generally happen if there are any System Templates assigned to the device where the 'FortiGuard' section within the System Template is disabled.

If the 'FortiGuard' section is not enabled, FortiManager by default will attempt to enforce the following parameters, which may override the ADOM policy level configuration.

config system fortiguard

    set antispam-force-off enable

    set webfilter-force-off enable

end

To rectify this, enable the 'FortiGuard' section within the System Template or create a new System Template while enabling 'FortiGuard'. Subsequently, FortiManager should no longer override the ADOM policy level configuration and set the status of 'webfilter-force-off' to 'enable'.