FortiProxy
duenlim
Staff
Article Id 321892
Description This article specifically focuses on Proxy Address in FortiProxy.
Scope FortiProxy v7.0.x, v7.2.x and v7.4.x.
Solution

The website https://www.hkcaavq.edu.hk belongs to the category 'Education', but access to it is denied because it is treated as belonging to the category 'Meaningless Content'.

 

Sample Proxy Address configuration:

[Image: FortiProxy_Proxy_Address.png]

 

Run the WAD debug while accessing the URL 'https://www.hkcaavq.edu.hk' to investigate further:


diag wad filter clear
diag wad filter src <x.x.x.x> <----- Client IP address.
diagnose wad debug enable category http
diagnose wad debug enable level info
diag debug en

 

Note:

'diag debug disable' stops the WAD debug.

 

The WAD debug log shows that the effective category is '55': the IP rating is 55, which has a higher weight than the URL rating of 30, so 55 is chosen.


[I][p:1053][s:1265766649][r:1586] wad_send_url_request_new :1580 (0-Ok): cnt=1 id=1209() url='hkcaavq.edu.hk'[103.11.228.180] from=10.176.2.144 url-src=HTTP cate=255 tasks=Rat
[I][p:1053][s:1265766649][r:1586] wad_url_choose_cate :2138 cate=55 (ftgd) ip-cates=[55,]; url=[ # 30,],ip=[ # 55,]; conf addr_rating_ip '':[96,98,99,68,69,72,75,83,86,93,37,55,57,59,61,63,1,3,4,6,7,8,11,]
[E][p:1053][s:1265766649][r:1586] wad_http_req_proc_policy :10063 POLICY DENIED

 

Run the CLI command 'get webfilter categories' to show all URL categories:

 

get webfilter categories
g06 General Interest - Personal:
30 Education
55 Meaningless Content

 

Note:

Only the sample URL categories relevant to this case are listed.
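As an added example (not part of the original article and not Fortinet tooling), the Python below parses saved WAD debug output in the format shown above and reports denied requests where the IP rating, rather than the URL rating, supplied the effective category. The function names and regular expressions are assumptions built from the three log lines on this page; other firmware versions may format these lines differently.

```python
import re

# Category names from the 'get webfilter categories' output on this page.
CATEGORY_NAMES = {30: "Education", 55: "Meaningless Content"}

KEY_RE = re.compile(r"\[s:(\d+)\]\[r:(\d+)\]")  # session and request ids
URL_RE = re.compile(r"wad_send_url_request_new .*?url='([^']*)'")
CHOOSE_RE = re.compile(r"wad_url_choose_cate\s*:\d+\s+cate=(\d+)"
                       r".*?url=\[([^\]]*)\],\s*ip=\[([^\]]*)\]")

def _ids(field):
    """Extract category ids from a field such as ' # 30,'."""
    return [int(n) for n in re.findall(r"\d+", field)]

def ip_rating_denials(log_text):
    """Return denied requests whose effective category came from the IP rating
    while the URL itself carried a different rating."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        key = KEY_RE.search(line)
        if not key:
            continue
        req = pending.setdefault(key.groups(), {})
        if (m := URL_RE.search(line)):
            req["url"] = m.group(1)
        elif (m := CHOOSE_RE.search(line)):
            cate, url_c, ip_c = int(m.group(1)), _ids(m.group(2)), _ids(m.group(3))
            req.update(cate=cate, url_cates=url_c, ip_cates=ip_c,
                       ip_overrode=cate in ip_c and bool(url_c) and cate not in url_c)
        elif "POLICY DENIED" in line and req.get("ip_overrode"):
            req["name"] = CATEGORY_NAMES.get(req["cate"], "unknown")
            findings.append(req)
    return findings

# Sample input: the three debug lines from this page, with line wraps rejoined
# and the trailing 'conf addr_rating_ip' list omitted for brevity.
SAMPLE = (
    "[I][p:1053][s:1265766649][r:1586] wad_send_url_request_new :1580 (0-Ok): cnt=1 id=1209() url='hkcaavq.edu.hk'[103.11.228.180] from=10.176.2.144 url-src=HTTP cate=255 tasks=Rat\n"
    "[I][p:1053][s:1265766649][r:1586] wad_url_choose_cate :2138 cate=55 (ftgd) ip-cates=[55,]; url=[ # 30,],ip=[ # 55,];\n"
    "[E][p:1053][s:1265766649][r:1586] wad_http_req_proc_policy :10063 POLICY DENIED\n"
)

if __name__ == "__main__":
    for f in ip_rating_denials(SAMPLE):
        print(f"{f.get('url')}: denied as {f['cate']} ({f['name']}) via IP rating; "
              f"URL rating was {f['url_cates']}")
```

Run against a capture from a busy proxy, this shows at a glance which denials would change if the IP rating were corrected or 'address-ip-rating' were disabled.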

 

Category '55' is chosen because 'address-ip-rating' in the protocol options is enabled by default.

 

IP rating is enabled by default for proxy-address categories:


config firewall profile-protocol-options
    edit "Default"
        config HTTP
            set ports 80
            set address-ip-rating enabled (Default)
        end
    next
end

 

In the Web Filter profile, the 'rate-server-ip' setting is disabled by default.

IP rating is disabled by default in the Web Filter profile:


config webfilter profile
    edit "Default"
        config ftgd-wf
            set options rate-server-ip disabled (Default)
        end
    next
end

 

Note:

When a Proxy Address is used to match the URL category, the Web Filter profile settings are not used.

 

Solution Options:

  1. Submit a request to the FortiGuard Web Filter team via https://www.fortiguard.com/faq/wfratingsubmit to recategorize the IP address to the 'Education' category or another correct category.
  2. Disable 'set address-ip-rating' in the protocol options.