JC_Geosoft
New Contributor

[BUG] FortiClient [5.6.1] assuming webfilter policies when it shouldn't

Hey There,

 

I have found a bug with FortiClient 5.6.1 where it's assuming policies set by my organization that it should not be doing. Namely, the web filtering of "Newly Observed Domains". This feature in the FortiClient, which I'm testing as a replacement for 3rd party antivirus, is triggering too many false positive alerts. I purposefully have this disabled on my FortiGate policies for this reason. I have tried to disable this feature many times on the FortiClient, but it seems to ignore any attempts I make to turn this feature off and will always remain in a "deny access" state.

 

Application: FortiClient 5.6.1

Platform: Windows 10 (Build 1709)

Application: FortiClient EMS 1.2.2

Platform: Windows 2016

Steps to reproduce:

- Log in to FortiClient EMS and set up a profile that does not use web filtering.

- Set up the AntiVirus profile with default options. Enable "Block access to malicious websites"

- Register a FortiClient to use this profile. FortiClient installation would need Antivirus and Web Filtering.

Expected behaviour:

- Browse to a website Fortinet classified as "newly observed domain"

- Be granted access to such sites

Observed behaviour:

- FortiClient will block access to the site with a Fortinet Splash page saying category is blocked by FortiClient Administrator

- Since a "newly observed domain" is not a malicious site, there is no reason why this page should be blocked. You will see later on there is no way to bypass this issue.

 

These classifications of Malicious Websites are required for the Web Filter engine to be installed on the FortiClient, but do not require the FortiClient EMS to have web filter enabled. That being said, I would expect the ability to disable this feature in the webfilter.

 

Steps to reproduce:

- Open the profile above in FortiClient EMS

- Enable the Web Filter portion of the webfilter

Expected behaviour: 

- Have the ability to granularly control "newly observed domains"

Observed behaviour:

- There is no UI option to configure this item.

 

After a little digging, I found the webfilter id being used by the FortiGuard service which is listed here http://help.fortinet.com/...reCatalog-sec-pro.htm. I then attempted to modify the XML file to make the necessary changes. Since there wasn't a UI option for the Exploit Prevention option in EMS yet, XML was a good way to enable this on the client side.

 

Steps to reproduce:

- Open the profile in FortiClient EMS and edit the XML Configuration

- Browse the XML tree for Webfilter -> Profiles -> Profile -> Categories -> Category

- Locate where category id is 90

- Change action from "deny" to "monitor" or "allow"

- Save the changes

Expected behaviour:

- Changing the "newly observed domain" into a more permissible state will allow site navigation

Observed behaviour:

- Website still being blocked.

 

Thinking "that's really weird. I should be able to use this site now. The configuration I push says I should. Is it not following these settings?" So I decided to take the client out of managed mode and do some standalone testing.

 

Steps to reproduce:

- Install a FortiClient in standalone mode with web filtering enabled

- Enable "block all access to malicious websites" on the antivirus portion of the configuration

- Backup the FortiClient configuration to disk using the FortiClient File -> Settings menu

- Edit the FortiClient configuration, browse the XML tree for Webfilter -> Profiles -> Profile -> Categories -> Category

- Locate where category id is 90

- Change action from "deny" to "monitor" or "allow"

- Save the changes

- Restore the configuration changes back into FortiClient

Expected behaviour:

- Changing the "newly observed domain" into a more permissible state will allow site navigation

- Making a new backup configuration of the restored config would reflect the changes I made

Observed behaviour:

- Website still being blocked.

- Making a new backup configuration of the restored config will actually show the category id 90 reverted to a deny state
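
A way to confirm the revert described in this post, as an added example that is not part of the original post or any Fortinet tooling: it compares the category actions in the configuration that was edited with those in a fresh backup taken after the restore. The element names follow the path given in the post and are an assumption about the export schema; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not real FortiClient exports). Element names
# follow the path given in the post and are an assumption about the schema.
EDITED = """<forticlient_configuration><webfilter><profiles><profile>
  <name>default</name>
  <categories>
    <category><id>26</id><action>deny</action></category>
    <category><id>90</id><action>monitor</action></category>
  </categories>
</profile></profiles></webfilter></forticlient_configuration>"""

# Simulates the new backup taken after restoring EDITED: id 90 is back to deny.
RESTORED_BACKUP = EDITED.replace(
    "<id>90</id><action>monitor</action>", "<id>90</id><action>deny</action>")


def category_actions(xml_text):
    """Return {(profile_name, category_id): action} for each web filter category."""
    root = ET.fromstring(xml_text)
    actions = {}
    for profile in root.iterfind(".//webfilter/profiles/profile"):
        name = (profile.findtext("name") or "").strip()
        for cat in profile.iterfind("categories/category"):
            cat_id = (cat.findtext("id") or "").strip()
            action = (cat.findtext("action") or "").strip().lower()
            if cat_id:
                actions[(name, cat_id)] = action
    return actions


def reverted(edited_xml, backup_xml):
    """List (profile, id, wanted, actual) where the backup differs from the edit."""
    want, got = category_actions(edited_xml), category_actions(backup_xml)
    return sorted(
        (profile, cat_id, action, got.get((profile, cat_id), "<missing>"))
        for (profile, cat_id), action in want.items()
        if got.get((profile, cat_id)) != action
    )


if __name__ == "__main__":
    for profile, cat_id, wanted, actual in reverted(EDITED, RESTORED_BACKUP):
        print(f"profile={profile} category={cat_id}: set {wanted}, backup shows {actual}")
```
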

SteveRoadWarrior

I've tested this combination and it works:

 

Use of Web Filter exclusions: working under 5.6.3 client with EMS server 1.2 Patch 3

How to:

- be sure your EMS Server is up to date

- deploy the 5.6.3 client.  You can reuse MST from your previous MSI deployment.

     see: https://forum.fortinet.com/tm.aspx?m=153392

- edit the profile for your group of machines

- go to web filter and scroll down to "Exclusion List"

- add the domain to the exclusion list and click "Save"

- wait 60 seconds or so and test

- at the workstation, you can verify the client got the changes by:

   - click on web filter

   - click on site categories

   - look for "exclusion list" on the left side

   - look for your new entry in the domain exclusions list

 

 

 

 

ExpertDeveloper

Using standalone FortiClient, and faced the same issue. Getting a blocked message. What is the next step?

App Developer | Mobile app development company
Markus
Valued Contributor

It seems it's been a while, any news if this is coming to EMS/webfilter category? This is the worst, as we have issues daily and have to whitelist domains. This should get fixed ASAP, I don't want to disable "Block Access to Malicious Websites". This is not the way of security.


________________________________________________________
--- NSE 4 ---
________________________________________________________
ggntt

Just wondering, does anyone have any issue with users reporting that FortiClient is blocking access to public wifi such as hotel captive portals?

 

We also have EMS managing FortiClient profiles, but during testing, some users complained that they cannot access wifi in hotels, which is a problem. We thought we were clever enabling webfiltering to block malicious sites and unrated sites, but it seems to cause an issue. We thought about the possibility of whitelisting internal subnets, e.g. 192.168.x.x etc., but I guess a lot of those captive portals use DNS names etc...

 

Anyone have any suggestions or experienced similar issues?

 

thanks

ggntt
