Fortinet Forum
krusty
New Contributor

Web filtering not performed following Application control

Hello,

Hope someone can help here.

The FortiGate seems to skip web filtering following application control. Is this normal?

Thanks in advance.

hmtay_FTNT
Staff

Hello krusty,

If you enabled a Web Filter profile with Application Control, and the App Control action does not drop the traffic, no, it should not skip web filtering. However, if App Control drops the traffic, then Web Filter will not apply. How did you test your policy? Can you send me your configuration file and let me know which policy ID you are using?

HoMing

Iescudero

Hello!

Application Control and IPS were applied before web filter, so this is a normal behaviour.

krusty

Hi,

I've PM'ed you the config.

Following application control we can still get to the blocked sites.

Thanks

hmtay_FTNT

Hi krusty,

I replied to the PM. Can you enable certificate-inspection under "SSL Inspection"? If you do not enable that, the IPS engine will not scan any SSL sessions.

HoMing

PDG
New Contributor

Are you using Proxy or flow mode?

Did you check the following settings?

config firewall profile-protocol-options
    edit "<profile-name>"    # placeholder: the protocol options profile used by your policy
        config http
            set status enable    # <- this must be enabled; otherwise webfiltering AND AV won't work
        end
    next
end

krusty
New Contributor

Hi,

Thanks for the response.

It is in proxy-based mode.

config firewall profile-protocol-options is not enabled. Will this cause a loss of access on other policies if I enable it?

Cheers

PDG
New Contributor

Hi Dan, you have to enable it for every protocol you'd like to scan. Otherwise in proxy mode no av+webfiltering will work. By default it should be enabled. I also had one unit/firmware where it was disabled by default. Cheers, Patrick
krusty
New Contributor

Enabling certificate inspection worked.

Thanks for your help guys!! :)
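
Added example (not part of the original thread, and not Fortinet code): a small audit script that reads a FortiGate configuration backup and lists firewall policies that have a web filter or application control profile but no SSL inspection profile, which is the condition the accepted answer fixed. The sample config is constructed, and treating "no-inspection" as a profile that skips SSL scanning is an assumption.

```python
import re

# Constructed sample in FortiOS backup syntax (not taken from the thread).
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "lan-to-wan"
        set utm-status enable
        set webfilter-profile "default"
        set application-list "default"
    next
    edit 2
        set name "guest-to-wan"
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set name "mgmt"
    next
end
'''

FILTER_KEYS = ("webfilter-profile", "application-list")
NO_SSL_SCAN = {None, "no-inspection"}  # assumption: unset or a non-inspecting profile

def parse_policies(text):
    """Return {policy_id: {setting: value}} from the 'config firewall policy' table."""
    policies, path, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
        elif line == "end" and path:
            path.pop()
        elif path == ["firewall policy"]:  # ignore nested sub-tables
            if line.startswith("edit "):
                current = policies.setdefault(line.split()[1], {})
            elif line == "next":
                current = None
            elif current is not None and (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
                current[m.group(1)] = m.group(2)
    return policies

def unscanned_https_policies(text):
    """IDs of policies with web filter/app control but no SSL inspection profile."""
    return [pid for pid, cfg in parse_policies(text).items()
            if any(k in cfg for k in FILTER_KEYS)
            and cfg.get("ssl-ssh-profile") in NO_SSL_SCAN]

if __name__ == "__main__":
    print("Policies filtering without SSL inspection:", unscanned_https_policies(SAMPLE_CONFIG))
```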