Hello,
I'm facing the following strange problem with web filtering in 5.6.3. Please note that the problem appeared after I registered my FG to an FMG for testing purposes. The FG is now deregistered, but the problem persists.
So, it appears that web filtering is not blocking what it should block, and I see log messages saying "FortiGuard is enabled in the protection profile but the FortiGuard service is not enabled." and other messages saying:
no rating service is found
URL Type: https
Message: Policy allows URLs when a rating error occurs
Needless to say, FortiGuard is up and running, or at least it seems so in the system's dashboard. I did a check in System > FortiGuard > Filtering Services Availability and got "Both web filter and antispam services are available".
Does anybody know what's going on here?
Thanks
This might be due to this Mantis Bug #451801.
Double check whether you have a system template applied with your FGT or not.
If yes, double check whether "FortiGuard" widget is there or not. If yes, either enable it or delete it.
If you leave the widget there, and don't check the option "Enable FortiGuard Security Updates", FMG will apply "antispam-force-off" and "webfilter-force-off" with "enable" setting.
Here is some more information I gathered during my troubleshooting:
diagnose debug rating: The service is not enabled :o
config system fortiguard
set webfilter-force-off enable :o
Where the fuck did this command come from??? When I changed to enable, everything in web filtering worked fine.
And why didn't the dashboard or the FortiGuard GUI show anything wrong? On the contrary, they showed me that the service was available... I'm pretty sure that the FMG caused all this mess, but I expect that the FortiGate's GUI wouldn't fool me.
I'm very much interested in hearing about your experience with similar incidents.
Thanks
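A check for the condition described in this thread, as an added example that is not from any poster or from Fortinet: it scans a saved FortiGate configuration backup for `webfilter-force-off` or `antispam-force-off` set to `enable` directly under `config system fortiguard`. The sample configuration text, the hostname and the function names are constructed for illustration.

```python
# Added example: audit a FortiGate config backup for the FortiGuard force-off
# settings discussed in this thread. Sample configs below are constructed.

FORCE_OFF_KEYS = ("webfilter-force-off", "antispam-force-off")

def fortiguard_settings(config_text):
    """Return the 'set' pairs found directly under 'config system fortiguard'."""
    settings, depth, block_depth = {}, 0, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or header comment of a backup file
        if parts[0] == "config":
            depth += 1
            if depth == 1 and parts[1:] == ["system", "fortiguard"]:
                block_depth = depth
        elif parts[0] == "end":
            if block_depth == depth:
                block_depth = None  # leaving the fortiguard block
            depth -= 1
        elif parts[0] == "set" and block_depth == depth and len(parts) >= 3:
            settings[parts[1]] = " ".join(parts[2:]).strip('"')
    return settings

def forced_off(config_text):
    """List the force-off keys set to 'enable' (the service is switched off)."""
    settings = fortiguard_settings(config_text)
    return [k for k in FORCE_OFF_KEYS if settings.get(k) == "enable"]

# Constructed sample: the state reported in the thread.
SAMPLE_BROKEN = """\
config system global
    set hostname "FGT-LAB"
end
config system fortiguard
    set antispam-force-off enable
    set webfilter-force-off enable
end
"""

# Constructed sample: the same backup with both settings turned back to disable.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("force-off enable", "force-off disable")

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        hits = forced_off(text)
        print(name, "->", ", ".join(hits) if hits else "no force-off settings enabled")
```

Running it against backups taken before and after a FortiManager template push shows whether the push changed these settings, independently of what the dashboard reports.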