ashok kumar
Network Engineer
CCNP/MCSA
Hello,
I am having a similar issue: while other social media sites are not working, Twitter is still working.
I have both application control and web control with SSL enabled.
I have the problem that my FGT seems to ignore the static URL filter on HTTPS sites.
In the policy, the webfilter profile is enabled and so is SSL inspection. Deep Inspection is on (since some said that URL filtering will not work if you only have cert inspection on). Though the FGT keeps not applying any URL filter rules.
It only seems to use the categories I chose under reputative sites.
Even TAC could not yet provide me with a solution...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I noticed the same thing as well.
It seems the FortiGuard category based filter takes precedence over the static URL filter.
Some "weirdness" just off the top of my head....
This goes back to the 4.1 to 4.2 days, where the script conversion process during a firmware upgrade had truncated any object name that had a "space" character in the name. I wasn't around when someone on the team thought it would be a wonderful idea to trigger a firmware upgrade on some 50 FGTs via FGR on a Friday - come Monday we were swamped with calls about non-working Internet - took about 5 minutes performing a diff on the before/after configs to see some of our URL filtering labels were "truncated" because they had a space character (e.g. "daytime urlfilter") and a few other places. Ended up manually fixing (renaming) those labels.
Don't know how this happened, but somehow a non-standard character code was introduced in the config file, at about where the URL filter section was - would cause the FGT to "choke" and stop processing anything further in that section - same thing would happen if you are manually copying/pasting sections via the CLI and a quote " is missed.
URL filters are processed from top-to-down - with that in mind, someone on the team kept adding invalid URL entries to a URL list - sometimes moving them around, that caused something akin to a wildcard entry at or near the top of the URL list, so no further URL filter rules were processed after that entry.
Don't know if this is still a problem on later firmware, but if you clone a Webfilter policy, all instances of that original policy will reference the same URL filter list (e.g. an edit/added entry to the URL filter list in the cloned policy will show up in the original policy or vice versa). So when or if I need to clone a web filter policy, I ensure afterwards to deselect the URL filter list then reselect it so it gives a fresh (blank) URL filter list.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
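An added example, not written by any poster in this thread and not Fortinet code: a small Python lint that scans an exported URL filter section for the conditions described in the post above (a space in the list name, a non-ASCII character, a missing quote, and a catch-all wildcard entry placed ahead of other entries). The config excerpt is constructed, its syntax is assumed to follow the FortiOS CLI `config webfilter urlfilter` layout, and `lint_urlfilter` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on FortiOS CLI syntax (assumption, not from the thread).
SAMPLE = '''config webfilter urlfilter
    edit 1
        set name "daytime urlfilter"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action allow
            next
            edit 2
                set url "twitter.com
                set type simple
                set action block
            next
            edit 3
                set url "exam\u00a0ple.com"
                set action block
            next
        end
    next
end
'''

def lint_urlfilter(text):
    """Return (line_number, finding) tuples for a URL filter config section."""
    findings, entries = [], []
    for no, line in enumerate(text.splitlines(), 1):
        # Non-printable or non-ASCII characters can stop the section from parsing.
        if any(ord(c) > 126 or (ord(c) < 32 and c != "\t") for c in line):
            findings.append((no, "non-ascii"))
        # An odd number of double quotes means a quote was dropped while pasting.
        if line.count('"') % 2:
            findings.append((no, "unbalanced-quote"))
        m = re.match(r'\s*set name "([^"]*)"', line)
        if m and " " in m.group(1):
            findings.append((no, "space-in-name"))
        m = re.match(r'\s*set url "?([^"]*)', line)
        if m:
            entries.append((no, m.group(1).strip()))
    # Entries are evaluated top-down: a pattern made only of '*' and '.' that is
    # not the last entry matches everything, so later entries are never reached.
    for no, url in entries[:-1]:
        if url and url.strip("*.") == "":
            findings.append((no, "catch-all-shadows-later-entries"))
    return findings
```

Running it against a before/after pair of configs around a firmware upgrade gives the same signal as the manual diff mentioned above, without reading the whole file.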