Cannot apply default webfilter-profile to external Firewall policy. It fails with no error and I am not sure what I am doing wrong or how to correct this problem. I am following the guide below while using FortiManager Cloud:
I can apply the below settings:
application-list - default
av-profile - default
ips-sensor - default
ssl-ssh-profile - deep-inspection
However, when I configure:
webfilter-profile - default
The policy fails to apply with no error, see log below:
Hi,
Verify the inspection mode on the firewall policy is flow/proxy and the feature set on the webfilter profile is flow/proxy. Make sure they are the same.
All policies and profiles are set to Flow already.
Hi @cschmidt-leolabs ,
Also please run the following commands before push:
diag debug cli 8
diag debug enable
Once you are done with the Push on FMG, disable the debug on FGT:
diag debug disable
diag debug cli 3
Then please share the outputs for further investigation.
I set up the debug messages but I'm not sure if I can see what the issue is from them...
testsr-fortigate # diag debug cli 8
Debug messages will be on for 15 minutes.
testsr-fortigate # diag debug enable
testsr-fortigate # 0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get sys status
0: get system central-management
0: get system ip-conflict status
0: get sys status
0: get system central-management
0: get system ip-conflict status
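An added example, not part of the thread or of any Fortinet tooling: a small Python parser for the `diag debug cli 8` capture posted above, which groups the pushed `config ... end` blocks and counts commands logged with a non-zero leading number. It assumes that leading integer is the status the CLI reported for the command and does not interpret specific values; the function names and the shortened sample are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, shortened from the kind of capture posted in the thread.
SAMPLE = """\
testsr-fortigate # diag debug enable
testsr-fortigate # 0: get sys status
-61: get system auto-scale
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get system mgmt-csum
"""

# Optional "<hostname> # " prompt, then "<integer>: <command>".
LINE = re.compile(r"^(?:\S+ # )?(-?\d+): (.+)$")

def parse(text):
    """Return [(code, command)] for every 'code: command' line."""
    matches = (LINE.match(raw.strip()) for raw in text.splitlines())
    return [(int(m.group(1)), m.group(2).strip()) for m in matches if m]

def config_blocks(entries):
    """Group each top-level 'config ... end' run into its own list."""
    blocks, current, depth = [], [], 0
    for code, cmd in entries:
        if cmd.startswith("config "):
            depth += 1
        if depth > 0:
            current.append((code, cmd))
        if cmd == "end" and depth > 0:
            depth -= 1
            if depth == 0:
                blocks.append(current)
                current = []
    return blocks

def nonzero(entries):
    """Count commands whose leading number was not 0 (assumed: status)."""
    return Counter(cmd for code, cmd in entries if code != 0)

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for block in config_blocks(entries):
        print("pushed block:", [cmd for _, cmd in block])
        print("all zero:", all(code == 0 for code, _ in block))
    print("non-zero:", dict(nonzero(entries)))
```

Run over a full capture, this separates the configuration changes that reached the FortiGate from the repeated status polling around them.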
Hello
Can you confirm if the default web filter profile on the FortiGate is synced with FortiManager? Also check if it's in the correct VDOM.
They look the same but I have more profiles in FortiManager than I do on the FortiGate.
I am not using any VDOMs.
I solved this issue by configuring my firewall policy via the FortiManager Policy Package and deploying to the FortiGate that way.
 
					
				
				
			
		