Prior to upgrading from 5.6.11 to 6.0.9, I had a Local Rating Override of site "{redacted}-VPN.com" from FortiGuard Category "Proxy Avoidance" to Local Category "VPN". I then allowed the "VPN" Category in a Web-filter Profile associated with a firewall rule. However, after the upgrade, this override is no longer working and access to the site is denied.
Note: access is denied for HTTPS request, while HTTP requests are allowed.
Is 6.0.9 doing rating overrides differently, and if so, how do I effect it?
Here's the configuration in 5.6.11:

    config webfilter ftgd-local-rating
        edit "{redacted}.com"
            set rating 140
        next
    end
    config webfilter ftgd-local-cat
        edit "VPN"
            set id 140
        next
        :
    end
    config webfilter profile
        :
        edit "Clone of default"
            set comment "Default web filtering."
            set inspection-mode flow-based
            config ftgd-wf
                set options rate-server-ip
                set category-override 140
                config filters
                    :
                    edit 88
                        set category 140
                    next
                    :
                end
            end
        next
    end

After the upgrade to 6.0.9, the configuration is identical except that "set category-override 140" doesn't exist. (The FortiOS CLI Reference for 6.0.9 no longer shows the "category-override" parameter.)
    config firewall ssl-ssh-profile
        edit "certificate-inspection"
            set comment "Read-only SSL handshake inspection profile."
            config https
                set ports 443
                set status certificate-inspection
            end
            config ftps
                set status disable
            end
            config imaps
                set status disable
            end
            config pop3s
                set status disable
            end
            config smtps
                set status disable
            end
            config ssh
                set ports 22
            end
        next
    end
Also, the traffic to the site is now denied:

    FWF # execute log filter dump
    category: webfilter
    device: disk
    start-line: 11
    view-lines: 10
    max-checklines: 0
    HA member:
    Filter:
    Oftp search string:

    FWF# execute log display
    35 logs found.
    10 logs returned.
    1: date=2020-05-30 time=01:10:09 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1590765009 policyid=1 sessionid=614 srcip={redacted} srcport=51237 srcintf="wire_less_ssw" srcintfrole="lan" dstip={redacted} dstport=443 dstintf="wan2" dstintfrole="wan" proto=6 service="HTTPS" hostname="{redacted}-VPN.com" profile="Clone of default" action="blocked" reqtype="direct" url="/" sentbyte=517 rcvdbyte=1460 direction="incoming" msg="URL belongs to a denied category in policy" method="domain" cat=59 catdesc="Proxy Avoidance" crscore=40 crlevel="high"
I don't remember what the 5.6 config looked like for web category filtering. But at least with 6.0, allowed categories wouldn't show up under "config webfilter profile/edit "VPN"" because "Allow" is the default action in the file, so you can't even set "set action allow" under "edit xx". To allow that category in CLI, you need to remove that entry.
If you have doubts, just create a new profile and set all categories to "Allow". You should see an almost empty profile. Since you allowed the "VPN" category, it's expected not to show up there.
By the way, does this happen to be an HTTPS site? And are you enabling at least "certificate-inspection"? I think it started being required since 6.0.
Thanks for taking time to answer...
> And are you enabling at least "certificate-inspection"? I think it started being required since 6.0.
doesn't the "config firewall ssl-ssh-profile" above show this?
At the policies.
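The advice in the two replies above, rendered as FortiOS CLI. This is an added example, not posted by anyone in the thread: in 6.0 an allowed category is expressed by the absence of a "config filters" entry, so the entry for local category 140 is deleted rather than set to allow, and the SSL/SSH inspection profile is attached on the firewall policy together with the web filter profile. The "ftgd-local-cat" and "ftgd-local-rating" objects stay exactly as in the 5.6 dump and are not repeated here. Assumptions: filter entry 88 is the one carrying category 140 (as in the 5.6 dump) and policy 1 is the policy from the blocked-traffic log.

```text
# Remove the filter entry for the local "VPN" category (id 140).
# In 6.0 there is no "set action allow"; a category with no entry is allowed.
config webfilter profile
    edit "Clone of default"
        config ftgd-wf
            config filters
                delete 88
            end
        end
    next
end

# Check: category 140 should no longer be listed under "config filters".
show webfilter profile "Clone of default"

# Enable UTM on the policy and bind both profiles there ("At the policies").
# policyid=1 is taken from the blocked-traffic log in the original post.
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Clone of default"
    next
end
```

Note what the log in the original post shows: the HTTPS request is blocked with cat=59 ("Proxy Avoidance"), not the local category 140. The block is therefore coming from the FortiGuard rating, which means the local rating override was not applied to that request; removing the category 140 entry only makes a difference once the override is actually applied.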
For posterity... acknowledged by Fortinet as a fault with TLS 1.3 sites, but it won't be fixed in 6.0.x.
I also had this issue, what resolved it for me was creating a new SSL/SSH Inspection under Security Profiles.
Set it to Full Inspection and, under Exempt from SSL Inspection, put your web categories. For me it populated all the ones that were enabled; I just had to add the custom whitelist that I had created. The image below was taken from the system I just got working; let me know if this works for you.
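The same workaround as CLI, as an added example that is not the poster's own configuration: a new SSL/SSH inspection profile with HTTPS set to full (deep) inspection, the local "VPN" category (id 140 from the original post) exempted from decryption, and the policy switched over to the new profile. The profile name "deep-inspection-vpn" and the exempt entry ID are assumptions; policy 1 is the policyid from the log in the original post.

```text
# New inspection profile: decrypt HTTPS, but exempt the local category
# (assumed name "deep-inspection-vpn"; entry id 1 is arbitrary).
config firewall ssl-ssh-profile
    edit "deep-inspection-vpn"
        set comment "Full inspection, local VPN category exempted"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 140
            next
        end
    next
end

# Switch the policy from certificate-inspection to the new profile.
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-vpn"
        set webfilter-profile "Clone of default"
    next
end
```

Two caveats a practitioner will want. First, full inspection re-signs server certificates with the FortiGate's CA, so every client behind policy 1 must trust that CA or it will see certificate warnings on every non-exempt HTTPS site. Second, the custom whitelist the poster mentions would be further "ssl-exempt" entries; assuming the 6.0 CLI, those use "set type address" or "set type wildcard-fqdn" with the matching object, rather than "fortiguard-category".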
Do you think that's baked into 6.0.10? Upgrading firewalls to 6.0.10 soon.
Copyright 2024 Fortinet, Inc. All Rights Reserved.