Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexFeren
New Contributor III

Category Override not working after upgrade to 6.0.9

Prior to the upgrade from 5.6.11 to 6.0.9, I had a Local Rating Override of the site "{redacted}-VPN.com" from FortiGuard Category "Proxy Avoidance" to Local Category "VPN". I then allowed the "VPN" Category in a Web-filter Profile associated with a firewall rule. However, after the upgrade, this override is no longer working and access to the site is denied.

 

Note: access is denied for HTTPS requests, while HTTP requests are allowed.

 

Is 6.0.9 doing rating overrides differently, and if so, how do I effect it?

 

Here's the configuration in 5.6.11 (":" marks entries I've left out):

```
config webfilter ftgd-local-rating
    edit "{redacted}.com"
        set rating 140
    next
end
config webfilter ftgd-local-cat
    edit "VPN"
        set id 140
    next
    :
end
config webfilter profile
    :
    edit "Clone of default"
        set comment "Default web filtering."
        set inspection-mode flow-based
        config ftgd-wf
            set options rate-server-ip
            set category-override 140
            config filters
                :
                edit 88
                    set category 140
                next
                :
            end
        end
    next
end
```

After the upgrade to 6.0.9, the configuration is identical except that "set category-override 140" doesn't exist. (The FortiOS CLI Reference for 6.0.9 no longer shows the "category-override" parameter.)

 

```
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443
            set status certificate-inspection
        end
        config ftps
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        config ssh
            set ports 22
        end
    next
end
```

Also, the traffic to the site is now denied:

```
FWF # execute log filter dump
category: webfilter
device: disk
start-line: 11
view-lines: 10
max-checklines: 0
HA member:
Filter:
Oftp search string:

FWF # execute log display
35 logs found.
10 logs returned.
1: date=2020-05-30 time=01:10:09 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1590765009 policyid=1 sessionid=614 srcip={redacted} srcport=51237 srcintf="wire_less_ssw" srcintfrole="lan" dstip={redacted} dstport=443 dstintf="wan2" dstintfrole="wan" proto=6 service="HTTPS" hostname="{redacted}-VPN.com" profile="Clone of default" action="blocked" reqtype="direct" url="/" sentbyte=517 rcvdbyte=1460 direction="incoming" msg="URL belongs to a denied category in policy" method="domain" cat=59 catdesc="Proxy Avoidance" crscore=40 crlevel="high"
```
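As an added example (not from the post, and not Fortinet code), the script below answers the question the post is working through: are the local rating overrides actually being applied? It parses a `config webfilter ftgd-local-rating` block and FortiGate webfilter log lines of the form shown above, and reports hits where a host covered by an override was still rated with a FortiGuard category (here cat=59, Proxy Avoidance, instead of local category 140). The config block and log lines inside the script are constructed from the post's examples with the hostnames replaced; the matching rule (exact host, parent domain or a leading `*.` wildcard) is the script's own assumption, not a statement of how FortiGuard matches.

```python
"""Report FortiGate webfilter hits where a local rating override was not applied.

Added example: the config block and log lines are constructed, modelled on the
ones quoted in the forum post. Host matching below is this script's assumption.
"""
import re
from dataclasses import dataclass

# key=value pairs; quoted values may contain spaces, bare values may not
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample config in the syntax quoted in the post (second entry added).
LOCAL_RATING_CONFIG = """\
config webfilter ftgd-local-rating
    edit "example-vpn.com"
        set rating 140
    next
    edit "*.mirror.example.net"
        set rating 140
    next
end
"""

# Constructed sample logs in the post's format, hostnames and addresses replaced.
LOG_LINES = [
    # the symptom from the post: HTTPS hit rated with FortiGuard cat 59, blocked
    'date=2020-05-30 time=01:10:09 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=1 sessionid=614 '
    'srcip=10.0.0.5 srcport=51237 dstip=203.0.113.10 dstport=443 proto=6 service="HTTPS" '
    'hostname="example-vpn.com" profile="Clone of default" action="blocked" reqtype="direct" '
    'url="/" msg="URL belongs to a denied category in policy" method="domain" cat=59 '
    'catdesc="Proxy Avoidance" crscore=40 crlevel="high"',
    # the same host over HTTP: override applied, rated with local category 140
    'date=2020-05-30 time=01:10:12 logid="0317013312" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" policyid=1 sessionid=615 '
    'srcip=10.0.0.5 srcport=51240 dstip=203.0.113.10 dstport=80 proto=6 service="HTTP" '
    'hostname="example-vpn.com" profile="Clone of default" action="passthrough" '
    'reqtype="direct" url="/" method="domain" cat=140 catdesc="VPN"',
    # wildcard override applied correctly
    'date=2020-05-30 time=01:11:00 logid="0317013312" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" policyid=1 sessionid=620 '
    'srcip=10.0.0.7 srcport=50001 dstip=203.0.113.20 dstport=443 proto=6 service="HTTPS" '
    'hostname="files.mirror.example.net" profile="Clone of default" action="passthrough" '
    'reqtype="direct" url="/" method="domain" cat=140 catdesc="VPN"',
    # host with no override: a block here is expected, so it is not a miss
    'date=2020-05-30 time=01:12:00 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=1 sessionid=630 '
    'srcip=10.0.0.9 srcport=50100 dstip=198.51.100.4 dstport=443 proto=6 service="HTTPS" '
    'hostname="other.example.org" profile="Clone of default" action="blocked" '
    'reqtype="direct" url="/" method="domain" cat=26 catdesc="Malicious Websites"',
]


@dataclass
class OverrideMiss:
    hostname: str
    pattern: str
    expected_rating: int
    observed_cat: int
    catdesc: str
    service: str
    action: str


def parse_log_line(line: str) -> dict:
    """Parse one FortiGate key=value log line. Bare numeric values become int;
    quoted values (logid, msg, ...) stay strings so leading zeros survive."""
    out = {}
    for key, quoted, bare in _KV.findall(line):
        if quoted:
            out[key] = quoted
        elif bare.isdigit():
            out[key] = int(bare)
        else:
            out[key] = bare
    return out


def parse_local_ratings(config_text: str) -> dict:
    """Extract {url_pattern: rating_id} from a `config webfilter ftgd-local-rating` block."""
    ratings, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config webfilter ftgd-local-rating":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
        elif line.startswith("set rating ") and current is not None:
            ratings[current] = int(line.split()[-1])
        elif line == "next":
            current = None
    return ratings


def match_override(hostname: str, ratings: dict):
    """Return (pattern, rating) of the most specific override covering hostname.
    Assumed rule: exact host, a parent domain, or a leading "*." wildcard."""
    host = hostname.lower().rstrip(".")
    best = None
    for pattern, rating in ratings.items():
        p = pattern.lower()
        if p.startswith("*."):
            matched = host.endswith(p[1:])            # "*.a.b" covers "x.a.b"
        else:
            matched = host == p or host.endswith("." + p)
        if matched and (best is None or len(pattern) > len(best[0])):
            best = (pattern, rating)
    return best


def find_override_misses(config_text: str, log_lines) -> list:
    """Webfilter hits whose host has an override but was rated with another category."""
    ratings = parse_local_ratings(config_text)
    misses = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev.get("subtype") != "webfilter" or "hostname" not in ev:
            continue
        hit = match_override(ev["hostname"], ratings)
        if hit is None or ev.get("cat") == hit[1]:
            continue
        misses.append(OverrideMiss(ev["hostname"], hit[0], hit[1], ev.get("cat", -1),
                                   ev.get("catdesc", ""), ev.get("service", ""),
                                   ev.get("action", "")))
    return misses


if __name__ == "__main__":
    for m in find_override_misses(LOCAL_RATING_CONFIG, LOG_LINES):
        print(f"{m.hostname} ({m.service}, {m.action}): expected local rating "
              f"{m.expected_rating} via '{m.pattern}', got cat={m.observed_cat} {m.catdesc}")
```

Run against a real `execute log display` dump (one log line per list entry) the output isolates exactly the pattern in the post: the HTTPS hit is reported as a miss while the HTTP hit to the same host, which did receive category 140, is not.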

  

Toshi_Esumi
Esteemed Contributor III

I don't remember how the 5.6 config looked for web category filtering. But at least with 6.0, an allowed category wouldn't show up under "config webfilter profile/edit "VPN"" because "Allow" is the default action in the file, so you can't even set "set action allow" under "edit xx". To allow that category in the CLI, you need to remove that entry.

If you have doubts, just create a new profile and set all categories to "Allow". You should see an almost empty profile. Since you allowed the "VPN" category, it's expected not to show up there.

 

By the way, does this happen to be an HTTPS site? And are you enabling at least "certificate-inspection"? I think it started being required since 6.0.

 

 

AlexFeren

Thanks for taking time to answer...

 

> And are you enabling at least "certificate-inspection"? I think it started being required since 6.0.

Doesn't the "config firewall ssl-ssh-profile" above show this?

 

Toshi_Esumi
Esteemed Contributor III

At the policies.

AlexFeren

The above "firewall ssl-ssh-profile" profile "certificate-inspection" is applied on the firewall policies. As I've written, the override worked in 5.6.11 and doesn't work in 6.0.9. The only configuration changes made were by the upgrade migration.
AlexFeren
New Contributor III

For posterity: acknowledged by Fortinet as a fault with TLS 1.3 sites, but it won't be fixed in 6.0.x.

MdMan85

I also had this issue, what resolved it for me was creating a new SSL/SSH Inspection under Security Profiles.

 

Set it to Full Inspection and under Exempt from SSL Inspection put your web categories. For me it populated all the ones that were enabled; I just had to add the custom white list that I had created. The image below was taken from the system I just got working. Let me know if this works for you.

 

 

 

AlexFeren
New Contributor III

For posterity, Fortinet TAC supplied Engineering Build IPS Engine. Problem fixed.
MdMan85

Do you think that's baked into 6.0.10? I'm upgrading firewalls to 6.0.10 soon.

AlexFeren
New Contributor III

The original TAC response was that it won't be fixed in 6.0; however, due to a request by a "premium TAM customer" (not us), it will be in 6.0.11.