Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rzahraoui
New Contributor

FortiGuard Issue

Hi all,

 

I want use web filtering by using Fortiguard.

So, i created a Web filter profile and enabled fortiguard categories and apply it to a given ACL.

The issue is when i test this, all sites are authorized, even if i blocked all the categories on Fortiguard.

 

What can be the cause of this?

 

Fortigate 100D.

FortiOS: 5.2.2 Build642

 

Thanks for help!!

 

 

12 REPLIES 12
bikash_Shaw
New Contributor III

Hi 

I will advise to see the license information in dashborad (license information). Web category will block only http based connection. For blocking https connection please follow link to achieve.

 

http://docs.fortinet.com/d/fortigate-configuring-fortios-v5.0-webfiltering-for-https-scanning-withou...

 

Regards

Bikash 

rzahraoui
New Contributor

Hi,

 

There is no issue with the licence, when i use feltering by URL, blocking access work.

The issue is relataed only to FortiGuard, all http and https access are not blocked in spite of enabling Fortiguard like specifed below.

 

 

Fullmoon

Does the Web Profile applied to the appropriate policy? Don't forget to apply also SSL/SSH Inspection to the policy. Make it sure that HTTPS/443 protocol was selected.

 

Pls see attached file for reference

 

Fortigate Newbie

Fortigate Newbie
rzahraoui
New Contributor

Hi,

 

I have already this autorized and applied but still have the issue.

 

 

Fullmoon

pls check attached file. maybe you can play around Application Control in this case

Fortigate Newbie

Fortigate Newbie
Dave_Hall
Honored Contributor

Hi Zahraoui.

 

Fire wall policy rules are executed from top-down in the firewall chain.  From the screenshot, it looks like you have created an identity (GRP-SECOP) firewall policy -- is this policy near or at the top of the firewall rules list?  A screenshot of the firewall rules list would be nice.

 

Also can you provide more info on WHP-GRP-WEB-SERVICES?  If this custom service is meant to cover HTTP/HTTPS traffic, it should have the source ports set to 1-65535.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
rzahraoui
New Contributor

Hi Dave,

 

No issue about the rule order (this is a test rule), this rule is in the top before other rules more general. And my test user is member of this group / GRP-SECOP

About Service group, it's contain web ports (http, https and also tcp/8000, tcp/8080), but i think that the rule controls just the destination ports and no filtering aplied to the source ports.

 

I note that i use the same group of service with other rules by appling web filter profiles using url filtering and this work perfectly. The issue is just with fortiguard categories.

 

 

 

 

 

Dave_Hall
Honored Contributor

Try sniffing that test user traffic, eg.

 

diag debug reset diag debug flow filter addr <test user IP address> diag debug flow filter proto 6 diag debug flow filter port 80 diag debug flow show console enable diag debug flow trace start 1000 diag debug en

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
soonguan

hi,

try go to config>fortiguard to check which port are reachable to fortiguard server.

There is a "Test Availability" button under "Web Filtering and Email Filtering Options".

Fortigate to access fortiguard to get the category of web filtering using port 53 or 8888.

Besides, you can use following command to check the fortiguard connectivity as well:

FG60DP4614001443 # diag debug rating Locale : english License : Contract Expiration : Sat Jan 2 2016

-=- Server List (Mon Mar 2 09:18:20 2015) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost 121.111.236.180 10 110 9 4480 0 11 121.111.236.179 10 110 9 6509 0 13 62.209.40.74 70 422 1 3701 0 256 62.209.40.73 70 425 1 3674 0 226 62.209.40.72 70 434 1 3714 0 269 80.85.69.40 80 395 0 3669 0 221 80.85.69.37 80 405 0 3696 0 251 80.85.69.41 80 415 0 3680 0 232 80.85.69.38 80 417 0 3711 0 263 66.117.56.42 130 243 -5 3450 0 0 209.222.147.36 130 249 -5 3453 0 3 66.117.56.37 130 252 -5 3456 0 6 209.222.147.43 130 265 -5 3457 0 7 64.26.151.37 130 344 -5 3607 0 157 64.26.151.36 130 344 -5 3608 0 159 64.26.151.35 130 345 -5 3604 0 155 69.195.205.101 130 405 -5 3698 0 253 69.195.205.102 130 413 -5 3708 0 263 96.45.33.64 160 176 -8 3451 0 1 96.45.33.65 160 195 -8 3453 0 3 208.91.112.196 160 213 D -8 3498 0 45 208.91.112.200 160 218 -8 3483 0 37 208.91.112.198 163 2204 DI -8 3596 0 140

FG60DP4614001443 #

 

Regards,

Soon Guan

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors