Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sylvain92
New Contributor II

FortiOS 7.2.x - Web Filtering quota issues - no matching entries found

Hi everyone,

I am unsuccessfully trying to implement Web Filter Category quota on my 40F.

Two problems: despite a time limit set under a monitored category, (1) the client device has access to websites falling within that category beyond that time limit, and (2) in the FortiGuard Quota Monitor dashboard, the FortiGate displays "No matching entries found" for this client IP.

 

Current setup:

  • License activated;
  • Explicit Proxy features activated;
  • FortiGuard filtering services on port 8888; no report received after launching the connectivity test;
  • Network > Interfaces: Explicit Proxy (HTTP 8080, no PAC file) on that VLAN (10 clients: 5 laptops, 5 mobiles);
  • Policy & Objects > Firewall Policy, proxy-based, for this VLAN to the ISP;
  • Policy & Objects > Proxy Policy, proxy-based, with the Web Filtering profile on that VLAN address range;
  • Security Profiles > Web Filter profile in proxy mode; and
  • Client proxy manually set up with the VLAN interface IP and the Explicit Proxy port.

What I can see:

  • Client-accessed pages are apparently buffered (no immediate streaming);
  • traffic appears in the Proxy Policy;
  • the FG displays "No matching entries found" in the FortiGuard Quota Monitor;
  • the FG cannot ping the client device anymore (i.e. it pinged it before I implemented this proxy policy) but still pings FQDNs or external hosts; and
  • if the Firewall Policy in proxy mode is disabled, then client mobiles connect without being granted internet access.

Having been through the Troubleshooting Tip "FortiGuard Web Filtering problems", I am stuck at test 5. For recap and confirmation:

  • test #1: service enabled, but I am not sure I understand the meaning of the flags;
  • test #2: success;
  • test #3: success;
  • test #4: success.

I also tried changing the Explicit Proxy HTTP listening port to 8888, and likewise in the client settings. The FortiGate just recorded one second of access to the categorized website.

I am not an IT guy and am clearly doing something wrong. I hope you can give me some corrections/tips to move on.

Thanks!

Anthony_E
Community Manager

Hello Sylvain,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Sylvain,

We are still looking for someone to help you.

We will come back to you ASAP.

Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hi Sylvain,

If you are encountering the "No matching entries found" message when trying to add or view web filtering quotas in FortiOS 7.2.x, it indicates that no custom quotas or categories have been added yet:

  1. Access Security Profiles: Navigate to the "Security Profiles" section in the FortiGate GUI.
  2. Select Web Filter: Click on "Web Filter" to access the web filtering settings.
  3. Edit Web Filter Profile: Choose the web filter profile you wish to edit or create a new one.
  4. Add Category Usage Quota: In the "Category Usage Quota" section, click on "+ Create New" to add a new quota and define the category and set the desired quota limits.
  5. Save Changes: After configuring the necessary settings, ensure you save the changes to apply the new quotas.
Anthony-Fortinet Community Team.
Sylvain92
New Contributor II

Hi Anthony, many thanks for the follow-up. The Web Filter was set up adequately and selected in the Proxy Policy.

funkylicious
SuperUser

Hi,

I think the issue lies in the fact that you are using Explicit Proxy instead of granting access directly to the devices without a proxy.

In the documentation, https://docs.fortinet.com/document/fortigate/7.2.11/administration-guide/801136 , it states that the firewall policy should be in proxy mode, and that in the web filter the category in question should be set to Monitor.

Since you are using a proxy address on the stations and a proxy policy that defines the allowed traffic, and because of that no firewall policy, this is most likely the reason.

"jack of all trades, master of none"
Sylvain92

Hi, thank you for this.

Having checked with Support, I am now testing a Firewall Policy in proxy mode together with Explicit Proxy (no PAC file yet), and the Category quota is working. Support added a deny firewall policy for QUIC. Confirmed in the Firewall User Monitor, which shows 1 authenticated client under "Firewall", none under "Proxy". The Forti Policies dashboard shows the relevant Firewall-type policies.

But I thought that I needed to set up a purely Proxy Policy to make this work. So if I disable that Firewall Policy in proxy mode and enable the corresponding Proxy Policy (same Web Filter and Category Quotas, except that SSL is set to handshake inspection only), why does this not work?

The testing device gets internet access without being prompted with the interface authentication page anymore.

The Forti Policies dashboard displays no Proxy-type policy, only the Implicit Deny Firewall-type policy from root. No Proxy user in the dashboard. The Quota dashboard shows the IP of the testing device without timing data.

I am definitely missing something, as I can't seem to grasp the difference between a Firewall policy in proxy mode and a "true" Proxy policy. Googled that without success yet.

funkylicious

Hi,

you could have a read here, https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/466137/...

So basically you have 2 options to grant users access.

1. With an explicit proxy, where the user sets a proxy ip:port in the system settings (+ auth optionally) and is then granted access; no firewall policy is needed, just a proxy policy with UTM profiles (AV/Web Filter/DNS/etc.).

2. With a firewall policy (either in flow mode or proxy mode), where the user doesn't have to do anything in the system settings; you need a firewall policy that grants access based on source IP and dst IP/ISDB, also with UTM profiles.

With the 2nd option there are several ways to authenticate users: AD polling/SSO/etc.

"jack of all trades, master of none"
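As an added illustration, not part of the thread above and not taken from Fortinet's documentation, here is a FortiOS CLI sketch of the second option as the documentation page linked earlier describes it: a web filter profile in proxy mode with the quota category set to Monitor, applied by a firewall policy whose inspection mode is proxy, with the QUIC deny policy Support added placed above it. The interface, address and profile names, the policy IDs, and category 37 (Social Networking in the FortiGuard category list) are assumptions; so is the presence of the predefined "QUIC" service object. The `#` lines are annotations for the reader, not FortiOS syntax, and must be stripped before pasting; the `?` completion under `set category` lists the category IDs your unit knows.

```text
# Added example, not from the thread. Names, address objects, policy IDs and
# the category number are assumptions; adjust them to your unit.
config webfilter profile
    edit "wf-quota"
        set feature-set proxy            # category quota needs proxy inspection
        config ftgd-wf
            config filters
                edit 1
                    set category 37      # assumed: 37 = Social Networking
                    set action monitor   # quota counts against Monitor, not Block
                next
            end
            config quota
                edit 1
                    set category 37
                    set type time
                    set duration 1h      # one hour of time per tracked client
                next
            end
        end
    next
end

config firewall policy
    # 1) Deny QUIC first (assumes the predefined "QUIC" service object), so
    #    browsers fall back to TCP 443, which the proxy can inspect and meter.
    #    It must sit above the accept policy, since matching is top-down.
    edit 10
        set name "deny-quic"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "vlan10-clients"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC"
    next
    # 2) Allow the VLAN out with the web filter, in PROXY inspection mode.
    #    A flow-mode policy ("set inspection-mode flow") cannot carry this
    #    proxy-mode profile, which is why the quota only works here.
    edit 11
        set name "vlan10-to-isp-quota"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "vlan10-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-quota"
        set nat enable
    next
end
```

The clients keep their normal, proxy-free settings with this layout; the Quota Monitor in the thread keyed on the client IP, and if you want the quota tracked per user instead, add users or groups to policy 11 (omitted here because it depends on the authentication method in use).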