hamdi_kadri
New Contributor

Fortigate Web Filter fails to block Facebook on Google Chrome

This is a weird phenomenon I noticed today: even though the Social Networking sub-category is set to "block" on Web Filter, users who use Google Chrome still have access to it.

I tried with Firefox and Opera and Web Filter works properly.

Changing my settings to use Explicit proxy, I can get to block Facebook with no problems. But if I apply my Web Filter Profile to the ACL, Facebook bypasses the Web Filter.

I even blocked everything on my Web Filter profile, added a wildcard filter, etc. It didn't work with Facebook.

My firmware is v5.4.8,build1183 running on a FG30E.

Any ideas?

UPDATE: I tried with another firmware version (v5.2.10,build742) on another appliance (FG500D) and WebFilter is working properly. Can someone else confirm the issue with v5.4.8,build1183? My real concern is that the appliance is in production and I can't upgrade without being sure that it will solve the issue.

Hamdi KADRI
7 REPLIES
sw2090
Honored Contributor

Yesterday I got notified by some users that they can access Facebook too, even though the category is blocked, like in your case. So maybe we have the same problem on FGT9x and FGT100E with 5.4.x.

Did you already open a case with Fortinet Support on this?

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

OK, since we seem to have that same issue (Facebook blocked by webfilter by FortiGuard AND local category but still accessible), I now opened a ticket with Fortinet Support. We'll see what they will say...

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

On this last ticket Fortinet TAC and we came to the conclusion that it might be due to using security profile groups.

So we meanwhile have eliminated those. Thus we still encounter this issue and it does not only affect Facebook but also some R-rated sites which also are not blocked by category.

So this is still an issue at least in 5.4. So I opened a new ticket with TAC. We'll see what comes out.

I will also - if I find the time to - do a test on 5.6 with some FortiGate (I now have some non-productive ones here I can use).

I'll keep you updated.

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

My FGT are in proxy-based inspection mode already. At the moment it looks as if the category-based filtering does not work at all with Chrome.

Update: also does not work in Edge. IE is not available on my clients...

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

OK, more updates.

During my tests I found this out:

Webfilter works in 5.4.3 or higher if you enable HTTP in the proxy profile that is enabled automatically when you enable a webfilter profile in a policy. Per factory default this is disabled (dunno why...).

This however does not work for HTTPS! I got it to work for HTTPS by enabling SSL inspection with our certificate installed (to not get certificate warnings since its CA is distributed here) with some default settings.

Set up this way it even blocks facebook.de or .com with and without HTTPS :)

So that's not a bug - it's a feature :)

I'll let TAC know this too.

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
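
The setup described in the post above, written out as a FortiOS 5.4 CLI sketch. This is an added example, not configuration posted by anyone in the thread: the profile names, the policy ID and the CA certificate name are placeholders, and "SSL inspection with our certificate" is assumed to mean deep inspection with a re-signing CA that clients already trust.

```fortios
# Constructed example. Quoted names and the policy ID are placeholders.

# 1. Protocol (proxy) options: HTTP scanning has to be enabled, which the
#    post reports was disabled by default on its 5.4 units.
config firewall profile-protocol-options
    edit "wf-proxy-options"
        config http
            set ports 80
            set status enable
        end
    next
end

# 2. SSL inspection profile for HTTPS traffic. Assumption: deep inspection,
#    re-signing with a CA certificate already distributed to the clients.
config firewall ssl-ssh-profile
    edit "wf-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        set caname "Internal_SSL_CA"
    next
end

# 3. The policy has to reference all three profiles together.
config firewall policy
    edit 10
        set utm-status enable
        set profile-protocol-options "wf-proxy-options"
        set ssl-ssh-profile "wf-deep-inspection"
        set webfilter-profile "block-social"
    next
end
```

After applying it, request a blocked category over both http:// and https:// from each browser in use and confirm that a block entry appears in the web filter log for each attempt.
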
Tindrli
New Contributor

The way it worked for me (I'm on FortiOS version 5.6.3) was that I had to change Inspection mode to Proxy and then I separated two policies. One policy is for Web filtering and the second one is for App filtering. I created new SSL and IPS profiles as well. Don't know how it will affect this process but I did it anyways.

After I created the policies I had to log out and log back in to the client computer and after that everything worked as intended. It seems that Web filtering and App filtering don't like each other if they are under one policy.

sw2090
Honored Contributor

OK, but this on the one hand does not say anything about 5.4. There are many things different between 5.4 and 5.6.

Also haven't yet gotten any solutions on my ticket with Fortinet TAC.

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams