unfortunately that doesnt work. I tried it, the logs showed 2 blocked packets, then success to a different address and the website came up. I am going to have to open a support ticket on this I think.

Just go through this and you will get the idea on how to do it.

What you did failed exactly because it had no ssl inspection as you said. Also don't forget to block google's new quic protocol.

so many people are struggling with this because of their quic thing now..we should have a sticky post with a checklist for webfiltering.

thanks, I will give it a try

Did you figure this out? I haven't gotten it working yet either, but I did just disable QUIC. I opened a support ticket to ask FG, but didn't know if you had it working to block the "unblocked" Google sites yet, yet leave all the other Google sites open.

Mbutler522010 wrote:

unfortunately that doesnt work.

FG60C (root) # show firewall policy 18 config firewall policy     edit 18         set srcintf "any"         set dstintf "any"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set logtraffic all         set comments "Block Ads"         set av-profile "Block_Virus_Botnet_AV"         set webfilter-profile "Block_Ads_Security_WF"         set application-list "Block_Botnet_AppCtrl"         set profile-protocol-options "default"         set ssl-ssh-profile "Deep-inspection with HSTS Exception"     next end

FG60C (root) # show webfilter profile Block_Ads_Security_WF config webfilter profile     edit "Block_Ads_Security_WF"         set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override             config override                 set ovrd-scope ask                 set ovrd-dur 2h                 set ovrd-user-group "Local Users Group"                 set profile "monitor-all for override"             end             config web                 set urlfilter-table 1             end             config ftgd-wf                 unset options                 set category-override g01 g02 g04 g05 g06 g07 g21 142 140 141                 set ovrd 8 13 14 g05 17                     config filters                         edit 17                             set category 17                             set action block                         next                         edit 26                             set category 26                             set action block                         next                         edit 61                             set category 61                             set action block                         next                         edit 86                             set category 86                             set action block                         next                         edit 87                             set category 13                             set action block                         next                         edit 88                             set category 8                             set action block                         next                         edit 89                             set category 14                             set action block                         next                     end             end     next end

FG60C (root) # get webfilter urlfilter *id    ID. 1  Block_Ads_Security_WF    FG60C (root) # show webfilter urlfilter 1 config webfilter urlfilter     edit 1         set name "Block_Ads_Security_WF"             config entries                 edit 1                     set url "s.yimg.com/gs/apex/mediastore/*"                     set type wildcard                     set action block                 next                 edit 2                     set url "sites.google.com/site/unblockedgames4me"                     set type wildcard                     set action block                 next             end     next end

FG60C (root) # execute log filter reset FG60C (root) # execute log filter category utm-webfilter FG60C (root) # execute log filter field urlfilteridx 1

Now, from my machine, X.X.25.70, issue :

$ curl -ik https://sites.google.com/site/unblockedgames4me :

        <p>           The page you have requested has been blocked, because the URL is           banned.         </p> :

On Fortigate get:

FG60C (root) # execute log display 11 logs found. 10 logs returned. 1: date=2015-12-09 time=17:02:32 logid=0315012544 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=1 urlfilterlist="Block_Ads_Security_WF" policyid=18 sessionid=463855 user="" srcip=X.X.25.70 srcport=54357 srcintf="internal4" dstip=203.13.161.86 dstport=443 dstintf="wan1" proto=6 service=HTTPS hostname="sites.google.com" profile="Block_Ads_Security_WF" action=blocked reqtype=direct url="/site/unblockedgames4me" sentbyte=102 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high :

[Edit: corrected URL]

Sorry for the late reply, but mine still doesn't work. What settings do you have for your "set ssl-ssh-profile "Deep-inspection with HSTS Exception" profile? I believe that might be my issue. With only "set status certificate-inspection" instead of full/deep inspection, then my FG won't block by the wildcard in the Google site URL. If I enable Full (deep) inspection, then Google complains about HSTS issues. How did you get past that issue? 

Thank you so much!!! I am much closer on this now. It seems like many websites use HSTS, so if I want to use wildcard URL filters on HTTPS sites, then I should use Full/deep inspection to block the sites I want to block...but then I still need to exempt most everything else. So that's where I'm at now, trying to figure out all the sites I need to exempt. But this is so much closer to blocking the 'unblocked' Google sites - so thank you!!!