
How to trace why a user is not hitting a web filter

I have two FGT200G devices set up in a cluster and a local Active Directory domain. I use local LDAP to authenticate users, and all computers are domain-joined and run Windows 10/11. I also have a FortiAnalyzer set up for reporting, and web filter policies blocking certain sites.


The issue I am facing is that sometimes users do not hit the relevant Web Filter policy and end up in the Catch All Web Filter. I have been trying to figure out why this is but have had no luck.


Is there a way of seeing why the user did not hit the web filter policy? Could it be that the FortiGate did not know the user?


Are you using FSSO or active portal?

If FSSO, which type?




I am using FSSO, I have added 10 user groups below which are assigned to users and used to determine which web filter to hit.



Hi Julian

  • Which FortiOS version?
  • Which FSSO agent version?
  • Windows domain controller version?
  • Did it work fine before? If so, what were the last changes you made before it started to fail (firmware upgrade? any config change?...)
  • Do you see the affected users in FortiGate's user monitor (FortiView) at the moment when the issue occurs?
  • Do you see the affected users in FSSO agent (user view) at the moment when the issue occurs?

I am having issues with getting outgoing SSL VPN set up

  • FortiGate FGT200F-HA1 cluster running v7.2.4 firmware.
  • DUO Authentication Proxy 6.3.0
  • Windows Server 2016
  • FSSO Agent v5.0.0309

The VPN is set up as:

  • Users connect to the VPN remotely via FortiClient VPN.
  • All traffic goes through the SSL VPN.
  • Users are authenticated via Active Directory username, password, and DUO 2-Factor, and must be a member of two groups, one to allow VPN, and the other to determine their web access.
  • The DUO Radius server is local.
  • All users are Domain joined and Windows OS based.

With my current configuration, remote users can connect successfully and 2-factor works, and all users' outgoing web access to sites is the same.




What I am trying to do, and it is not working, is to filter the outgoing traffic based on the user's Active Directory group.

I have created more Firewall Policies like the one below, but when activated, VPN users always hit the first Firewall policy even if they are not in the Active Directory group.




I have checked the FortiGate Source rules, and it says if the Source types are different then it’s “AND” and if they are the same it’s “OR”.

So the example should only be met if all sources are met.


Here are my Firewall Policies in sequence; VPN - Elevated is always hit.

Firewall Policy Sequence.png



Could this be the issue, as the first two sources in the Firewall Policy are Groups, so it is doing an "OR" and not an "AND"?


Between identical elements, it's a logical OR (e.g. this address or this address).

Between different elements, it's a logical AND (this address AND this group-member AND this MAC-address).



Firewall Policy SOURCE
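
The matching rule quoted above (OR between entries of the same type, AND between different types), as an added example that is not part of the original thread and is not FortiOS code: a simplified Python model of first-match policy evaluation showing why a policy that lists two groups matches a user who is in only one of them. Every name except "VPN - Elevated" (the group names, the address object and the second policy) is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    sources: dict  # source type -> set of accepted entries

def source_matches(policy, session):
    """AND across source types, OR between entries of the same type."""
    return all(wanted & session.get(kind, set())
               for kind, wanted in policy.sources.items())

def first_match(policies, session):
    """Policies are checked in sequence; the first one that matches wins."""
    for policy in policies:
        if source_matches(policy, session):
            return policy.name
    return None

# Constructed layout: each policy lists the VPN group AND an access group,
# hoping for "member of both". Both entries are groups, so they are OR'ed.
TWO_GROUPS = [
    Policy("VPN - Elevated", {"address": {"vpn-range"},
                              "group": {"VPN-Allow", "Web-Elevated"}}),
    Policy("VPN - Standard", {"address": {"vpn-range"},
                              "group": {"VPN-Allow", "Web-Standard"}}),
]

# Constructed variation: one group per policy, so the group test is exact.
ONE_GROUP = [
    Policy("VPN - Elevated", {"address": {"vpn-range"},
                              "group": {"Web-Elevated"}}),
    Policy("VPN - Standard", {"address": {"vpn-range"},
                              "group": {"Web-Standard"}}),
]

# Constructed session: a VPN user who is NOT in the elevated group.
STANDARD_USER = {"address": {"vpn-range"},
                 "group": {"VPN-Allow", "Web-Standard"}}

if __name__ == "__main__":
    print("two groups per policy:", first_match(TWO_GROUPS, STANDARD_USER))
    print("one group per policy: ", first_match(ONE_GROUP, STANDARD_USER))
```
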



Hi @julianhaines,


You need to check and make sure the user appears as logged in on the collector agent and FortiGate. Please refer to


