Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jimsokol
New Contributor III

Issues blocking the "unrated" category?

We are considering blocking the unrated category. If any of you have done this, were there any unforeseen side effects we may need to know?
Dave_Hall
Honored Contributor

If any of you have done this, were there any unforeseen side effects we may need to know?
Yes. Though we haven't actually documented/detailed every single incident -- we did enable this feature on some of the FGTs we remotely manage -- we received nothing but complaints about legitimate web traffic being blocked, either outright or certain page elements (like graphics being pulled from another domain) missing from the page(s). Also, if I'm not mistaken (someone correct me on this) this option controls how the web content filter should behave in the event that the FGT is unable to contact the FortiGuard services. (e.g. the FortiGate loses its connection to the FortiGuard service, so it starts blocking all traffic.)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Christopher_McMullan

Not quite... Unrated is not the same as a rating error. Unrated could simply mean that the page hasn't been evaluated yet or assigned to a category, or (far more likely) the IP of the server hosting the page doesn't have a rating of its own - especially in the case of shared hosting.

When the FortiGate fails to get a response from FortiGuard to a website category query, a rating error occurs. The default behavior is to block the client's session. You can also choose, under the webfilter profile's advanced settings, to Allow Websites When a Rating Error Occurs. In this case, no one will be denied web access simply because of FGD connectivity issues. This obviously opens up security loopholes which would need to be addressed as quickly as possible, but it wouldn't nearly be the show-stopper that lack of Internet is.

Unrated, by comparison, is normal. You'd likely come across it if you choose to rate URLs by domain and IP. In this case, the website has a rating that could be completely different, not just distinct, from the server IP. For a while, www.callofduty.com and the website for the Embassy of the Republic of India in Washington, D.C. both had sites rated correctly (i.e., Gaming and Government), but the servers hosting them were rated as Dynamic Content. The FortiGate needs a tiebreaker decision on which action to apply: what if you block Gaming but allow Dynamic Content? It used to be that Strict Blocking took the most severe of the actions you apply to the two categories. That was phased out or deprecated over time. The new regime is to give each category a weighting, or a severity. Dynamic Content has a higher severity than Gaming, so the action you apply to Dynamic Content will be the action applied to the session when you rate by both domain and IP.

So...

- Allow websites when a rating error occurs *AND*
- Consider disabling the act of rating URLs by domain and IP, at least temporarily.

You should notice a drastic improvement, in that the complaints will stop coming in. Then you can decide how to address both options.

Regards, Chris McMullan Fortinet Ottawa
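As an added example (not part of this thread and not taken from Fortinet's documentation), this is what the two recommendations in the reply above look like in the FortiOS CLI. The profile name "default", the filter ID and the use of category ID 0 for Unrated are assumptions; confirm the category ID against `show webfilter profile` on your own firmware before applying it.

```fortios
# Added example: FortiOS CLI view of the two settings discussed above.
# Profile name "default", filter ID 1 and category ID 0 (Unrated) are assumptions.
config webfilter profile
    edit "default"
        config ftgd-wf
            # "Allow websites when a rating error occurs": error-allow keeps
            # users browsing if FortiGuard is unreachable, at the cost of
            # category enforcement being skipped for those sessions.
            # rate-server-ip is deliberately left out of the option list, which
            # turns off "Rate URLs by domain and IP", so the hosting IP's
            # category can no longer win the severity tiebreak over the domain.
            set options error-allow
            config filters
                edit 1
                    # Unrated (category ID 0 assumed): the block action is the
                    # setting the original poster is weighing up.
                    set category 0
                    set action block
                next
            end
        end
    next
end
```

Note that `set options` replaces the whole option list, so a profile that previously had `set options error-allow rate-server-ip` ends up with only `error-allow` after this change. Keep an eye on the web filter logs afterwards: rating-error sessions are now allowed rather than dropped, and blocked Unrated hits will show you which legitimate sites still need a rating request or a local override.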

Dave_Hall
Honored Contributor

Thanks for the clarification on this. "Allow Websites When a Rating Error Occurs" was what I was thinking of. Your suggestion is pretty much how we have it set up now.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

jimsokol
New Contributor III

Thanks for the replies. The reason we are considering adding the unrated category is that some of the recent malware uses just-registered, and sometimes "trial", domains too new to be rated for their 2 to 3 day infection sprees, only to disappear to another. We were interested in whether others have had any negative occurrences when they had done the same.
ShrewLWD
Contributor

We have UNRATED enabled at our corporate office for that very reason... 0-day exploits hosted on a previously unseen website, then sent via email with a link back to them. Should a legitimate site get blocked, Fortinet's rating/categorization request is painless and typically takes no more than about 4 hours. You could create a whitelist in your webfilter policy, and add sites blocked, until the rating is verified and updated.
jimsokol
New Contributor III

We had previously created a "LocakOk" category to take care of either misclassified sites or local deviations from categories we already block, like porn, gambling, etc., and have the web filter profile set to allow anything in that category. We have 600+ FortiGates, so usually proceed with only taking baby steps prior to any mass change. Thanks for the info on the recategorization turnaround.
bmann
New Contributor

In general I think that IP rating is deprecated. With hundreds of web pages on one server, the IP rating will be different from the web site itself.

I'm not sure how CDNs are classified, but I would expect some general category.

I would keep IP rating disabled altogether.

Disabling "unrated" is a possible way and more likely useful for the mentioned reason. My observation:

- major sites are classified and will work

- definitely you will reach some unclassified, mainly when searching with Google etc. Those would be sites with lower visits ....

- in this case I would instruct users how to request a rating of the site over the web link

- for "emergency" cases I would use some whitelist on the FG itself

One question is how legitimate it is when a user browses unrated sites in office hours ... more likely it will depend on the type of duties .....
DataPartnerInc
New Contributor

Another thing that might help is local Security Profiles > Web Filter > Rating Overrides, where you can re-assign a host or URL to a specific category you choose to match an existing web filtering profile, even using wildcards, although that does introduce some risk.
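As an added example (not from this thread or from any of the posters' own configurations), this is how the whitelist-via-local-category idea mentioned in several replies and the rating override described just above fit together in the FortiOS CLI. The category name "LocalOk", its ID 140, the hostname and the filter ID are all assumptions; the hostname is a constructed placeholder.

```fortios
# Added example: a local category used as an allow-list, applied with a
# rating override. Names, IDs and the hostname are assumptions.
config webfilter ftgd-local-cat
    edit "LocalOk"
        # Local (custom) categories use IDs from 140 upwards.
        set id 140
    next
end
config webfilter ftgd-local-rating
    # Rating override: this host is treated as "LocalOk" (140) instead of
    # whatever FortiGuard returns for it (including Unrated).
    # Constructed placeholder hostname; an exact host, not a wildcard,
    # keeps the override as narrow as the exception actually needs.
    edit "partner-portal.example.com"
        set rating 140
    next
end
config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                edit 2
                    # monitor allows the session but still logs it, so the
                    # override list can be reviewed and pruned once FortiGuard
                    # has rated the site.
                    set category 140
                    set action monitor
                next
            end
        end
    next
end
```

Because the override replaces the FortiGuard verdict entirely, an entry placed here is exempt from every other category action in the profile; that is the risk the post above alludes to, and it is why logging each hit with `monitor` and removing entries after the rating request has been processed is worth the extra housekeeping.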