Gerry
New Contributor

No webfiltering on new interface

We've changed ISP so have set up a new interface for the new ISP. I've duplicated the existing policies to point to the new WAN interface, disabled the existing policies and edited the static route so now all traffic is going through the new ISP. In the outgoing policies I've enabled UTM but for some reason the webfiltering is not taking effect. If I create a temporary static route to send a test PC out through the old ISP interface the correct webfiltering is applying but it will not apply through the new ISP. Is there somewhere else this needs to be set to take effect, maybe in the CLI? Running V4 MR3 Patch 10. Have tried a reboot and have moved some of the new rules both above and below the old ones but it makes no difference. Any help greatly appreciated. gR
Deepak_Barsopiya
New Contributor

Check the session monitor to view traffic on which policy is triggering.
Gerry
New Contributor

The problem is the policy isn't triggering. Rgds
Dave_Hall
Honored Contributor

Have you confirmed that the WAN interface to the new ISP is up and checked the routing monitor to confirm there is a route going through it? If the new WAN port is up, you may want to perform a "diag hardware deviceinfo nic <wan interface>" on the CLI to see if there are any errors on the port which could indicate a duplex/speed mismatch. Unless you are planning to perform load-balancing or create a backup WAN connection, what is preventing you from simply connecting the ISP connection to the existing WAN port?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Gerry
New Contributor

Hi. New WAN interface is up and all traffic is going through it. The only thing not working is the UTM web filtering, even though it's enabled on the interface. We have the old WAN interface disabled but want to leave it in place in case we have to roll back for any reason. Rgds
Dave_Hall
Honored Contributor

Is the fgt using the DNS for the new ISP on that WAN port? Because not all DNS servers will (or should) not allow connections from outside their domain. DNS plays a big part in FortiGuard Web and URL filtering. If the fgt can not reach the DNS servers nor reach the FortiGuard servers it may either block the connection or allow all traffic (e.g. disable web filtering). If the new WAN interface is configured for either DHCP (or PPPoE) make sure the DNS override is enabled on the connection.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Gerry
New Contributor

Hi. Fortigate is using Google DNS servers, the status of the UTM services is connected, all have green ticks. I've pretty much duplicated the old rules for the new WAN, I can't see any differences, that's why I was wondering if there was additional configuration in the CLI that I may be missing (I'm not familiar with the CLI options). Thanks for the suggestions, appreciate your time. Rgds
Dave_Hall
Honored Contributor

Perhaps it will help us if you provided the config settings for the interfaces and firewall policies... you can do this by entering on the CLI the following commands (one at a time... and make sure you mask out any identifying outside IP addresses):

show system interface
show firewall policy

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Fullmoon

Kindly check if NAT was enabled in the new policies you created.

Fortigate Newbie
Gerry
New Contributor

A big thanks to all for the help. On exporting the firewall rules I could see the web filter policy was missing from the new wan rules. I had assumed enabling UTM was all that was needed as Chrome was not displaying the additional options to select the individual security policies. I connected through Firefox and got the additional options, all working now. Thanks again gR
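
The check that resolved this thread (UTM enabled on a policy but no web filter profile attached) can be automated against saved "show firewall policy" output. The following is an added example, not code from any poster or from Fortinet; the sample config, policy IDs and interface names are constructed, and it assumes the policy keys appear as utm-status and webfilter-profile in the exported text.

```python
import re

# Constructed sample of "show firewall policy" output (not from the thread).
SAMPLE = '''\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set status disable
        set utm-status enable
        set webfilter-profile "default"
    next
    edit 7
        set srcintf "internal"
        set dstintf "wan2"
        set action accept
        set utm-status enable
        set profile-protocol-options "default"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {key: value}} from 'show firewall policy' output."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit (\d+)$', line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line == 'next':
            current = None
        elif current is not None and line.startswith('set '):
            key, _, value = line[4:].partition(' ')
            current[key] = value.strip().strip('"')
    return policies

def missing_webfilter(text, dstintf=None):
    """IDs of enabled accept policies with UTM on but no web filter profile."""
    hits = []
    for pid, p in sorted(parse_policies(text).items()):
        if p.get('status') == 'disable' or p.get('action') != 'accept':
            continue  # disabled or non-accept policies never apply UTM
        if dstintf and p.get('dstintf') != dstintf:
            continue  # optionally restrict to one outgoing interface
        if p.get('utm-status') == 'enable' and not p.get('webfilter-profile'):
            hits.append(pid)
    return hits
```

Calling missing_webfilter(SAMPLE) on the constructed sample flags policy 7, the duplicated rule on the new interface that has UTM switched on but nothing filtering web traffic.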