Kubajs
New Contributor III

Policy based - URL categories doesn't work

Hello,
I'm using policy-based mode on FortiGate and I have a problem with URL filtering. I have set up the rules as described here https://docs.fortinet.com/document/fortigate/7.2.0/new-features/472314/allow-web-filter-category-gro... and I have the rule targeting a user group. In the log, I see a deny rule that says the page is Unrated, but on the https://www.fortiguard.com/webfilter site, I can see that the page has a category.

I am sending log:

date=2023-12-16 time=16:33:02 eventtime=1702740782183012282 tz="+0100" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=74 poluuid="7b975724-9285-51ee-f073-60f6db8bd24e" policytype="security-policy" sessionid=180151 user="Domain_user" authserver="FSSO_server" srcip=10.1.1.1 srcport=50104 srccountry="Reserved" srcintf="VLAN" srcintfrole="lan" srcuuid="efa45e5a-56d5-51ee-ff05-d73441199146" dstip=85.207.58.49 dstport=443 dstcountry="Czech Republic" dstintf="wan1" dstintfrole="wan" dstuuid="efa45e5a-56d5-51ee-ff05-d73441199146" proto=6 service="HTTPS" hostname="<website URL>" action="blocked" reqtype="direct" url="<website URL>" sentbyte=563 rcvdbyte=1460 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=0 catdesc="Unrated"

 

I am completely lost :(

Can someone help me please?

Thanks

1 Solution
mle2802

Hi @Kubajs,
Can you try this command:

config system fortiguard
set webfilter-force-off disable
end

Then close the browser and try to browse again to see if the website is still being blocked. Also, after making the change, use "diag debug rating" to confirm if web filter is enabled.


lgupta
Staff

Hello Kubajs,

Good day!

As per the logs:

 

"HTTPS" hostname="<website URL>" action="blocked" reqtype="direct" url="<website URL>" sentbyte=563 rcvdbyte=1460 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=0 catdesc="Unrated"

 

You can use the static URL filter: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-static-URL-filter-feature-to-allow...

This way you can bypass that particular website from being inspected.

 

Thanks

 

 

Best regards,

-lgupta



If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.
Kubajs
New Contributor III

Thank you for your response. I pasted the complete log here, but it was marked as spam. I hope that image remains :)

As I wrote, this website https://www.fortiguard.com/webfilter says that my page has a category. But it wasn't a problem for only 1 website. All Czech websites I tried didn't work :(

fortinet.jpg

hbac

Hi @Kubajs,

 

Is your FortiGate able to reach FortiGuard servers? What do you see in Web Filter logs? 

 

Regards, 

mle2802
Staff

Hi @Kubajs,

Looks like a rating error issue. Can you check the web filter log and confirm?

Kubajs
New Contributor III

Yes, all websites are logged as Unrated. For example Eset antivir, Adobe, ...
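
The pattern reported above, where every site is blocked as cat=0 "Unrated", can be checked across a log export. This is an added example, not part of any post in this thread and not Fortinet code; the sample lines, the function names and the three-hostname threshold are assumptions.

```python
import re
from collections import defaultdict

# FortiGate logs are key=value pairs; values are bare tokens or double-quoted.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one FortiGate log line into a dict of field -> value."""
    return {k: q if b == "" else b for k, q, b in PAIR.findall(line)}

def rating_outage_suspects(lines, min_hosts=3):
    """Return {policyid: sorted hostnames} for policies where every FortiGuard
    category block (eventtype=ftgd_blk) carried cat=0 across at least
    min_hosts distinct hostnames. min_hosts is an assumed threshold."""
    unrated, rated = defaultdict(set), defaultdict(set)
    for line in lines:
        f = parse(line)
        if f.get("subtype") != "webfilter" or f.get("eventtype") != "ftgd_blk":
            continue
        bucket = unrated if f.get("cat") == "0" else rated
        bucket[f.get("policyid")].add(f.get("hostname"))
    # One unrated host can be a genuinely uncategorized site; many hosts with
    # no rated block at all on the same policy suggests rating lookups fail.
    return {p: sorted(h) for p, h in unrated.items()
            if len(h) >= min_hosts and not rated[p]}

def _line(policy, host, cat, desc):
    """Build a constructed log line using field names seen in the thread's log."""
    return (f'type="utm" subtype="webfilter" eventtype="ftgd_blk" policyid={policy} '
            f'hostname="{host}" action="blocked" cat={cat} catdesc="{desc}"')

# Constructed sample input: hostnames, policy 80 and the cat=52 entry are invented.
SAMPLE = [
    _line(74, "a.example", 0, "Unrated"),
    _line(74, "b.example", 0, "Unrated"),
    _line(74, "c.example", 0, "Unrated"),
    _line(80, "a.example", 0, "Unrated"),
    _line(80, "d.example", 52, "Information Technology"),
]

if __name__ == "__main__":
    for policy, hosts in rating_outage_suspects(SAMPLE).items():
        print(f"policy {policy}: all category blocks unrated for {hosts}")
```

A policy listed by this check points at the rating service rather than at the individual sites, which is what "diag debug rating" is used to confirm later in this thread.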

mle2802

Hi @Kubajs,

Can you try the command "diag debug rating"?

Kubajs
New Contributor III

Interesting, it looks like web-filter service isn't working

Service : Web-filter
Status : Disable

mle2802

Hi @Kubajs,

Do you have a web-filter license? Can you check under System > FortiGuard?

Kubajs
New Contributor III

Yes, I do.

FortiGuard.jpg
