Tested on version 5.0 Patch 5
By doing the following you can safely test this Fortigate security hole:
1) Under "Security Profile -> Web Filter -> Profiles", check/enable FortiGuard Categories and block "Adult/Mature Content -> Pornography".
2) Remember to check the box before "Rate Images by URL (Blocked images will be replaced with blanks)" so that images will be blocked. If this box is not checked you are able to download images from any domain in a blocked category. You can test this if you enable/use this web filter profile in your Policy and try visiting http://static2.playboy.com/assets/tour/img/home/casting-call-small-dallas.jpg (a safe picture of the American city Dallas).
3) Visit http://static2.playboy.com/. This site is correctly blocked as Pornography.
4) Visit http://static2.playboy.com/assets/tour/css/common.css?cb=134 and download the content. This CSS-file is not blocked.
5) Visit http://static2.playboy.com/assets/tour/js/base/firstload.js?cb=134 and download the content. This JS-file is not blocked.
In this test you are downloading a .css-file and a .js-file from a blocked domain. But the file could be a .zip, .exe, .bat, or anything else as long as it is not a picture or .html/.shtml/.htm-file. I would argue that this is a big security problem.
If you block the Fortigate Category " Security Risk" your clients should be safe from malware from these domains right? Well, they are still able to get infected since malware does not come as HTML-files or pictures.
This means that your clients can visit http://www.orgsite.info/.../cryptolocker.exe or http://www.gumblar.cn/.../flashback.payload or http://www.d99q.cn/../sasser.js, download and run the content, and get infected with whatever malware the site hosts at the time. An infected client can also download updates for the malware it already has.
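One way to check your own deployment for the behaviour described above is to look in the web filter logs for hosts that were blocked by category on some requests yet allowed on others. The following is an added example, not part of the original report; the key=value log lines are constructed, and the field names (hostname, url, action, catdesc) are an assumption about the log format rather than a verified schema.

```python
import posixpath
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simplified key=value web-filter log format.
# Field names are assumed for illustration, not taken from a real log schema.
SAMPLE_LOG = """\
date=2013-05-01 hostname=static2.playboy.com url=/ action=blocked catdesc="Pornography"
date=2013-05-01 hostname=static2.playboy.com url=/assets/tour/css/common.css?cb=134 action=passthrough catdesc="Pornography"
date=2013-05-01 hostname=static2.playboy.com url=/assets/tour/js/base/firstload.js?cb=134 action=passthrough catdesc="Pornography"
date=2013-05-01 hostname=static2.playboy.com url=/assets/tour/img/home/casting-call-small-dallas.jpg action=blocked catdesc="Pornography"
date=2013-05-01 hostname=example.org url=/index.html action=passthrough catdesc="Information Technology"
date=2013-05-01 hostname=example.org url=/tools/setup.exe action=passthrough catdesc="Information Technology"
"""


def parse_line(line):
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def find_inconsistent_hosts(log_text):
    """Return {hostname: [allowed URLs]} for hosts that the filter blocked at least
    once (so the host is in a blocked category) but also let other requests through.
    A consistently enforced category block should produce an empty result."""
    blocked_hosts = set()
    allowed = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = rec["hostname"]
        if rec["action"] == "blocked":
            blocked_hosts.add(host)
        else:
            allowed[host].append(rec["url"])
    return {h: allowed[h] for h in sorted(blocked_hosts) if allowed[h]}


def leaked_extensions(log_text):
    """Map each inconsistently filtered host to the file extensions that got through,
    which shows whether only HTML/images are being blocked."""
    return {
        host: sorted({posixpath.splitext(urlsplit(u).path)[1] or "(none)" for u in urls})
        for host, urls in find_inconsistent_hosts(log_text).items()
    }


if __name__ == "__main__":
    for host, exts in leaked_extensions(SAMPLE_LOG).items():
        print(f"{host}: category block bypassed for {', '.join(exts)}")
```

Running it over real logs exported from the device would list every blocked-category host that still served some content type, which is the condition the test steps above demonstrate by hand.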
You can argue that this will be stopped by the Fortigate Antivirus or IPS. That would be true if the Fortigate had all of today's and future signatures. Since malware mutates fast, new variants appear every minute and they are often encrypted, it would be impossible for the Fortigate to recognize and stop every type of malware from entering your network.
Can you fix this Fortinet?
If I decide to block domains using the "Fortigate Category", I would like the Web Filter to block ANY web request to those blocked domains. This is how Sophos UTM and CheckPoint (I have tested them) and probably all the other FW vendors do it.