Question about Web Filter configuration with Override and URL Filter in FortiGate
Hi everyone, I have a question regarding how FortiGate handles override of blocked categories in Web Filtering. Let me explain my setup:
I have Web Filtering enabled with a custom profile where the "Streaming Media and Download" category is set to block. The goal is to allow certain users to override the block and access specific sites within that category after authentication.
To do this, I enabled "Override blocked categories" and assigned the built-in monitor-all profile. Inside this monitor-all profile, I kept "Streaming Media and Download" set to block, but I also configured a URL Filter exception, where I added a wildcard like *youtube.com and set the action to "exempt".
The expected behavior is:
When a user tries to access YouTube, the override page should appear.
The user logs in with credentials.
Due to the URL Filter exemption, access to YouTube is allowed.
All other sites under the "Streaming Media and Download" category remain blocked.
However, this doesn’t seem to work as intended. The override page shows up, but after authentication, it loops back to the same block page instead of allowing access to YouTube.
Can anyone confirm if this setup is technically correct, or if there's a limitation or step I'm missing to make it work properly?
Thanks in advance!
Labels: FortiGate
Created on 04-23-2025 11:58 PM, edited on 04-23-2025 11:58 PM
OK, I see what you are trying to achieve now.
Try switching the inspection mode to proxy-based instead of flow-based, both for the web filter and the firewall policy, and see if it works with the web filter asking to authenticate, as you posted in a comment above.
Hi,
Are the profiles/firewall rule in proxy mode?
L.E.: have a look at this, https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-web-rating-override-to/... , I think it's similar to what you are trying to achieve.
What do you mean by proxy mode? Are you referring to the "Inspection Mode" option?
If so, both the profiles and the firewall policy are set to "Flow-based".
I'll review the link you shared and let you know the result.
Well, not exactly.
You are doing something similar, but not as described in the KB.
To fully implement the example in your case, you would need to create a web rating override and in it assign youtube.com to Custom Categories, sub-category custom1, and in your monitor-all policy change custom1 to Authenticate instead of Monitor/Allow/Block/Warning etc.
I'm trying to follow the configuration described in this link, but I'm running into an issue with how the override and custom category are behaving. Here's the flow of what happens when a user tries to access a blocked site:
The user opens their browser and tries to visit sports.yahoo.com.
FortiGate inspects the request and detects that the site belongs to a category that is blocked by the main Web Filter profile (test).
Since "Override blocked categories" is enabled, FortiGate switches to the second Web Filter profile (web-filter2).
In web-filter2, I created a custom category (custom1) that includes sports.yahoo.com through a web rating override. This custom category is set to "Authenticate".
As expected, the FortiGate displays the authentication portal. After the user logs in with valid credentials, they can access sports.yahoo.com.
The problem:
Once the user is authenticated, they can also access any other site from the originally blocked category — for example, espn.com, even though it's not part of the custom category. This is not what I want.
To fix this, I tried blocking the original category (e.g. "Sports") again within web-filter2 and leaving only the custom category (custom1) with the action set to "Authenticate". But when I do this, and the user logs in, they’re redirected to another FortiGate block page saying the site is still blocked — even though it’s listed in the custom category. Here are screenshots showing what happens when I follow the steps mentioned above:
Expected behavior (what I want):
I want the user to be prompted for authentication only when accessing specific sites listed in the custom category (e.g., sports.yahoo.com), and only those sites should be allowed after login — all others in the same blocked category should remain blocked.
Is this possible to achieve with the current override mechanism and Web Filter profiles? Or am I missing a specific configuration step?
Thanks, the solution was that the Inspection Mode was configured as proxy-based for both the Web Filter and the policy.
I checked the link you provided, and it's exactly what I'm doing — and the issue remains the same.
When performing the override to the second web filter profile, it either blocks everything or allows everything, but it doesn't prompt the user again to distinguish whether they want to access only one specific website from the blocked category.
I also tested this configuration:
In this screenshot, I show how my current Web Filter profile is configured. The category "Streaming Media and Download" is not shown here, but it's set to Block. If you look under the Local Categories, I have one set to Allow and another to Authenticate.
In this second screenshot, I show how I’ve configured the Web Rating Overrides.
And in this last screenshot, you can see the Firewall Policy that I'm using.
With this setup, when a user tries to access YouTube, they are able to do so successfully.
However, the issue happens when trying to access hulu.com—the user gets this page:
After entering the correct credentials, it should allow access to Hulu,
but instead it shows this again, and the user gets stuck in a loop:
So as you can see, it only works correctly when the Local Category (for example, "Streaming Permitidas") has the action set to monitor or allow.
But if I set the action to Authenticate or Warning, it results in that same error loop.

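For reference, here is the CLI equivalent of the configuration the thread ends up with: a single web filter profile that blocks the FortiGuard category, rates the permitted hosts into local category custom1 via web rating overrides, sets custom1 to Authenticate, and runs in proxy-based inspection on both the profile and the policy (the point at which the post-login loop stopped). This is an added example written for this page, not configuration posted by anyone in the thread or taken from Fortinet's KB. The interface names (port2 LAN, port1 WAN), the user group "web-override-users", the policy ID, the FortiGuard category ID 25 for "Streaming Media and Download" and the local category ID 140 for custom1 are assumptions; confirm the IDs on your own unit with `get webfilter categories` before applying. Whether the second "Override blocked categories" profile is still needed once this works is not settled in the thread, so it is left out here.

```fortios
# Added example, not from the thread. Assumptions: port2 = LAN, port1 = WAN,
# local user group "web-override-users" already exists, FortiGuard category
# 25 = "Streaming Media and Download", local category custom1 = ID 140.
# Verify category IDs with: get webfilter categories

# 1. Rate only the permitted hosts into local category custom1 (ID 140).
#    Everything else keeps its FortiGuard rating and therefore stays blocked.
config webfilter ftgd-local-rating
    edit "youtube.com"
        set rating 140
    next
    edit "hulu.com"
        set rating 140
    next
end

# 2. Web filter profile in proxy mode. The FortiGuard category is blocked;
#    only custom1 uses the authenticate action, so the credential prompt
#    appears for the rated hosts and nothing else in the category.
#    (FortiOS 7.x uses "set feature-set proxy"; 6.2/6.4 used
#    "set inspection-mode proxy" inside the profile instead.)
config webfilter profile
    edit "web-filter2"
        set feature-set proxy
        config ftgd-wf
            config filters
                edit 1
                    set category 25
                    set action block
                next
                edit 2
                    set category 140
                    set action authenticate
                    set auth-usr-grp "web-override-users"
                next
            end
        end
    next
end

# 3. Firewall policy, also proxy-based. An SSL inspection profile is needed
#    for the authentication page to be served on HTTPS sites; the built-in
#    certificate-inspection profile is assumed here.
config firewall policy
    edit 10
        set name "lan-to-wan-webfilter"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "web-filter2"
        set logtraffic all
        set nat enable
    next
end

# Check the result with:
#   show webfilter profile web-filter2
#   show firewall policy 10
```

After applying, confirm that a host not rated into custom1 (for example another site in the same FortiGuard category) still returns the block page with no credential prompt, and that a rated host prompts once and is then reachable; if the prompt reappears after a successful login, re-check that both the profile and the policy report proxy mode, since that mismatch is what produced the loop described in the thread.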