Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
menatwork
New Contributor III

[SOLVED-BUG] FortiEMS/Forticlient - massive Webfilter issues for month (not yet solved by support)

Hi folks,

this is no criticism to Fortinetsupport, but I am very interested whether you guys @the forum are having the same issues with Forticlient EMS and the webfilter.

 

I have a open ticket running since June 2022 and did numerous tests, debuglogs, new installs, adapt the installation etc.

 

Situation:

  • Forticlient EMS at Server 2019
  • Sitting in the DMZ
  • Reachable via FQDN from the internet
  • Reachable from internal LAN via FQDN
  • The Forticlient correctly triggers Online-onfabric / Online-off-fabric rules (e.g. I can see that the webfilter is enabled when going off-fabric
  • and here comes the problem:
    • No matter what I do, the webfilter itself is not working properly
    • If I go from onfabric to off-fabric, the webfilter is enabled, BUT
    • it is not filtering anything
    • Sometimes - if I stay off-fabric with the device (e.g with smartphone-hotspot) the webfilter does its job in blocking XXX  sites for example
    • As soon as I start switching networks (off-fabric / on-fabric / off-fabric) the webfilter stops blocking (but being still correctly activated). Sometimes it starts to work after about 10 minutes
    • I tried  it with browser add-ons and without them (Forticlient-addon)

So you absolutly cannot rely on this part of Forticlient, which makes it some kind of insecure!

 

Does no one of you have this troubles? I cannot believe that I am the only one with this situation. Does you Forticlient-Webfilter work (does it block sites when going from on- to off-fabric?)

 

Some feedback woud be great!

Thanks a lot!

 

11 REPLIES 11
Anthony_E
Community Manager
Community Manager

Hello menatwork,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
menatwork
New Contributor III

Hi,

as no one replied it seems like no one have got this issues, or cannot replicate it? Really interesting....

Anthony_E
Community Manager
Community Manager

Hello,

 

I will try to find a FortiClient expert for you, like the other post.

 

Regards,

Anthony-Fortinet Community Team.
btan
Staff
Staff

Hi menatwork,

 

In my personal experience, web filter works reliably (in lab environment). If you have a ticket opened, usually TAC support can assist to check how & why it is not working in your environment. 
I see you have very detailed steps to reproduce, if somehow your case engineer already done checking all from FCT Diagnostic Result but no avail, may I suggest either below:

1. Join one of our lab PC to your EMS to reproduce & investigate the issue
2. Join one of your test machine to our lab EMS with your endpoint profile to reproduce & investigate the issue
This may help narrow down the root cause.

Regards,
Bon
menatwork
New Contributor III

Hi and thanks for your answers!

 

@btan 

 

How can we realize  the point you mentioned -- Number 1: Join one of our lab PC to your EMS to reproduce & investigate the issue

btan

You may open a ticket with us, and suggest this to your case engineer.

Regards,
Bon
menatwork
New Contributor III

So after about 6 month of investigation with TAC, it boiled down to a bug, which will be fixed in 7.2.0 version of Forticlient.

 

I am really wondering that no one of you have got this issue....

bwill
New Contributor

Hey Menatwork,

 

Was your issue ever resolved? You are not alone; we have this problem as well. Our Forti ecosystem uses Client, EMS and Fortigates at the edge. When our users are behind the Fortigate which is connected to the DC with IPSEC, web filtering at the client does not work. When the client is on SSLVPN web filtering does not work. When the client is off network web filtering works. We are in the process of going to 7.2, hopefully it resolves these issues.

 

HTH

menatwork
New Contributor III

hi @bwill It was solved at the moment, when we upgraded to 7.2, but we have had numerous other troubles. Mainproblem is, that the Forticlient is not updating the av-defs as we expected. Some days it is unable to get the updates from the Fortinet-servers. The other day, there is a sandbox connection issue (Saas).

 

I have had tickts open, which never solved it (the update-issue). A few days after we opened the ticket about this, the updates worked again (out of nowhere). I was able to reproduce the problem at my "home-office-workplace" with completly different internet-access and clients. so I am sure the update-problem is "triggered" by fortinetservers (we connect from EU).

 

To be honest I will have to double check whether the webfilter of the Forticlient is still working reliable.

 

I will come back to you as  soon as I have checked it.

Labels
Top Kudoed Authors