Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiNet_Newb
Contributor

Web Filter does not work properly in FortiClient 7.2.X

After upgrading from FortiClient 7.0.10 to 7.2.3, I've noticed that the exclusion list in the Web Filter no longer works.  No changes were made to the web filter policies, web browser plug-in is enabled in the policy and installed on the client, what gives?  My clients are all configured to use the web fliter plugin only when the endpoints are off-fabric, 

sync mode ad check user initiated traffic only are both enabled in their profiles.  I've tried every combination of the three and get the same result.
 

For example, If I try to block Facebook, Twitter, or TikTok using a deny entry for each in the Web Filter Exclusion list, the sites do not get blocked on the client.  I've tried all three exclusion types (Simple, Regular Expression, and Wildcard) and none of them block the sites any longer.

 

I've tried in both Edge and Chrome with the same results.

 

Downgrading back to 7.0.10 resolves the issue.

 

Anyone else experiencing this?

1 Solution
FortiNet_Newb
Contributor

Not sure how I missed it earlier (unless it wasn't listed yet), but it appears to be the below bug that affects versions 7.2.1 - 7.2.3 in combination with the FortiClient Web Filter handling the Wildcard type expressions differently than the FortiGate and FortiClient versions before 7.2.1 do.

 

875298Exclusion list does not work properly with regular expressions.

 

I had erroneously assumed that the FortiClient 7.2.3 web filter would process the filtering types the same way the FortiGate Web Filter does which is outlined here:   https://community.fortinet.com/t5/FortiGate/Technical-Tip-URL-Filter-expressions-for-the-FortiGate/t...

 

Unfortunately, it seems as though the Wildcard filtering type does not behave the same way in the FortiClient 7.2.1+ web filter as they do in earlier versions of FortiClient (or as they do in a FortiGate web filter profile).  I was finally able to block websites using FortiClient 7.2.3 by using the Wildcard type filter and using it in the format of *Website.com, using *.Website.com would NOT block Website.com as was the previous behavior.

View solution in original post

3 REPLIES 3
AEK
Honored Contributor II

Your issue may look like the below bug that affects version 7.2.3.

962502  Web Filter does not respect exclusion list when imported from FortiGate with web category overrides.

 

AEK
AEK
FortiNet_Newb

I saw that too and should have mentioned that I'm not using an imported web profile.  I double checked, and there are no imported profiles at all listed in EMS.  Just to be safe I created an entirely new web profile in EMS to test just blocking Facebook and it just doesn't work in 7.2.X.

FortiNet_Newb
Contributor

Not sure how I missed it earlier (unless it wasn't listed yet), but it appears to be the below bug that affects versions 7.2.1 - 7.2.3 in combination with the FortiClient Web Filter handling the Wildcard type expressions differently than the FortiGate and FortiClient versions before 7.2.1 do.

 

875298Exclusion list does not work properly with regular expressions.

 

I had erroneously assumed that the FortiClient 7.2.3 web filter would process the filtering types the same way the FortiGate Web Filter does which is outlined here:   https://community.fortinet.com/t5/FortiGate/Technical-Tip-URL-Filter-expressions-for-the-FortiGate/t...

 

Unfortunately, it seems as though the Wildcard filtering type does not behave the same way in the FortiClient 7.2.1+ web filter as they do in earlier versions of FortiClient (or as they do in a FortiGate web filter profile).  I was finally able to block websites using FortiClient 7.2.3 by using the Wildcard type filter and using it in the format of *Website.com, using *.Website.com would NOT block Website.com as was the previous behavior.

Labels
Top Kudoed Authors