FortiNet_Newb
Contributor

Web Filter does not work properly in FortiClient 7.2.X

After upgrading from FortiClient 7.0.10 to 7.2.3, I've noticed that the exclusion list in the Web Filter no longer works.  No changes were made to the web filter policies, web browser plug-in is enabled in the policy and installed on the client, what gives?  My clients are all configured to use the web filter plugin only when the endpoints are off-fabric, sync mode and check user initiated traffic only are both enabled in their profiles.  I've tried every combination of the three and get the same result.
 

For example, if I try to block Facebook, Twitter, or TikTok using a deny entry for each in the Web Filter Exclusion list, the sites do not get blocked on the client.  I've tried all three exclusion types (Simple, Regular Expression, and Wildcard) and none of them block the sites any longer.

 

I've tried in both Edge and Chrome with the same results.

 

Downgrading back to 7.0.10 resolves the issue.

 

Anyone else experiencing this?

1 Solution
FortiNet_Newb

Just updated FortiClient to 7.2.5 and was pleasantly surprised to find that all of my web filter issues are now resolved.  With the option "Wildcard Match Root Domain" enabled and in the Exclusion list setting Action: "Block", Type: "Simple", and URL as "whateverdomain.com" everything works perfectly now.  It's odd because the release notes disclose the following as a new known issue:

1054211  Web Filter exclusion list Action > Block does not work as expected.

However, in my case it now works as expected for some reason, when it didn't in prior versions.  So glad that is now working.


6 REPLIES
AEK
SuperUser

Your issue may look like the below bug that affects version 7.2.3.

962502  Web Filter does not respect exclusion list when imported from FortiGate with web category overrides.

 

AEK
FortiNet_Newb

I saw that too and should have mentioned that I'm not using an imported web profile.  I double-checked, and there are no imported profiles at all listed in EMS.  Just to be safe I created an entirely new web profile in EMS to test just blocking Facebook and it just doesn't work in 7.2.X.

FortiNet_Newb
Contributor

Not sure how I missed it earlier (unless it wasn't listed yet), but it appears to be the below bug that affects versions 7.2.1 - 7.2.3 in combination with the FortiClient Web Filter handling the Wildcard type expressions differently than the FortiGate and FortiClient versions before 7.2.1 do.

 

875298  Exclusion list does not work properly with regular expressions.

 

I had erroneously assumed that the FortiClient 7.2.3 web filter would process the filtering types the same way the FortiGate Web Filter does which is outlined here:   https://community.fortinet.com/t5/FortiGate/Technical-Tip-URL-Filter-expressions-for-the-FortiGate/t...

 

Unfortunately, it seems as though the Wildcard filtering type does not behave the same way in the FortiClient 7.2.1+ web filter as it does in earlier versions of FortiClient (or as it does in a FortiGate web filter profile).  I was finally able to block websites using FortiClient 7.2.3 by using the Wildcard type filter and using it in the format of *Website.com; using *.Website.com would NOT block Website.com as was the previous behavior.
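
The two wildcard forms compared in the post above, checked against a small set of host names as an added example that is not part of the original thread. It uses generic shell-style glob matching from Python's `fnmatch`, not FortiClient's own matcher, and the host names and the `audit` helper are constructed for illustration; it also shows a label-boundary match that covers the root domain without over-matching.

```python
from fnmatch import fnmatchcase


def glob_blocks(pattern, host):
    """Generic shell-style glob against the whole host name, case-insensitive."""
    return fnmatchcase(host.lower(), pattern.lower())


def domain_blocks(domain, host):
    """Match the root domain itself or any subdomain, on a label boundary."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Constructed test hosts: (host, should this host be blocked?)
CASES = [
    ("website.com", True),               # root domain
    ("www.website.com", True),           # subdomain
    ("m.cdn.website.com", True),         # nested subdomain
    ("notwebsite.com", False),           # different domain, same suffix text
    ("website.com.example.net", False),  # domain appears as a prefix only
]


def audit(matcher, rule):
    """Return the hosts where the rule's verdict differs from the intent."""
    return [host for host, want in CASES if matcher(rule, host) != want]


if __name__ == "__main__":
    for label, matcher, rule in [
        ("glob", glob_blocks, "*.website.com"),
        ("glob", glob_blocks, "*website.com"),
        ("domain", domain_blocks, "website.com"),
    ]:
        print(f"{label:6} {rule:15} mismatches: {audit(matcher, rule)}")
```

Under plain glob semantics `*.website.com` misses the root domain, while `*website.com` catches it but also blocks `notwebsite.com`, so a block list should be tested against both kinds of host after any client upgrade.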

FortiNet_Newb

I lied, I'm back to square one.  Has anyone figured out how to actually get the FortiClient web filter to actually block a website in 7.2.X?  No matter what method I try, Simple, RegEx, or Wildcard, I cannot block a website.

 

  • I have deep inspection enabled for the web filter plug-in
  • The plug-in is installed and active in the browser
  • If I make any changes to the web profile in EMS, they are being updated appropriately in FortiClient.

Sometimes the first time I visit a site that should be blocked, it appears to work and even gets logged in FortiClient as blocked, but then after a couple of seconds (or if I refresh the page) successfully opens the webpage.

 

How would you recommend blocking, for example, access to the entire domain of, let's say, cisco.com?  I simply cannot get it to work reliably.

 

