Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Web Filter false positives?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web Filter false positives?
FG100D, FortiOS 5.0.4, I think I' m getting lots of false positives from the Web Filter.
Under Security Profiles -> Web Filter -> Profiles, there is just the " default" profile.
In the default profile, I have selected only the " Security Risk" category (including its three subcategories to be blocked.
Screen shot: http://img96.imageshack.us/img96/3204/x76n.jpg
This default security profile category is referenced in the one Policy rule which allows outbound web browsing traffic (basically, packets arriving on the internal Ethernet port, destined to go out the Internet Ethernet port, coming from internal IP addresses, going to anywhere; any time; any service; Accept, and apply the default Web Filter profile; and log security events).
I' m getting several emails a day from the FortiGate saying things like:
Message meets Alert condition date=2013-09-30 time=11:12:48 devname=FG100D3G13807731 devid=FG100D3G13807731 logid=0315012544 type=webfilter subtype=urlfilter level=warning urlfilteridx=2 urlfilterlist=" default" policyid=25 identidx=0 sessionid=38633598 srcip=192.168.32.6 srcport=62925 srcintf=" internal2" dstip=50.18.249.41 dstport=443 dstintf=" ONO" service=" https" hostname=" 9gag.com" profile=" default" status=" blocked" reqtype=" direct" url=" /" sentbyte=0 rcvdbyte=0 msg=" URL was blocked because it is in the URL filter list" Message meets Alert condition date=2013-09-30 time=10:40:01 devname=FG100D3G13807731 devid=FG100D3G13807731 logid=0315012544 type=webfilter subtype=urlfilter level=warning urlfilteridx=2 urlfilterlist=" default" policyid=25 identidx=0 sessionid=38561211 srcip=192.168.32.6 srcport=61990 srcintf=" internal2" dstip=173.194.67.84 dstport=443 dstintf=" ONO" service=" https" hostname=" accounts.google.com" profile=" default" status=" blocked" reqtype=" direct" url=" /" sentbyte=0 rcvdbyte=0 msg=" URL was blocked because it is in the URL filter list"Link to log screenshot: http://img542.imageshack.us/img542/5675/7lde.jpg Stupid question #1: When this message talks about the " URL was blocked because it is in the URL filter list" , does that mean that the FortiGate thinks that this URL was in one of the FortiNet-supplied categories for which I enabled blocking? .. or am I being stupid, and this is saying something about my custom URL rules (all of which permit specific URL patterns, unless I' ve done them wrong - see first screen shot)? Stupid question #2: Could these be filter service connection failures which are getting blocked by default but reported as hits, and what I need to do is tick the box to " Allow Websites When a Rating Error Occurs" ? I' ve opened a support case with FortiNet Support about this, but have been waiting more than a week for them to come up with anything useful so far, and I am quite frustrated. I don' t actually see errors appearing to the user in browsing sessions; I don' t see website failures which I think are related to specific subparts of web pages being blocked; but these messages make me doubt that this technology will reliably and predictably serve my users. Your help is appreciated. thanks,
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What happens if you disable the URL filter in the webfilter profile?
" Allow Websites When a Rating Error Occurs" is for if the Fortigate happens to lose connectivity to the Fortiguard servers and can' t check the rating... If this is checked then all sites will be allowed instead of all sites blocked due to Rating Error.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ticked the " Allow websites when a rating error occurs" box. The false positives continue. So that wasn' t it.
>What happens if you disable the URL filter in the webfilter profile?
I' m not sure what this is suggesting that I test.
I see:
Security Profile -> Web Filter -> Profiles, profile " default" .
In the " default" profile, " FortiGuard Categories" is selected; and within the inset box listing all of the FortiGuard Categories, just " Security Risk" and its three subcategories are marked with the action " Block" .
Under that in the next section, I have " Enable Wed Site Filter" ticked, and I' ve manually entered six FQDNs or wildcard strings, all set to " Monitor" (so, it shouldn' t block these; and these don' t encompass the great majority of the false positives I' m seeing in the logs anyway, so this doesn' t seem to be related to the problem).
So, I don' t see any place to disable the " URL filter" in the webfilter profile.
What, more exactly, is it that I should do to try this theory?
thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The logs indicate this is caused by the URL filter (now renamed to Web Site Filter) so the test would be to disable URL filtering (Uncheck " Enable Web Site Filter" )
If that' s the cause then try deleting all the entries the re-add them.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Bromont. It' s very confusing how FortiNet changes the names of things but then leaves SOME of the user interface components, and parts of the documentation, listing these things under the old names...
Okay, In FortiOS v5.0.4, I' ve edited Security Profiles -> Web Filter -> Profiles, " default" profile, " Web Site Filter" to be Disabled. I' ll see if I get any more of those alert messages, and update us all here.
thanks,
-Jay
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just got this:
Message meets Alert condition
date=2013-09-30 time=17:56:36 devname=FG100D3G13807731 devid=FG100D3G13807731 logid=0315012544 type=webfilter subtype=urlfilter level=warning urlfilteridx=0 policyid=25 identidx=0 sessionid=39489840 osname=" Mac OS X" osversion=" 10.8.5" srcip=192.168.32.6 srcport=53236 srcintf=" internal2" dstip=192.243.254.49 dstport=443 dstintf=" ONO" service=" https" hostname=" *.d2.sc.omtrdc.net" profile=" default" status=" passthrough" reqtype=" direct" url=" /" sentbyte=0 rcvdbyte=0 msg=" URL was blocked because it is in the URL filter list"
" Enable Web Site Filter" is UN-checked. So it seems that it couldn' t be any URL pattern I' d entered in the Web Site Filter configuration of the Web Filter profile.
Except, when it' s a category block, don' t those appear as being in a restricted category, instead of saying something about " URL filter list" ??
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting... the urlfiteridx is now 0 instead of 2 and the status is passthrough instead of blocked.How long since the unit was rebooted?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting... the urlfiteridx is now 0 instead of 2 and the status is passthrough instead of blocked.How long since the unit was rebooted?It' s been up for 39 days. Does FortiOS tend to accumulate garbage and errors in in-memory data structures, such that scheduled pro-active reboots are considered a good practice? I' ll reboot it and see if the apparent false positives continue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I rebooted. I haven' t seen more URL Filter hits. (There was one brief flurry of warnings of filtering service failures, but I imagine that was a race condition between the FG100D coming back up and starting to serve connections again, and the URL Filter service taking a few seconds longer to start up). Of course, I' ll only believe that the problem of the false positives on the Web Filter categories has gone away when it has stayed away for several days. If a reboot was needed, then I have other worries, about the (lack of) quality/reliability of FortiOS 5.
On the other hand, now I' m getting lots of warnings about log memory or disk being full. I reduced all logging in all of my Policies to log only on security events, and I did a delete-all of logs, and I' m still getting alerts of log memory or disk being full.
I' m really disappointed in this FG100D and FortiOS 5 (5.0.4 presently).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, h*ll. Of course I get the next email right after I made that last post:
Message meets Alert condition date=2013-10-01 time=11:12:51 devname=FG100D3G13807731 devid=FG100D3G13807731 logid=0315012544 type=webfilter subtype=urlfilter level=warning urlfilteridx=0 policyid=25 identidx=0 sessionid=164649 srcname=" roadrunner.local" osname=" Mac OS X" osversion=" 10.8.5" unauthuser=" ganguera" unauthusersource=" forticlient" srcip=192.168.32.6 srcport=49213 srcintf=" internal2" dstip=173.194.34.241 dstport=443 dstintf=" ONO" service=" https" hostname=" www.google.com" profile=" default" status=" passthrough" reqtype=" direct" url=" /" sentbyte=0 rcvdbyte=0 msg=" URL was blocked because it is in the URL filter list" Message meets Alert condition date=2013-10-01 time=11:12:50 devname=FG100D3G13807731 devid=FG100D3G13807731 logid=0315012544 type=webfilter subtype=urlfilter level=warning urlfilteridx=0 policyid=25 identidx=0 sessionid=164630 srcname=" roadrunner.local" osname=" Mac OS X" osversion=" 10.8.5" unauthuser=" ganguera" unauthusersource=" forticlient" srcip=192.168.32.6 srcport=49209 srcintf=" internal2" dstip=173.194.34.240 dstport=443 dstintf=" ONO" service=" https" hostname=" www.google.com" profile=" default" status=" passthrough" reqtype=" direct" url=" /" sentbyte=0 rcvdbyte=0 msg=" URL was blocked because it is in the URL filter list"Security Profiles -> Web Filter -> Profiles, " default" profile, " Enable Web Site Filter" remains UN-checked. Only the " Security Risk" FortiGuard Category remains checked, as before. IN THE GUI. At the CLI, " show webfilter urlfilter ?" shows just one filter, " 2" . showing filter 2 shows all of the entries I' d manually created (in the GUI) earlier, but none of which should be active (according to the GUI). Indeed, " show webfilter profile default" does NOT include a reference to urlfilter 2 (nor to any urlfilter), so these entries, which DO seem to be active, do not seem to be configured. Weird.
# show webfilter profile default
config webfilter profile
edit " default"
set comment " default web filtering"
set replacemsg-group " web-filter-default"
set inspection-mode flow-based
set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
set post-action comfort
config override
set ovrd-user-group " "
end
config ftgd-wf
set options error-allow
set category-override 140 141
config filters
edit 19
set category 4
next
edit 18
set action block
set category 26
set override-replacemsg " 26"
next
edit 20
set action block
set category 61
set override-replacemsg " 26"
next
edit 21
set action block
set category 86
set override-replacemsg " 26"
next
end
end
set log-all-url enable
next
end
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,717 -
FortiClient
1,766 -
5.2
801 -
FortiManager
730 -
5.4
639 -
FortiAnalyzer
559 -
FortiSwitch
475 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1714 | |
| 1093 | |
| 752 | |
| 447 | |
| 232 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.