Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bmelara
New Contributor

Web Rating Overrides not working properly after FortiOs Upgrade

Hi,

 

  Recently we have upgraded our 800C to FortiOs 5.4.1 but as soon as the unit reboots some web rating overrides urls stop working, so, in the GUI we can see them, but it doesn't work until we run in the CLI the "set rating" command. It has happened every time the unit reboots. Any suggestion about how to proceed ?

 

Regards.

1 Solution
jmcnutt
New Contributor II

I have had this same problem on my 1500D.  Support sent me an emergency firmware to help address the issue.  It took over five phone calls with support and over two weeks.  Plan on waiting two days for each phone call and a ton of logging to have the problem confirmed.

 

James

View solution in original post

9 REPLIES 9
jmcnutt
New Contributor II

I have had this same problem on my 1500D.  Support sent me an emergency firmware to help address the issue.  It took over five phone calls with support and over two weeks.  Plan on waiting two days for each phone call and a ton of logging to have the problem confirmed.

 

James

bcallan
New Contributor II

I have a customer experiencing this issue after update from 5.2.7 to 5.4.1 (one step, as indicated in supported upgrade paths document).  Rating override to custom category with a web filter profile action of "Allow" does not correctly categorize traffic and blocks based on the action associated with the original Fortiguard category for the affected URLs.  I haven't gotten through to support yet, but I found that changing the action for the custom category from Allow to Monitor allows traffic to pass.  Fortiview shows the correct category name and action is listed as "passthrough" instead of "block".  Switching action back to "Allow" causes the problem to reappear.  I tried the workaround listed above (manually reset the rating in CLI), but this did not appear to work.

Jeremiah_Jackson

I can verify that we are having the same problem.  If you need to get something working for sure.  Use the URL Filter and set it to exempt instead of Web Rating Override.

tof

Same issue here with a 60D on 5.4.1. It works as far as the unit is not reboot. After reboot we have to change category or make any other action in web ration override to have it working again.

chrisn
New Contributor

Same here with our 50E & 60E. Web rating overrides stop working, but if I edit an overridden website, all of the overrides start working again.

NeilG

I am having this occur at two small customers - one was an upgrade from 5.2.7->5.4.1 and another is a clean install of 5.4.1.

 

Both are 60D models

Both have experienced inconsistant Fortiguard webfilter category override on reboot. Also using static URL filtering doesn't do expected things either (sometimes even excempt doesn't seem to process).

 

For those of who who have received an emergency patch - can you provide a reference number that we can point our support person too in trying to speed things up? Thanks!

-Neil

jmcnutt
New Contributor II

Hi Neil.  Good luck getting Fortinet to move faster than they want to.  It seems unless you are a Fortune 500 company, they just do not care how long it takes to resolve your issue.  I wait two and three days to get a one or two line response from support.  It you ask for a phone call, plan to wait two more days.

 

My ticket number was 1813256.  We ultimately rolled back to 4.2.  However we are still having serious issues that Fortinet does not seem to be concerned with.  We will see what takes longer:  Replacing Fortinet with a different vendor or Fortinet resolving my issues.  Right now I bet I have new hardware before support will get my issues resolved.  It's a shame we spend a ton of money for the hardware and support and an "industry leader" treats customers this way.

 

So far very dissatisfied with Fortinet.

 

James

Chris_Carson

Confirmed!

 

I found this bug replacing a 90D(5.2.9) with a 90E(5.4.2).

 

A quick modification of:

 

config webfilter ftgd-local-rating      edit "YourFavoriteSite.com"         set rating 140     next end

 

Fixes it..... until you reboot!

 

I've opened a ticket and I'll let you know what they say.

 

Thanks,

Chris

NeilG

Chris,

 

I have an AT&T flexlink.ip install happening at one of the problem customer sites early Jan. Once that is in place I will test if upgrading from 5.4.1 to 5.4.2 fixes issue deep inspection based category overrides not all working on reboot.

 

Note: there seems to be a known issue with 5.4.2 for certificate_inspection + web filter overrides "394515 URL exempt/allow does not work as expected when certificate-inspection is used." is listed in known issues for 5.4.2.

 

So are you on 5.4.2 with deep inspection or certificate inspection?

 

James, thank you for sharing your ticket number - I have to re-create my ticket since I didn't respond in a timely fashion - so I will update this thread in the 1st week of Jan.

 

-Neil

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors