Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
YASH1994
New Contributor

Web filter is not working properly in forti os 5.6?

This is a newly configured Firewall. we try to enable the web filter in that. LAN pc's connect to the internet before enable the web filter. But after enable the web filter it's not connect to the internet. all configuration done correctly step by step.

1. Configure the LDAP server (Bind type - Reguler)

2. Configure the single sign on (Enable polling)

3. Configure the IPv4 policy

 

but after these steps LAN users can't access the internet. 

1 Solution
sw2090

To be correct:

 

It does block the complete internet if it has no valid license or cannot reach the Fortiguard Servers to check.

 

Maybe you could use flow debug to see what your packets are doing on your fgt.

 

  diag debug enable

  diag debug flow filter <filter|list|?> (a "?" will have it show available filters , "list" will list the current filters)

  diag debug flow show console enable (you want to see something on cli do you *g*)

  diag debug flow trace start <numberofpackets> (stop will stop it again)

 

Mostly this gives you a clue what goes wrong with your packets...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
19 REPLIES 19
marco_d

Hello, SecurityPlus.

 

yes i have green checks in the Dashboard and Fortiguard. I logged in via cli to the box but was not able to send an ping.

 

FG-240D-1 # execute ping www.heise.de 7215: Unknown action 0 Command fail. Return code -1

 

When the uer try to  Access a Webpage with aktive filter in the policy than Comes an error message that says

 

"An error occurred while trying to rate the website using the webfiltering service.  Web filter service error: all Fortiguard servers failed to respond "

 

 

Note: After i wrote this post. i called the Support. I had some Problems to understand the guy on the phone but when i understood correct he says that there was a Server issue at the Weekend and that i should call back on monday.....

SecurityPlus

Interesting. Please let us know if this was the cause of the issue.

marco_d

I am real confused about that error. Today i got that there is a timeout for do a website rating no server is answering. I wonder if its just cause i did the update at the weekend that my services need be registered again. If there is a general problem i would expect that more people complaining and that maybe some write here. I tested the default webfilter but there was no message sure cause there is all allowed. I also tried to create a complete new webfilter but that also not worked. I also not understand why its not possible to do execute commands in the cli. Maybe something went wrong during the update. But lets see what the support says on monday.

 

BR

Marco

SecurityPlus

Any update that you can provide?
marco_d

SecurityPlus wrote:
Any update that you can provide?
Hello, yes the Problem is solved but not with help of fortigate Support at the Moment my ticket is escalated to the next Level. So what happen was that after the upgrade from 5.4.9 to 5.6.5 the web filtering port changed from 53 to 8888. I opened this port in our Internet Firewall and immediately the connection to the fortigate servers was working. the box registered the services and web filter started working again.

 

I double checked the logging and it was really an automatic change that the box did after the update. Maybe I should have more early the idea to check this part but I was sure I not changed nothing so I expected all work like before.

 

BR

Marco

 

tanr
Valued Contributor II

I noticed this as well when moving to 5.6.5.  It wasn't mentioned in the release notes, but it is mentioned in the "Ports and Protocols" document: https://docs.fortinet.com/uploaded/files/3606/fortinet-communication-ports-and-protocols-56.pdf as having changed in 5.6.3.

 

Just to confirm, it was another firewall that was blocking 8888, not the FortiGate itself?

marco_d
New Contributor

Yes it was another firewall. We use the fortigate cluster as layer 2 firewall for Application Filter,Webfilter and IDP. The connect to the Fortigate Server is done with the MGMT Interface. This is connected to another firewall where we just allowed special ports that are needed.

 

BR

Marco

 

eksjonathan

marco_d wrote:

So what happen was that after the upgrade from 5.4.9 to 5.6.5 the web filtering port changed from 53 to 8888. 

 

 

We also experienced this and reported it to Fortinet as a bug, which was acknowledged.  I requested it be included in the release notes as a warning to others but have not checked if the latest notes includes it.

 

In our case we changed the port back to 53 and Fortiguard could be contacted again.

 

Jonathan

tanr
Valued Contributor II

FYI, they never included it in the release notes.  Feel free to reopen your ticket!  ;)

sw2090

To be correct:

 

It does block the complete internet if it has no valid license or cannot reach the Fortiguard Servers to check.

 

Maybe you could use flow debug to see what your packets are doing on your fgt.

 

  diag debug enable

  diag debug flow filter <filter|list|?> (a "?" will have it show available filters , "list" will list the current filters)

  diag debug flow show console enable (you want to see something on cli do you *g*)

  diag debug flow trace start <numberofpackets> (stop will stop it again)

 

Mostly this gives you a clue what goes wrong with your packets...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors