Hi,
Would recommend using FortiOS v5.6.x firmware instead and seeing if the feature works. FortiOS v6.x images are the latest, but many changes are still being committed or new features will be added. As far as I know (I don't have specific statistics), the majority of users are still on v5.4.x or v5.6.x. These firmware versions are more stable, as commits are important bug fixes only (rather than new features or code improvement changes). Also, firmware releases are being done in phases to avoid issues. The webfilter profile inspection mode should be proxy, as flow-based webfilter override (handled by the IPS engine daemon) could be not working. Kindly open a customer ticket to get the latest recommendation. Thanks.
Did it match the policy with the correct webfilter profile?
Policies are always exempt, i.e. once one policy matches the packet the rest will not be applied anymore.
Some flow debug will show you which policy got the packet.
diag debug enable
diag debug flow show console enable
diag debug flow filter clear|list|<filter>
diag debug flow trace start <numberofpacketstotrace>
Probably filter for the destination IP (not sure if you could use an FQDN here, probably not because this is the IP layer) and then try to ping or HTTP-access the site from your client and watch your CLI.
Btw: if you want to identify the policy in the GUI, you have to turn on the ID column in the view first, because the number shown by default is not the policy ID and the flow trace on the CLI shows the policy ID.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams