Hi We recently upgraded from 6.0.5 to 6.0.9 and then changed the Fortiguard protocol from UDP to HTTPS. Since then we are occasionally getting block messages 'An error occurred while trying to rate the website using the webfiltering service.
I've looked at the kb article https://kb.fortinet.com/k....do?externalID=FD33528 but am slightly confused about the sentence "This will allow users to access the web sites when a rating error occurs, and will allow the FortiGate unit to use the FortiGuard Web Filtering database that it has stored on the unit to rate the web site." Can I just confirm that it means when it can't reach fortiguard it will rate the website using the local db and will allow/block access accordingly. Just looking at the option on the FG "Allow websites when a rating error occurs" suggests that it is going to allow it whatever the rating is. Thanks for your time
Solved! Go to Solution.
When "Allow websites when a rating error occurs" is enabled it means:
Keep in mind that the "local DB" cache is only a cache of the ratings for recently visited websites. It is a very small list compared to the full FortiGuard database. With this setting enabled there is a very good chance that traffic will get through to sites that would otherwise be blocked, so enable it at your own risk.
The reason that "a rating error occurs" happens more often with HTTPS vs. UDP is that Fortinet doesn't seem to have the same capacity to handle HTTPS web ratings lookups compared to UDP. If you run "diag debug rating" when in UDP mode vs. HTTPS mode you'll see that there are far more servers available to respond to UDP ratings lookups vs. HTTPS.
Russ
NSE7
When "Allow websites when a rating error occurs" is enabled it means:
Keep in mind that the "local DB" cache is only a cache of the ratings for recently visited websites. It is a very small list compared to the full FortiGuard database. With this setting enabled there is a very good chance that traffic will get through to sites that would otherwise be blocked, so enable it at your own risk.
The reason that "a rating error occurs" happens more often with HTTPS vs. UDP is that Fortinet doesn't seem to have the same capacity to handle HTTPS web ratings lookups compared to UDP. If you run "diag debug rating" when in UDP mode vs. HTTPS mode you'll see that there are far more servers available to respond to UDP ratings lookups vs. HTTPS.
Russ
NSE7
Thanks Russ, that makes sense now.
So does everyone have to turn this on in general?
I've upgraded to 6.4.1 and have tried HTTPS and UDP 53/8888 and still get rating errors all the time.
Am in Australia.
@TecnetRuss..But how we can avoid this error ? What is the root cause behind it ? How to solve it permananetly.
I can't say for sure, but I suspect this is a capacity issue with the FortiGuard rating servers getting overloaded occasionally and the HTTPS protocol is more sensitive to delays compared to a fast, connectionless protocol like UDP. Also, the default FortiGuard setting is to use anycast, and I've found that with anycast enabled, these errors seem to happen more often.
In my experience, if you're seeing a lot of "a rating error occurs" messages in the logs, use the UDP protocol and disable anycast for your FortiGuard settings. This is all covered by this Fortinet Tech Tip:
Technical Tip: FortiGuard is not reachable via Any... - Fortinet Community
You're trading off security (encrypted HTTPS) vs. reliability (unencrypted UDP), but then again, if you have "allow websites when a rating error occurs" enabled, lack of reliability is a security issue. If you find that disabling anycast and/or enabling UDP resolves the ratings errors, ideally you would set "allow websites when a rating error occurs" back to disabled.
Russ
FCSS Network Security
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.