I just ran into this:
I have an FQDN that used to be rated as "newly observed domain". I created a rating override to a custom category and added that category to the list of reputable sites in the DPI profile. The site then worked (before that it got blocked by either IPS or APC and those have no whitelist).
Now it seems that Fortinet have removed the rating as it is now shown as "unrated". The category unrated in webfilter profile is set to "warning". The site still has the rating override from above.
In the support docs Fortinet writes that if you exempt a site from DPI then no further UTM is processed on it after certificate inspection. In opposition to this I do get a webfilter blocking page stating the site is rated "unrated".
As far as I understood the webfilter should not even apply when a site is exempted in DPI.
What is wrong here?
We're on 7.2.11 on the FortiGates btw.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi Sw2090
As per "my" understanding, exempting from DPI exempts it just from traffic decryption, not from basic web filtering that follows certificate inspection.
Can you share the support doc that you are referring to?
Hi AEK,
e.g. this one: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-SSL-Exemptions-affects-web-filtering-b...
This states that when you exempt a website it will be - as it is considered trusted - exempted from all subsequent UTM.
So webfilter should not hit it but in fact does.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks for sharing. That's new for me.
Note:
btw even if it does hit the webfilter it should be exempted by a rating override but is not. It's still blocked as "unrated" even though there is a local rating override that rates it into a local category that is allowed in webfilter (action set to monitor for logging).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams