Support Forum
sw2090
SuperUser

Website blocked by webfilter even though exempted from DPI

I just ran into this:

I have a FQDN that used to be rated as "newly observed domain". I created a rating override to a custom category and added that category to the list of reputable sites in the DPI profile. The site then worked (before that it got blocked by either IPS or APC and those have no whitelist).

Now it seems that Fortinet has removed the rating, as it is now shown as "unrated". The category "unrated" in the webfilter profile is set to "warning". The site still has the rating override from above.

In the support docs Fortinet writes that if you exempt a site from DPI then no further UTM is processed on it after certificate inspection. In opposition to this I do get a webfilter blocking page stating the site is rated "unrated".

As far as I understood the webfilter should not even apply when a site is exempted in DPI.

What is wrong here? 

We're on 7.2.11 on the FortiGates btw.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
5 REPLIES
AEK
SuperUser

Hi sw2090

As per "my" understanding, exempting from DPI exempts it just from traffic decryption, not from basic web filtering that follows certificate inspection.

Can you share the support doc that you are referring to?

AEK
sw2090
SuperUser

Hi AEK,

e.g. this one: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-SSL-Exemptions-affects-web-filtering-b...

This states that when you exempt a website it will be - as it is considered trusted - exempted from all subsequent UTM.

So webfilter should not hit it but in fact does. 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
AEK

Thanks for sharing. That's new for me.

Note:

  • In flow-based inspection mode, destinations that are 'Exempt from SSL Inspection' within SSL Inspection profile are also exempt from subsequent UTM inspection ...
  • In proxy-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL Inspection profile are exempt from SSL deep inspection, but subsequent UTM inspection applies ...
AEK
sw2090
SuperUser

btw even if it does hit the webfilter it should be exempted by a rating override but is not. It's still blocked as "unrated" even though there is a local rating override that rates it into a local category that is allowed in webfilter (action set to monitor for logging).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
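An added configuration listing, not part of this thread or of Fortinet's documentation, that puts the pieces discussed above side by side: the custom local category and rating override, the web filter action on that category, the SSL exemption, and the per-policy inspection mode that the quoted note says decides whether UTM still runs after the exemption. The object names, the FQDN `app.example.com`, the category id 140 and the policy id 1 are assumptions; the `#` lines are annotations, not CLI input. When debugging a case like this, the first thing to compare is the policy's `inspection-mode` against the note: in proxy mode the web filter still rates the destination, and the "Unrated" category keeps its own action regardless of what the custom category is set to.

```text
# 1. Custom local category plus a local rating override for the FQDN (assumed values)
config webfilter ftgd-local-cat
    edit "trusted-saas"
        set id 140
    next
end
config webfilter ftgd-local-rating
    edit "app.example.com"
        set status enable
        set rating 140
    next
end

# 2. Web filter profile: the custom category is allowed and logged (monitor).
#    "Unrated" is a separate FortiGuard category; its own action (e.g. warning)
#    is what the block page in this thread reports.
config webfilter profile
    edit "wf-standard"
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action monitor
                next
            end
        end
    next
end

# 3. SSL/SSH inspection profile: exempt the custom category from deep inspection
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 140
            next
        end
    next
end

# 4. The policy's inspection mode decides whether UTM still applies after the
#    exemption (flow: skipped; proxy: web filter still runs).
#    Check the current value with:  show firewall policy 1
config firewall policy
    edit 1
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-custom"
        set webfilter-profile "wf-standard"
    next
end
```

If the policy turns out to be proxy-based, the observed behaviour matches the quoted note and the remaining question is only why the local rating override is not winning over the "Unrated" rating; if it is flow-based, the web filter should not have been consulted at all and the exemption itself is the thing to verify.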