- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Wrong categorization
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wrong categorization
I have web filter configured on my fortigate 80F to my AD users and for the las 3 months it have been working fine, since last month a profile where the Web Chat category is permited started blocking the whastapp web. The logs tells the block is because the webfilter is categorizing whatsapp web as Social Networking. The FortiGuard Web Filter Lookup categorizes it as Web Chat, I created a web rating overrides to solve the problem but why my fortigate is categorizing it like social networking?
Please, see the following raw log:
date=2023-03-21 time=15:30:54 id=7213068811073749046 itime=2023-03-21 15:30:54 euid=12697 epid=1206 dsteuid=3 dstepid=101 type=utm subtype=webfilter level=warning action=blocked sessionid=179721645 policyid=41 srcip=XXX.XX.XXX.XXX dstip=157.240.222.60 srcport=53029 dstport=443 proto=6 cat=37 logid=0316013056 service=HTTPS user=USERNAME group=FSSO_SPO_ProPlus eventtime=1679423454318969117 sentbyte=1239 rcvdbyte=3451 srcintfrole=lan dstintfrole=wan direction=outgoing ratemethod=ip reqtype=direct url=https://web.whatsapp.com/ hostname=web.whatsapp.com profile=SPO_ProPlus agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 catdesc=Social Networking eventtype=ftgd_blk srcintf=internal dstintf=wan1 authserver=FSSO_Sede msg=URL belongs to a denied category in policy tz=-0300 srcuuid=fa706ed8-e025-51eb-8560-a301a75a14c7 dstuuid=68e8adce-e00f-51eb-9b17-0ae1d29d7931 policytype=policy srccountry=Reserved dstcountry=Brazil poluuid=af1634f8-6a6d-51ed-6089-03b21c5ecf38 httpmethod=GET devid=XXXXXXXXXXXXXX vd=root dtime=2023-03-21 15:30:54 itime_t=1679423454 srcuuid_name=Sede_Netw dstuuid_name=all
The same problem happens to whatsapp app:
date=2023-04-17 time=11:04:22 id=7223019425664860162 itime=2023-04-17 11:04:22 euid=1374 epid=1120 dsteuid=3 dstepid=101 type=utm subtype=webfilter level=warning action=blocked sessionid=211324555 policyid=41 srcip=XXX.XX.XX.XXX dstip=157.240.222.60 srcport=58297 dstport=443 proto=6 cat=37 logid=0316013056 service=HTTPS user=USERNAME group=FSSO_SPO_ProPlus eventtime=1681740261632323397 sentbyte=1400 rcvdbyte=3451 srcintfrole=lan dstintfrole=wan direction=outgoing ratemethod=ip reqtype=referral url=https://pps.whatsapp.net/v/t61.24694-24/55963542_277213743227349_7903084543010144256_n.jpg?stp=dst-j... hostname=pps.whatsapp.net profile=SPO_ProPlus agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 catdesc=Social Networking eventtype=ftgd_blk srcintf=internal dstintf=wan1 referralurl=https://web.whatsapp.com/ authserver=FSSO_Sede msg=URL belongs to a denied category in policy tz=-0300 srcuuid=fa706ed8-e025-51eb-8560-a301a75a14c7 dstuuid=68e8adce-e00f-51eb-9b17-0ae1d29d7931 policytype=policy srccountry=Reserved dstcountry=Brazil poluuid=af1634f8-6a6d-51ed-6089-03b21c5ecf38 httpmethod=GET devid=XXXXXXXXXXXXXX vd=root dtime=2023-04-17 11:04:22 itime_t=1681740262 srcuuid_name=Sede_Netw dstuuid_name=all
Thiago Herculano
Solved! Go to Solution.
Thiago Herculano
Labels:
- Labels:
-
FortiWeb
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
> The logs tells the block is because the webfilter is categorizing whatsapp web as Social Networking. The FortiGuard Web Filter Lookup categorizes it as Web Chat
Per log file the interesting parts are
dstip=157.240.222.60
ratemethod=ip
hostname=web.whatsapp.com
While the FQDN web.whatsapp.com is rated as Category: Web Chat
the IP 157.240.222.60 is rated as Category: Social Networking
Because you have configured the rating method as IP the matched category is Social Networking.
In the webinterface the setting is "Rate URLs by domain and IP Address".
In the CLI it is called
config webfilter profile
edit "test"
...
config ftgd-wf
set options rate-server-ip <-----
> The same problem happens to whatsapp app:
Per log:
dstip=157.240.222.60
ratemethod=ip
hostname=pps.whatsapp.net
Same applies here.
The FQDN is rated as Category: Instant Messaging
While the IP is marked as Category: Not Rated.
---> To resolve this you could disable the feature to rate by IP address and only rely on the actual FQDN being accessed.
For the ratings check here https://www.fortiguard.com/webfilter.
Regards
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking at Fortiguard website, web.whatsapp.com has never been officially categorized by FG as Social Networking. Look at the history.
https://www.fortiguard.com/webfilter
So this isn't a problem where you might have outdated web filter package from FG.
This is most likely a local configuration issue. Can you try creating a new Web Filter profile and a new FW Policy for testing and see what happens?
Also please review all of your overrides to make sure there is no conflicting config.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Graham, I just found out that: "The FortiGate does not download the Webfiltering database. The database is located in the cloud and your FortiGate sends live web category queries to the cloud."
Solved: How do I see what Web Filter database version we a... - Fortinet Community
Using the commands:
diagnose debug enable
diagnose debug authd fsso list
I can see the problematic user is under the right group and the right webfilter policy. The raw log indicates that is blocking under the right fw policy but for the wrong reason. As soon as possible I will make a new webfilter policy and a new fw policy to test.
Thanks!
Thiago Herculano
Thiago Herculano
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
> The logs tells the block is because the webfilter is categorizing whatsapp web as Social Networking. The FortiGuard Web Filter Lookup categorizes it as Web Chat
Per log file the interesting parts are
dstip=157.240.222.60
ratemethod=ip
hostname=web.whatsapp.com
While the FQDN web.whatsapp.com is rated as Category: Web Chat
the IP 157.240.222.60 is rated as Category: Social Networking
Because you have configured the rating method as IP the matched category is Social Networking.
In the webinterface the setting is "Rate URLs by domain and IP Address".
In the CLI it is called
config webfilter profile
edit "test"
...
config ftgd-wf
set options rate-server-ip <-----
> The same problem happens to whatsapp app:
Per log:
dstip=157.240.222.60
ratemethod=ip
hostname=pps.whatsapp.net
Same applies here.
The FQDN is rated as Category: Instant Messaging
While the IP is marked as Category: Not Rated.
---> To resolve this you could disable the feature to rate by IP address and only rely on the actual FQDN being accessed.
For the ratings check here https://www.fortiguard.com/webfilter.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear, you went just to the point! That is it! It is working properly now! Thank you very much!
Thiago Herculano
Thiago Herculano
Related Posts
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.