dmmillr1
New Contributor

web filtering times out all connections

I am testing moving off a software proxy and trying to set up flow-based on a FortiGate 60C. Right now I have some basic content filters turned on (that I already run on traffic and works fine) on the test profile. I added a single block URL to the test web URL filter and applied that to the test web filter profile. Create a rule for my test host as source, internal interface, destination is wan1/any, service is http, action accept, web filter checked and test profile selected. I get timeouts on EVERYTHING with it enabled from the test host. Not sure why?
dmmillr1
New Contributor

oh yeah Firmware Version v4.0,build0535,120511 (MR3 Patch 7)
pcraponi
Contributor II

Move to the last MR3 version (patch14) and try again

Regards, Paulo Raponi

Dave_Hall
Honored Contributor

service is http action accept, web filter checked and test profile selected I get timeouts on EVERYTHING with it enabled from the test host.
I assume you have enabled NAT on that fw policy? If FortiGuard Categories is enabled in the web filter profile, I assume your fgt has a valid FortiGuard subscription? Can you confirm the correct URL filter list is assigned to the web filter profile? How did you craft the actual URL entry (as a wildcard or regex)? Do you have an app sensor enabled on that fw policy? If so, check to see the site is not being blocked by it.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

dmmillr1

ORIGINAL: pcraponi Move to the last MR3 version (patch14) and try again
Um....no? Unless it's a known bug for the version I am on, that doesn't make sense. If it's a known issue I'm happy to move to a newer patch though.
ORIGINAL: Dave Hall I assume you have enabled NAT on that fw policy? If FortiGuard Categories is enabled in the web filter profile, I assume your fgt has a valid FortiGuard subscription? Can you confirm the correct URL filter list is assigned to the web filter profile? How did you craft the actual URL entry (as a wildcard or regex)? Do you have an app sensor enabled on that fw policy? If so, check to see the site is not being blocked by it.
I'll double check that I remember to check the box for NAT. FortiGuard is up to date. I checked the URL filter numerous times; it's set as a simple block to the website with the domain name and then .com. No app sensor enabled.
rwpatterson
Valued Contributor III

ORIGINAL: dmmillr1
ORIGINAL: pcraponi Move to the last MR3 version (patch14) and try again
Um....no? Unless it's a known bug for the version I am on, that doesn't make sense. If it's a known issue I'm happy to move to a newer patch though.
The onus is on you to determine if a newer patch has resolved your issue. We're not going to do your homework. (At least I'm not!)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dave_Hall
Honored Contributor

ORIGINAL: dmmillr1 I'll double check that I remember to check the box for NAT. FortiGuard is up to date. I checked the URL filter numerous times; it's set as a simple block to the website with the domain name and then .com. No app sensor enabled.
Instead of describing the problem, actual script code and/or a screenshot would be better. (You also did not indicate if the correct URL filter list is tied to the web filter profile assigned to the test computer.) Off the top of my head I would say check the submask on the fw object for your test computer -- it should be /32. If you have UTM logging enabled it should indicate why the test computer was blocked. Again, script code and/or screenshot would help (sans any identifying outside IP addresses).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

dmmillr1

ORIGINAL: rwpatterson The onus is on you to determine if a newer patch has resolved your issue. We're not going to do your homework. (At least I'm not!)
Sorry, wasn't inferring you needed to. I haven't had time to get into the release notes, as this is for a part time consulting gig (previous FT employer) and I need to get the main support password. I just don't think that blindly code upgrading or rebooting a box to try and fix a problem is the first thing to try :)
ORIGINAL: Dave Hall Instead of describing the problem, actual script code and/or a screenshot would be better. (You also did not indicate if the correct URL filter list is tied to the web filter profile assigned to the test computer.) Off the top of my head I would say check the submask on the fw object for your test computer -- it should be /32. If you have UTM logging enabled it should indicate why the test computer was blocked. Again, script code and/or screenshot would help (sans any identifying outside IP addresses).
I'll get a screen up for ya. I did check and the correct URL filter is applied, but I can get screens of all of it. I will post the logs as well; not digging into them was a silly mistake, but in my defense aka excuse....my 5 month old stopped sleeping at night this week and I'm getting pretty tired :p
dmmillr1
New Contributor

NAT issue. The great thing about making a forum post and taking a day off is having to go back with fresh eyes to answer your questions. Thanks for being the OTHER guy in the office, guys.