kcerb
New Contributor III

Static URL Filter question

Hi,

Should static entries have a higher priority than the FortiGuard category-based filter for both Block and Allow actions?

I ask because I blocked the Bandwidth Consuming category and then added a static URL rule *youtube.com with the Allow action, but YouTube is still blocked.

The opposite works well: when Bandwidth Consuming is allowed and I add a static *youtube.com entry with the Block action, then only YouTube is blocked and other sites like vimeo.com are not blocked.

FGT60B, FGT100A, FGT100D

emnoc
Esteemed Contributor III

Questions:

Do you have two policies for the category and static URL?

Did you run diag debug flow to ensure you're hitting the policyid that you're expecting?

Is SSL inspection enabled?


PCNSE 

NSE 

StrongSwan  

kcerb
New Contributor III

Hi emnoc,

For testing I created a Web Filter profile, then a policy with that profile. I placed this policy on top of the other policies.

I can see in the log that it uses that policy:

Yes, the policy uses deep-inspection. It works the same way when I change to certificate-inspection. If in that Web Filter profile I change the category to "allow" and edit the static URL entry "*youtube.com" to change its action to "block", then it works as I expect: it blocks only YouTube, not e.g. vimeo.


emnoc
Esteemed Contributor III

So what did the diag debug flow output show you?


kcerb
New Contributor III

Logs as attachment.

Hope these logs are accurate.

The policy ID which I use for testing is 211.


Yurisk
Valued Contributor

I know it's an old thread, but it came first in Google for "URL static filter", so it's worth having this answered.

The static URL filter has precedence over category web filtering only for the Block action. With the Allow action the URL is still handed over to the further checks, including the category check. The only way to force an 'allow' via the static URL filter is to use the "Exempt" action, which does prevent the URL from being checked for category, BUT ... it also exempts this URL from any other checks like AV/IPS, so use it with care.

This is relevant for any FortiOS version, and there are no signs of change.


Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.
All opinions are mine only.
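As an added illustration (not FortiOS code and not part of this thread), here is a small Python model of the evaluation order Yurisk describes: static Block and Exempt decide immediately, static Allow falls through to the category check, and Exempt also switches off the remaining inspection. The host names, category ratings and static entries are constructed for the example.

```python
import fnmatch

# Constructed model of the evaluation order Yurisk describes; it is not
# FortiOS code. Host names, categories and entries below are made up.
BLOCK, ALLOW, EXEMPT = "block", "allow", "exempt"


def host_matches(pattern, host):
    # A wildcard entry such as "*youtube.com" is modelled as a glob on the host
    return fnmatch.fnmatch(host.lower(), pattern.lower())


def evaluate(host, static_entries, category_of, category_actions):
    """Return (decision, reason, further_checks).

    static_entries: ordered list of (pattern, action) from the static URL filter
    category_of: host -> FortiGuard category (constructed lookup)
    category_actions: category -> BLOCK/ALLOW from the profile
    further_checks: whether AV/IPS etc. would still run on this traffic
    """
    for pattern, action in static_entries:
        if not host_matches(pattern, host):
            continue
        if action == BLOCK:  # static Block wins outright
            return BLOCK, f"static URL {pattern}", False
        if action == EXEMPT:  # Exempt stops all inspection, AV/IPS included
            return ALLOW, f"static URL exempt {pattern}", False
        break  # Allow: the URL still continues to the category check
    category = category_of.get(host, "Unrated")
    if category_actions.get(category, ALLOW) == BLOCK:
        return BLOCK, f"category {category}", False
    return ALLOW, f"category {category}", True


# Constructed category ratings standing in for FortiGuard lookups
CATEGORY_OF = {"www.youtube.com": "Bandwidth Consuming",
               "vimeo.com": "Bandwidth Consuming"}


def thread_scenarios():
    """Replay the cases discussed in the thread; returns decisions by name."""
    cat_block = {"Bandwidth Consuming": BLOCK}
    cat_allow = {"Bandwidth Consuming": ALLOW}
    return {
        # category blocked + static Allow: YouTube is still blocked by category
        "allow_entry": evaluate("www.youtube.com", [("*youtube.com", ALLOW)], CATEGORY_OF, cat_block),
        # category allowed + static Block: only YouTube blocked, vimeo passes
        "block_youtube": evaluate("www.youtube.com", [("*youtube.com", BLOCK)], CATEGORY_OF, cat_allow),
        "block_vimeo": evaluate("vimeo.com", [("*youtube.com", BLOCK)], CATEGORY_OF, cat_allow),
        # category blocked + static Exempt: allowed, but with no further checks
        "exempt_entry": evaluate("www.youtube.com", [("*youtube.com", EXEMPT)], CATEGORY_OF, cat_block),
    }
```

The third element of each result is the point Yurisk warns about: an Exempt entry gets the URL through, but at the cost of the AV/IPS checks that an Allow decided at the category stage would still keep.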