(webfilter) What's the difference between "passthrough" and "allowed"?
FortiOS 5.0.4. I notice that webfilter entries for traffic which is not blocked by the webfilter show up in the logs as "passthrough".
e.g.:
Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 devname=FG100D3 devid=FG100D3 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd="root" policyid=30 identidx=0 sessionid=21843402 srcname="MacBook-MacBook-Pro-de-B.local" osname="Mac OS X" osversion="10.8.5" unauthuser="bj" unauthusersource="forticlient" srcip=192.168.32.8 srcport=60038 srcintf="internal2" dstip=107.20.232.119 dstport=80 dstintf="ISP-Colt" service="http" hostname="nagios.foo.net" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="referral" url="/nagios3/images/comment.gif" sentbyte=633 rcvdbyte=187 msg="URL has been visited" method=domain class=0 cat=255
I re-checked just now, in the FortiOS GUI, all of the FortiGuard Categories (except for a very few which are "Block") are set to "Allow". So why do I see "passthrough" instead of "allowed" in the logs? What would cause an "allowed" status to appear in the log? thanks,
No difference. The other result would be "blocked".
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi Bob,
Thanks.
So, am I silly to ask, if there's no difference, then why are there both the "allowed" and "passthrough" status codes?
:-}
Can't answer that one....
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I am going to take a wild guess here.
There is a consistency issue with the terms used.
In the logs, "passthrough" means that the traffic was "allow"'ed in the firewall.
I just checked my logs for the last 2 days and I don't have a single "status=allowed" there. It only shows up as "passthrough" and I am guessing you will never see a status=allowed in the logs.
It's probably just a legacy naming system carried over from the earliest Fortigate models.
Not a huge leap here, but it would probably take a higher-level tech to verify this, who would perhaps consult an old-timer who remembers how they came up with the names :)
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
I believe passthrough is used universally in traffic log. I didn't see any "allowed" log entries.
Hi, I think the passthrough is OK.
If you set a Block action you will see in the logs: blocked
When you set the Allow action, there will be nothing in the webfilter log, nothing is logged.
When you set the Monitor action, you will see the passthrough.
When you set the Warning action, you will see firstly the blocked and if you click on the web page to continue to the site you will see another passthrough.
So it means only whether the traffic was blocked or passed. It is not reflecting the profile settings.
Another: If you have WF and application control enabled and you disable the webfilter you will see another passthrough but the security event will be apl-ctrl for application control.
So it only means whether the traffic is OK for the UTM function or it is blocked.
AtiT
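An added example, not part of any post in this thread and not Fortinet code: a small Python parser for FortiOS key=value log lines that tallies the webfilter status values, one way to run the check described in the replies above (looking for any status=allowed, or seeing which statuses a profile actually produces) over exported logs. The sample lines are constructed, modelled on the log line in the question, and the function names are hypothetical.

```python
import re
from collections import Counter

# key=value pairs: a value is either double-quoted (may hold spaces and '=')
# or a bare token that runs up to the next whitespace.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_fortios_line(line):
    """Return the key=value fields of one FortiOS syslog line as a dict."""
    fields = {}
    for m in PAIR_RE.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1)] = value.strip()  # tolerate padding inside the quotes
    return fields

def status_counts(lines):
    """Count webfilter log entries per (eventtype, status); other log types are skipped."""
    counts = Counter()
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("type") == "utm" and f.get("subtype") == "webfilter":
            counts[(f.get("eventtype", "?"), f.get("status", "?"))] += 1
    return counts

# Constructed sample lines (not real logs), using field names from the question's log entry.
SAMPLE = [
    'Oct 30 11:14:50 192.0.2.1 date=2013-10-30 time=11:14:50 type=utm subtype=webfilter '
    'eventtype=urlfilter policyid=30 hostname="a.example.net" profile="default" '
    'status="passthrough" url="/img/a.gif?x=1 y=2" msg="constructed sample"',
    'Oct 30 11:14:51 192.0.2.1 date=2013-10-30 time=11:14:51 type=utm subtype=webfilter '
    'eventtype=urlfilter policyid=30 hostname="b.example.net" profile="default" '
    'status="blocked" url="/" msg="constructed sample"',
    'Oct 30 11:14:52 192.0.2.1 date=2013-10-30 time=11:14:52 type=utm subtype=webfilter '
    'eventtype=urlfilter policyid=30 hostname="a.example.net" profile="default" '
    'status=" passthrough" url="/index.html" msg="constructed sample"',
    # A non-webfilter entry, which the tally ignores.
    'Oct 30 11:14:53 192.0.2.1 date=2013-10-30 time=11:14:53 type=traffic '
    'policyid=30 status="accept"',
]

if __name__ == "__main__":
    for (eventtype, status), n in sorted(status_counts(SAMPLE).items()):
        print(f"{eventtype:12} {status:12} {n}")
```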
If you log allowed traffic then you'll see "passthrough" in the logs for allowed traffic
Hi Jay,
Can you please share the commands you use to observe this?
Did you find the difference of passthrough and allowed?
