Jay_Libove
Contributor

(webfilter) What's the difference between "passthrough" and "allowed"?

FortiOS 5.0.4. I notice that webfilter entries for traffic which is not blocked by the webfilter show up in the logs as "passthrough", e.g.:
 Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 devname=FG100D3 devid=FG100D3
 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd="root"
 policyid=30 identidx=0 sessionid=21843402 srcname="MacBook-MacBook-Pro-de-B.local"
 osname="Mac OS X" osversion="10.8.5" unauthuser="bj" unauthusersource="forticlient"
 srcip=192.168.32.8 srcport=60038 srcintf="internal2" dstip=107.20.232.119 dstport=80
 dstintf="ISP-Colt" service="http" hostname="nagios.foo.net" profiletype="Webfilter_Profile"
 profile="default" status="passthrough" reqtype="referral"
 url="/nagios3/images/comment.gif" sentbyte=633 rcvdbyte=187
 msg="URL has been visited" method=domain class=0 cat=255
 
I re-checked just now, in the FortiOS GUI, all of the FortiGuard Categories (except for a very few which are "Block") are set to "Allow". So why do I see "passthrough" instead of "allowed" in the logs? What would cause an "allowed" status to appear in the log? Thanks,
rwpatterson
Valued Contributor III

No difference. The other result would be "blocked".

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Jay_Libove
Contributor

Hi Bob, Thanks. So, am I silly to ask, if there's no difference, then why are there both the "allowed" and "passthrough" status codes? :-}
rwpatterson
Valued Contributor III

Can't answer that one....

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
billp
Contributor

I am going to take a wild guess here. There is a consistency issue with the terms used. In the logs, "passthrough" means that the traffic was "allow"'ed in the firewall. I just checked my logs for the last 2 days and I don't have a single "status=allowed" there. It only shows up as "passthrough" and I am guessing you will never see a status=allowed in the logs. It's probably just a legacy naming system carried over from the earliest Fortigate models. Not a huge leap here, but it would probably take a higher-level tech to verify this, who would perhaps consult an old-timer who remembers how they came up with the names :)

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
vanc
New Contributor

I believe passthrough is used universally in the traffic log. I didn't see any "allowed" log entries.
AtiT
Valued Contributor

Hi, I think the passthrough is OK.

If you set a Block action, you will see in the logs: blocked.
When you set the Allow action, there will be nothing in the webfilter log; nothing is logged.
When you set the Monitor action, you will see the passthrough.
When you set the Warning action, you will first see the blocked, and if you click on the web page to continue to the site you will see another passthrough.

So it means only whether the traffic was blocked or passed. It is not reflecting the profile settings.

Another: if you have WF and application control enabled and you disable the webfilter, you will see another passthrough, but the security event will be apl-ctrl for application control. So it only means whether the traffic is OK for the UTM function or it is blocked.

AtiT
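
The log format quoted in the question can be parsed and tallied per policy and status to check which status values a device actually emits. This is an added example, not part of any post in this thread; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# One key=value pair: the value is double-quoted (may contain spaces and '=')
# or a bare token that runs to the next whitespace.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_line(line):
    """Return the key=value fields of one log line as a dict.

    The syslog prefix (timestamp, sender IP) contains no '=' and is skipped.
    Quoted values are consumed whole, so text such as 'status=...' inside a
    URL is never mistaken for a field of its own.
    """
    fields = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        fields[key] = (quoted or bare).strip()
    return fields

def tally_webfilter_status(lines):
    """Count webfilter log entries per (policyid, status)."""
    counts = Counter()
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("subtype") != "webfilter" or "status" not in f:
            continue  # not a webfilter event
        counts[(f.get("policyid", "?"), f["status"])] += 1
    return counts

# Sample input: line 1 is abridged from the thread; lines 2-3 are constructed.
SAMPLE_LINES = [
    'Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 type=utm '
    'subtype=webfilter policyid=30 hostname="nagios.foo.net" '
    'status="passthrough" url="/nagios3/images/comment.gif" '
    'msg="URL has been visited"',
    'date=2013-10-30 time=11:15:02 type=utm subtype=webfilter policyid=30 '
    'hostname="example.test" status="blocked" '
    'url="/search?q=a b&status=passthrough" msg="constructed sample"',
    'date=2013-10-30 time=11:15:03 type=traffic subtype=forward policyid=30 '
    'status="constructed"',
]

if __name__ == "__main__":
    tally = tally_webfilter_status(SAMPLE_LINES)
    for (policy, status), n in sorted(tally.items()):
        print(f"policy {policy}: {status} x{n}")
```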
Bromont_FTNT
Staff

If you log allowed traffic then you'll see "passthrough" in the logs for allowed traffic
praneeth92
New Contributor

Hi Jay,

Can you please share the commands you use to observe this?

Did you find the difference between passthrough and allowed?