Fortinet white logo
Fortinet white logo

Cookbook

The Web Filter menu is missing

Web and DNS filter troubleshooting

This section contains tips to help you with some common challenges of FortiGate web and DNS filtering.

The Web Filter menu is missing

Go to Feature Select/Feature Visibility and enable Web Filter.

You cannot create new web filter profiles

Go to Feature Select/Feature Visibility and enable Multiple Security Profiles.

You configured web filtering, but it is not working

Verify that Web Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS). If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If all this is correct, verify that proxy options and HTTP and HTTPS enabled and use the correct ports.

You configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy. If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If all this is correct, verify that DNS requests are going through the policy, rather than to an internal DNS server.

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.

The website categorization on your FortiGate does not match the FortiGuard categorization

Verify that you entered the entire URL of the website, not just the domain name. Also verify that you have not used a web rating override to change the local website categorization.

If the categorizations still do not match, verify whether your web filter profile has the option to Rate URLs by domain and IP Address enabled. If this option is enabled, the categorization could be different if the IP address that the URL resolves to has a different rating than the URL itself.

An active FortiGuard web filter license displays as expired/unreachable

If this occurs, verify that web filtering is enabled in one of your security policies. FortiGuard services will sometimes show as expired those services are not actively used.

If web filtering is enabled in a policy, go to your FortiGuard settings. In the options for web filtering, change the FortiGuard port from 53 (default) to 8888. Verify whether the license is shown as active. If it is still inactive/expired, switch back to the default port and verify again.

Go to the DNS settings to verify that your FortiGate is pointing to appropriate DNS servers and can resolve and reach FortiGuard at service.fortiguard.net. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

  • Weight: Based on the difference in time zone between the FortiGate and this server
  • RTT: Return trip time
  • Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
  • TZ: Server time zone
  • Curr Lost: Current number of consecutive lost packets
  • Total Lost: Total number of lost packets

Using URL Filters in conjunction with FortiGuard Categories is not working

Web filtering inspection is applied in the following order:

  1. URL filters
  2. FortiGuard category filtering
  3. Advanced filters (ex. safe search or removing Active X components)

Because of this order, a URL can trigger two matches: first, for a URL filter with Action set to Allow, and the a second for a blocked FortiGuard Category. This results in the website being blocked. To avoid this, set Action to Exempt to bypass further web filter inspection of that URL.

You can control which scans that you wish to exempt the URL from in the CLI:

config webfilter urlfilter
    edit <id>
        config entries
            edit <id>
                set exempt {av | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
            next
        end
    next
end

The Web Filter menu is missing

Web and DNS filter troubleshooting

This section contains tips to help you with some common challenges of FortiGate web and DNS filtering.

The Web Filter menu is missing

Go to Feature Select/Feature Visibility and enable Web Filter.

You cannot create new web filter profiles

Go to Feature Select/Feature Visibility and enable Multiple Security Profiles.

You configured web filtering, but it is not working

Verify that Web Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS). If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If all this is correct, verify that proxy options and HTTP and HTTPS enabled and use the correct ports.

You configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy. If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If all this is correct, verify that DNS requests are going through the policy, rather than to an internal DNS server.

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.

The website categorization on your FortiGate does not match the FortiGuard categorization

Verify that you entered the entire URL of the website, not just the domain name. Also verify that you have not used a web rating override to change the local website categorization.

If the categorizations still do not match, verify whether your web filter profile has the option to Rate URLs by domain and IP Address enabled. If this option is enabled, the categorization could be different if the IP address that the URL resolves to has a different rating than the URL itself.

An active FortiGuard web filter license displays as expired/unreachable

If this occurs, verify that web filtering is enabled in one of your security policies. FortiGuard services will sometimes show as expired those services are not actively used.

If web filtering is enabled in a policy, go to your FortiGuard settings. In the options for web filtering, change the FortiGuard port from 53 (default) to 8888. Verify whether the license is shown as active. If it is still inactive/expired, switch back to the default port and verify again.

Go to the DNS settings to verify that your FortiGate is pointing to appropriate DNS servers and can resolve and reach FortiGuard at service.fortiguard.net. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

  • Weight: Based on the difference in time zone between the FortiGate and this server
  • RTT: Return trip time
  • Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
  • TZ: Server time zone
  • Curr Lost: Current number of consecutive lost packets
  • Total Lost: Total number of lost packets

Using URL Filters in conjunction with FortiGuard Categories is not working

Web filtering inspection is applied in the following order:

  1. URL filters
  2. FortiGuard category filtering
  3. Advanced filters (ex. safe search or removing Active X components)

Because of this order, a URL can trigger two matches: first, for a URL filter with Action set to Allow, and the a second for a blocked FortiGuard Category. This results in the website being blocked. To avoid this, set Action to Exempt to bypass further web filter inspection of that URL.

You can control which scans that you wish to exempt the URL from in the CLI:

config webfilter urlfilter
    edit <id>
        config entries
            edit <id>
                set exempt {av | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
            next
        end
    next
end