Fortiguard Rating Error

Author
FortiAdam
2014/09/19 15:13:17

I'm running a 100D on 5.0.7. Lately I had a machine that was able to make a connection out to a known botnet source because a rating error had occurred. This same IP had been rated as Malicious prior to the connection and even after the connection and was blocked. I considered using the option to block a site when a rating error occurs, but looking through my logs I am finding that there are numerous rating errors and I don't want to block legitimate traffic.

Does anyone have experience with Fortiguard rating errors? I have a good connection at this site and am not having any other issues with Fortiguard services that I am aware of.
#1


    Dave Hall
    RE: Fortiguard Rating Error 2014/09/19 16:22:20
    A ratings error occurs if the Fortigate cannot reach the FortiGuard service and/or the site is not actually given a FortiGuard rating (though I think you'll be getting an unknown rating error in that case).

    Keep in mind that the FortiGuard service works on mostly web traffic -- you will want to look into IPS/App control sensors to block botnet connections. See this thread for a good discussion on blocking botnet connections, at various UTM levels.

    FCNSA /FMG-VM64/FortiAnalyzer-VM/4.0 MR3P18 5.0.9 (FWF40C/FWF80CM/FGT200B/FGT200D) / FAP220B/221C
    #2
    FortiAdam
    RE: Fortiguard Rating Error 2014/09/22 13:08:04
    Hi Dave, thanks for the reply!

    I think there is a pretty significant difference between an unrated website and an actual rating error. The problem I'm dealing with here pertains to actual rating errors occurring. I'm seeing this on all different kinds of sites but not on a consistent basis.

    I appreciate the feedback on how to block botnet connections but at this point I'm not really looking to take this conversation into that subject. I'm really just concerned with Fortiguard categories and how I can avoid getting rating errors in the future.
    #3
    Christopher McMullan_FTNT
    RE: Fortiguard Rating Error 2014/09/22 13:49:41
    What is the output when you run 'diag debug rating' - are there any dropped packets in the last column?

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #4
    FortiAdam
    RE: Fortiguard Rating Error 2014/09/23 06:17:56
    Yes, I have plenty of lost packets showing on almost every IP in the list. I'm going to try setting the webfilter-sdns-server-port to 8888 and see if that helps at all.
    #5
    Dave Hall
    RE: Fortiguard Rating Error 2014/09/25 10:57:30
    Just curious to know if you are receiving packet loss on connections going out the WAN port? Can you perform a "diag hardware deviceinfo nic <interface name>" and check for any errors reported? (Possible duplex mismatch.)

    FCNSA /FMG-VM64/FortiAnalyzer-VM/4.0 MR3P18 5.0.9 (FWF40C/FWF80CM/FGT200B/FGT200D) / FAP220B/221C
    #6
    ShrewLWD
    RE: Fortiguard Rating Error 2014/09/25 11:05:32
    We get this pretty consistently when the ISP of one of our locations blocks or degrades DNS queries off-network, and our Fortigate is set to use Fortinet's DNS servers.

    In your Fortiguard settings, do you have your webfilter option set to regular 53, or port 8888? We have found switching it to 8888 stops all of our 'Rating Error Occurs'.

    EDIT: Sorry, just saw your last post attempting to switch to 8888. I'm curious to see if that solves it for you.
    #7
    FortiAdam
    RE: Fortiguard Rating Error 2014/09/25 11:30:33
    Dave:
    No errors on the interface. I assume that would degrade service to the point where we would have noticed it but you never know.

    ShrewLWD:
    Thanks for the edit - I have been using 8888 for a few days now.

    Here's my output of "diag debug rating" for today:

    -=- Server List (Thu Sep 25 13:26:07 2014) -=-

    IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
    69.195.205.101       10   44         -5   292603          0         922
    66.117.56.42         10   78         -5    88467          0         328
    64.26.151.36         10   93         -5    35453          0         104
    64.26.151.37         10   93         -5    35320          0         103
    209.222.147.43       10   57         -5    73235          0         276
    209.222.147.36       10  130         -5    83185          0         232
    64.26.151.35         10   91         -5    35765          0         101
    66.117.56.37         10   57         -5    89184          0         307
    69.195.205.102       10   45         -5   357885          0        6916
    96.45.33.65          20   71         -8    38471          0          92
    96.45.33.64          20   71         -8    36537          0          94
    208.91.112.200       20  111         -8    35421          0         222
    208.91.112.196       20  115  DI     -8    36395          0        1079
    208.91.112.198       20  114  D      -8    36807          0        1574
    80.85.69.40          60  148          0    35335          0         132
    80.85.69.41          60  148          0    35333          0         130
    80.85.69.37          60  148          0    35341          0         139
    80.85.69.38          60  148          0    35357          0         156
    62.209.40.72         70  163          1    35390          0         188
    62.209.40.73         70  163          1    35424          0         224
    62.209.40.74         70  164          1    35478          0         279
    121.111.236.179     150  197          9    35463          0         276
    121.111.236.180     150  195          9    35358          0         153
    69.195.205.103       45   44  F      -5    39178      38994       38995
    #8
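
Added example (not part of the original thread): a small Python parser for the "diag debug rating" server list posted above, computing per-server loss so a degraded FortiGuard path is visible before rating errors let traffic through unrated. The sample rows are copied from that post; the function names and the 1% loss threshold are assumptions chosen for illustration, and the Flags letters are carried through uninterpreted.

```python
import re

# Constructed sample: header plus three rows taken from the output posted above.
SAMPLE = """\
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
69.195.205.101 10 44 -5 292603 0 922
208.91.112.196 20 115 DI -8 36395 0 1079
69.195.205.103 45 44 F -5 39178 38994 38995
"""

# The Flags column is often blank, so it is optional; it is alphabetic while
# every other column is numeric, which keeps the match unambiguous.
ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<weight>\d+)\s+(?P<rtt>\d+)\s+"
    r"(?:(?P<flags>[A-Za-z]+)\s+)?(?P<tz>-?\d+)\s+(?P<packets>\d+)\s+"
    r"(?P<curr_lost>\d+)\s+(?P<total_lost>\d+)\s*$"
)
INT_FIELDS = ("weight", "rtt", "tz", "packets", "curr_lost", "total_lost")


def parse_server_list(text):
    """Return one dict per server row; header, banner and blank lines are skipped."""
    servers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in INT_FIELDS:
            row[key] = int(row[key])
        row["flags"] = row["flags"] or ""
        sent = row["packets"]
        row["loss_pct"] = round(100.0 * row["total_lost"] / sent, 2) if sent else 0.0
        servers.append(row)
    return servers


def degraded(servers, max_loss_pct=1.0):
    """Servers with cumulative loss above the threshold or any current loss.

    max_loss_pct is an assumed threshold, not a Fortinet recommendation.
    """
    return [s for s in servers
            if s["loss_pct"] > max_loss_pct or s["curr_lost"] > 0]


if __name__ == "__main__":
    for s in degraded(parse_server_list(SAMPLE)):
        print(f'{s["ip"]:<16} flags={s["flags"] or "-":<3} loss={s["loss_pct"]}%')
```
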
    FortiAdam
    RE: Fortiguard Rating Error 2014/09/25 12:21:32
    Well, a closer look at my logs showed that changing the port to 8888 for Fortiguard lookups seems to have cleared up my issue after all.

    Thanks for the suggestions everyone!
    #9
    DataPartnerInc
    Re: Fortiguard Rating Error 2014/10/25 11:25:43
    It may also be possible to use Security Profiles > Web Filter > Rating Overrides and set up a Custom Category to assign the sites you want to allow in spite of a rating error or being "Unrated".
    #10
    sotir1984
    Re: Fortiguard Rating Error 2017/05/19 05:10:59
    Is "rating error occurred" written anywhere in the logs?
     
    Sotir
    #11