Helpful ReplyHot!Web filter is not working properly in forti os 5.6?

Author
YASH1994
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/04 20:44:09
  • Status: offline
2018/06/04 21:00:06 (permalink) 5.6
0

Web filter is not working properly in forti os 5.6?

This is a newly configured Firewall. we try to enable the web filter in that. LAN pc's connect to the internet before enable the web filter. But after enable the web filter it's not connect to the internet. all configuration done correctly step by step.
1. Configure the LDAP server (Bind type - Reguler)
2. Configure the single sign on (Enable polling)
3. Configure the IPv4 policy
 
but after these steps LAN users can't access the internet. 
#1
François
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/17 05:12:30
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/06/05 00:18:24 (permalink)
0
I'm not expert of Fortigate but i had same trouble because my licence was down.
 
#2
YASH1994
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/04 20:44:09
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/06/05 01:51:55 (permalink)
0
In our side licence is ok. Thank you for the help.
post edited by YASH1994 - 2018/06/05 01:56:20
#3
andreotta
New Member
  • Total Posts : 19
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/10/03 09:20:26
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/06/14 10:59:35 (permalink)
0
Hi,
Can FGT reach the Fortigaurdserver ? Can you try from FGT: #
exec ping service.fortiguard.net
 
Regards,
André Otta
#4
YASH1994
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/04 20:44:09
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/06/20 23:26:21 (permalink)
0
Thank you André Otta.
But we resolve the problem with the help of Fortigate support. 
#5
SecurityPlus
Gold Member
  • Total Posts : 229
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/09 22:10:40 (permalink)
0
What did FortiGate support recommend to solve this issue?
#6
razer8388
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/08/16 18:59:57
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/24 00:34:53 (permalink)
0
Sometime, arrange the policy location almost work for me :-)
#7
McEathron
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/07/31 09:37:18
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/24 08:45:04 (permalink)
0
Hello YASH1984,
 
The Web Filter blocks websites based upon categories. It doesn't block the entire internet, just pages that Fortinet has determined fall into specific categories, that you have chosen to block.
 
For this reason, I would think that your Web Filter is not the issue here. The difficulty reaching the internet is more likely found in the setup of your LDAP, SSO, or IPv4 Policy.
 
Those are the area's that I would focus my troubleshooting on.
#8
marco_d
New Member
  • Total Posts : 11
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/18 04:29:47
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/24 14:53:30 (permalink)
0
I just updated our 240d cluster for 5.4.9 to 5.6.5 After the reboot the webfilter not worked more. There comes the message that no fortiguard server are avaible. I wait this night to see if there is some chage tomorrow. If not i will open a ticket. For the moment i disabled the webfilter what is not good but i not see any other option.
 
Regards
Marco
 
#9
SecurityPlus
Gold Member
  • Total Posts : 229
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/24 15:06:40 (permalink)
0
Do you have a green check by the Web Filter licenses on the Dashboard?
 
Can you: exec ping servicelfortiguard.net
#10
marco_d
New Member
  • Total Posts : 11
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/18 04:29:47
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/25 02:12:31 (permalink)
0
Hello, SecurityPlus.
 
yes i have green checks in the Dashboard and Fortiguard. I logged in via cli to the box but was not able to send an ping.
 
FG-240D-1 # execute ping www.heise.de
7215: Unknown action 0
Command fail. Return code -1
 
When the uer try to  Access a Webpage with aktive filter in the policy than Comes an error message that says
 
"An error occurred while trying to rate the website using the webfiltering service. 
Web filter service error: all Fortiguard servers failed to respond "
 
 
Note: After i wrote this post. i called the Support. I had some Problems to understand the guy on the phone but when i understood correct he says that there was a Server issue at the Weekend and that i should call back on monday.....
post edited by marco_d - 2018/08/25 02:18:44
#11
SecurityPlus
Gold Member
  • Total Posts : 229
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/25 19:45:18 (permalink)
0
Interesting. Please let us know if this was the cause of the issue.
#12
marco_d
New Member
  • Total Posts : 11
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/18 04:29:47
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/26 03:49:08 (permalink)
0
I am real confused about that error. Today i got that there is a timeout for do a website rating no server is answering. I wonder if its just cause i did the update at the weekend that my services need be registered again. If there is a general problem i would expect that more people complaining and that maybe some write here. I tested the default webfilter but there was no message sure cause there is all allowed. I also tried to create a complete new webfilter but that also not worked. I also not understand why its not possible to do execute commands in the cli. Maybe something went wrong during the update. But lets see what the support says on monday.
 
BR
Marco
#13
SecurityPlus
Gold Member
  • Total Posts : 229
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/27 21:30:26 (permalink)
0
Any update that you can provide?
#14
marco_d
New Member
  • Total Posts : 11
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/18 04:29:47
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/28 02:22:42 (permalink)
0
SecurityPlus
Any update that you can provide?

Hello, yes the Problem is solved but not with help of fortigate Support at the Moment my ticket is escalated to the next Level. So what happen was that after the upgrade from 5.4.9 to 5.6.5 the web filtering port changed from 53 to 8888. I opened this port in our Internet Firewall and immediately the connection to the fortigate servers was working. the box registered the services and web filter started working again.
 
I double checked the logging and it was really an automatic change that the box did after the update. Maybe I should have more early the idea to check this part but I was sure I not changed nothing so I expected all work like before.
 
BR
Marco
 
#15
tanr
Platinum Member
  • Total Posts : 639
  • Scores: 21
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/28 08:45:36 (permalink)
0
I noticed this as well when moving to 5.6.5.  It wasn't mentioned in the release notes, but it is mentioned in the "Ports and Protocols" document: https://docs.fortinet.com/uploaded/files/3606/fortinet-communication-ports-and-protocols-56.pdf as having changed in 5.6.3.
 
Just to confirm, it was another firewall that was blocking 8888, not the FortiGate itself?
#16
marco_d
New Member
  • Total Posts : 11
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/06/18 04:29:47
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/29 03:07:12 (permalink)
0
Yes it was another firewall. We use the fortigate cluster as layer 2 firewall for Application Filter,Webfilter and IDP. The connect to the Fortigate Server is done with the MGMT Interface. This is connected to another firewall where we just allowed special ports that are needed.
 
BR
Marco
 
#17
eksjonathan
New Member
  • Total Posts : 10
  • Scores: 0
  • Reward points: 0
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/29 06:24:47 (permalink)
0
marco_d
So what happen was that after the upgrade from 5.4.9 to 5.6.5 the web filtering port changed from 53 to 8888. 
 

 
We also experienced this and reported it to Fortinet as a bug, which was acknowledged.  I requested it be included in the release notes as a warning to others but have not checked if the latest notes includes it.
 
In our case we changed the port back to 53 and Fortiguard could be contacted again.
 
Jonathan
post edited by eksjonathan - 2018/08/29 06:25:51
#18
tanr
Platinum Member
  • Total Posts : 639
  • Scores: 21
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/29 07:50:19 (permalink)
0
FYI, they never included it in the release notes.  Feel free to reopen your ticket!  ;)
#19
sw2090
Gold Member
  • Total Posts : 247
  • Scores: 8
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Web filter is not working properly in forti os 5.6? 2018/08/30 08:04:32 (permalink) ☄ Helpfulby tanr 2018/08/30 08:29:57
0
To be correct:
 
It does block the complete internet if it has no valid license or cannot reach the Fortiguard Servers to check.
 
Maybe you could use flow debug to see what your packets are doing on your fgt.
 
  diag debug enable
  diag debug flow filter <filter|list|?> (a "?" will have it show available filters , "list" will list the current filters)
  diag debug flow show console enable (you want to see something on cli do you *g*)
  diag debug flow trace start <numberofpackets> (stop will stop it again)
 
Mostly this gives you a clue what goes wrong with your packets...
#20
Jump to:
© 2018 APG vNext Commercial Version 5.5