Poseidonn
New Contributor

Web filter override

Hi,

I'm trying to make a web filter override for the storage.live.com URL.

I created a custom category, associated the URL with it, and allowed the custom category in the web filter profile.

But unfortunately, when the client goes to storage.live.com, he is blocked.

The message in the log:

Category Description: File Sharing and Storage
Message: URL belongs to a denied category in policy

The firmware is FortiOS v6.0.2 build0163
System Operation Settings: Flow-based
NGFW Mode: Profile-based

Why is my override not working?

Regards

 

darwin_FTNT
Staff

Hi,

 

I would recommend using FortiOS v5.6.x firmware instead to see if the feature works. FortiOS v6.x images are the latest, but many changes are still being committed or new features will be added. As far as I know (I don't have specific statistics), the majority of users are still on v5.4.x or v5.6.x. These firmware versions are more stable, as their commits are important bug fixes only (rather than new features or code improvement changes). Also, firmware releases are done in phases to avoid issues. The webfilter profile inspection mode should be proxy, as flow-based webfilter override (handled by the IPS engine daemon) might not be working. Kindly open a customer ticket to get the latest recommendation. Thanks.

sw2090
Honored Contributor

Did it match the policy with the correct webfilter profile?

Policies are always exempt, i.e. once one policy matches the packet the rest will not be applied anymore.

Some flow debug will show you which policy got the packet.

 

diag debug enable

diag debug flow show console enable

diag debug flow filter clear|list|<filter>

diag debug flow trace start <numberofpacketstotrace>

 

Probably filter for the destination IP (not sure if you could use an FQDN here, probably not because this is the IP layer), and then try to ping or HTTP-access the site from your client and watch your CLI.

Btw: if you want to identify the policy in the GUI, you have to turn on the ID column in the view first, because the number shown by default is not the policy ID, and the flow trace on the CLI shows the policy ID.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
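sw2090's suggestion to read the policy ID off the flow trace, as an added example that is not part of the original thread: a small Python parser that groups trace lines by trace_id and reports the policy that decided each packet. The sample output is constructed, its line layout is an assumption that may differ between firmware builds, and `summarize_flow_trace` and `mismatches` are hypothetical names.

```python
import re

# Constructed sample of flow-trace console output (not from the original thread).
# The line layout is an assumption modelled on typical FortiOS flow debug messages.
SAMPLE_TRACE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 192.0.2.10:51514->198.51.100.20:443) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0001a2b3"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.0.2.10:1->198.51.100.99:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=\S+\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\.')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by .*?\(policy (\d+)\)')

def summarize_flow_trace(text):
    """Group trace lines by trace_id and report the policy that decided each packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # skip CLI prompts, blank lines and wrapped output
        tid, msg = int(m.group(1)), m.group(2)
        entry = traces.setdefault(tid, {"trace_id": tid, "src": None, "dst": None,
                                        "in_if": None, "verdict": "undecided", "policy_id": None})
        pkt = PKT_RE.search(msg)
        if pkt:
            entry["src"], entry["dst"], entry["in_if"] = pkt.group(2), pkt.group(3), pkt.group(4)
        allow, deny = ALLOW_RE.search(msg), DENY_RE.search(msg)
        if allow:
            entry["verdict"], entry["policy_id"] = "allowed", int(allow.group(1))
        elif deny:  # policy 0 is the implicit deny at the end of the policy list
            entry["verdict"], entry["policy_id"] = "denied", int(deny.group(1))
    return list(traces.values())

def mismatches(traces, expected_policy_id):
    """Traces decided by a policy other than the one carrying the web filter profile."""
    return [t for t in traces if t["policy_id"] != expected_policy_id]

if __name__ == "__main__":
    for t in summarize_flow_trace(SAMPLE_TRACE):
        print(t["trace_id"], t["src"], "->", t["dst"], t["verdict"], "policy", t["policy_id"])
```

Paste the captured console output in place of `SAMPLE_TRACE` and pass the ID of the policy that holds the web filter profile to `mismatches` to list packets that were handled by some other policy.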
