Web filter override

2018/09/25 11:19:05 (permalink)

I'm trying to make a web filter override for a URL.
I created a custom category, associated the URL with it, and allowed the custom category in the web filter profile.
But unfortunately when the client goes to and he is blocked
The message in the log:
Category Description: File Sharing and Storage
Message: URL belongs to a denied category in policy
The firmware is FortiOS v6.0.2 build0163
System Operation Settings: Flow-based
NGFW Mode: Profile-based
What is my problem that makes the override not work?


Re: Web filter override 2018/09/25 14:53:29 (permalink)
I would recommend using FortiOS v5.6.x firmware instead to see if the feature works. FortiOS v6.x images are the latest, but many changes are still being committed or new features will be added. As far as I know (I don't have specific statistics), the majority of users are still on v5.4.x or v5.6.x. These firmware versions are more stable, as commits are important bug fixes only (rather than new features or code improvement changes). Also, firmware releases are being done in phases to avoid issues. The webfilter profile inspection mode should be proxy, as flow-based webfilter override (handled by the IPS engine daemon) might not be working. Kindly open a customer ticket to get the latest recommendation. Thanks.
Re: Web filter override 2018/09/26 23:18:17 (permalink)
Did it match the policy with the correct webfilter profile?
Policies are always exempt, i.e. once one policy matches the packet the rest will not be applied anymore.
Some flow debug will show you which policy got the packet.
diag debug enable
diag debug flow show console enable
diag debug flow filter clear|list|<filter>
diag debug flow trace start <numberofpacketstotrace>
Probably filter for the destination IP (not sure if you could use an FQDN here, probably not because this is the IP layer) and then try to ping or HTTP access the site from your client and watch your CLI.
Btw: if you want to identify the policy in the GUI, you have to turn on the ID column in the view first, because the number shown by default is not the policy ID and the flow trace on the CLI shows the policy ID.
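
As an added example (not part of the thread and not Fortinet tooling), this script reads flow-trace console output saved as text and reports which policy ID handled each traced packet, which is the check the last reply describes. The sample lines are constructed and the message wording is an assumption; adjust the patterns to what your unit prints.

```python
import re
from collections import defaultdict

# Constructed sample of flow-trace console output (not taken from the thread).
# The msg wording is assumed; adapt the patterns below to your firmware's output.
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.0.5:51000->203.0.113.10:443) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.0.0.5:1->203.0.113.10:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=fw_forward_handler line=591 msg="Denied by forward policy check (policy 0)"
'''

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+?)\) from (\S+?)\.')
ALLOW = re.compile(r'Allowed by Policy-(\d+)')
DENY = re.compile(r'Denied by .*\(policy (\d+)\)')


def summarize(text):
    """Group trace lines by trace_id and record packet tuple, verdict and policy ID."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # ignore prompts, blank lines and other console noise
        trace = traces[int(m.group(1))]
        msg = m.group(3)
        if (p := PKT.search(msg)):
            trace.update(proto=int(p.group(1)), src=p.group(2),
                         dst=p.group(3), iface=p.group(4))
        elif (a := ALLOW.search(msg)):
            trace.update(action="allow", policy=int(a.group(1)))
        elif (d := DENY.search(msg)):
            trace.update(action="deny", policy=int(d.group(1)))
    return dict(traces)


if __name__ == "__main__":
    for tid, t in sorted(summarize(SAMPLE).items()):
        print(f"trace {tid}: {t.get('src')} -> {t.get('dst')} via {t.get('iface')}: "
              f"{t.get('action', 'no verdict')} (policy ID {t.get('policy', '?')})")
```

Compare the reported policy ID with the ID column in the GUI to confirm that the policy carrying the intended web filter profile is the one that matched.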