Web filter override

Author
Poseidonn
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/09/25 11:09:31
  • Status: offline
2018/09/25 11:19:05 (permalink)
0

Web filter override

Hi,

I'm trying to make a web filter override for the storage.live.com URL.

I created a custom category, associated the URL with it, and in the web filter profile I allow the custom category.

But unfortunately, when the client goes to storage.live.com, he is blocked.

The message in the log:
Category Description: File Sharing and Storage
Message: URL belongs to a denied category in policy

The firmware is FortiOS v6.0.2 build0163
System Operation Settings: Flow-based
NGFW Mode: Profile-based

What is my problem? Why is the override not working?

Regards

post edited by Admin_FTNT - 2018/09/25 12:07:26
#1
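For reference, the CLI equivalent of the GUI steps the poster describes (custom local category, local rating of the URL into it, profile that allows the category, and the policy that carries the profile). This is an added example on FortiOS 6.0 syntax, not the poster's configuration: the object names "allowed-cloud-storage" and "override-test", the local category ID 140, the policy ID 10 and the interface names are assumptions. The part the GUI walk-through in the post does not mention is the last block: storage.live.com is reached over HTTPS, so in flow mode the FortiGate only has a hostname to rate if an SSL/SSH inspection profile (certificate inspection is enough, it reads the TLS SNI) is attached to the policy the client's traffic actually matches.

```fortios
# Added example: FortiOS 6.0 CLI form of the override described in the post.
# Object names, the policy ID and the interface names are assumptions.
# Local (custom) web filter categories use IDs starting at 140.
config webfilter ftgd-local-cat
    edit "allowed-cloud-storage"
        set id 140
    next
end

# Rate the host into the local category. A local rating takes precedence
# over the FortiGuard rating, which is what lets this override the
# "File Sharing and Storage" verdict for this host only.
config webfilter ftgd-local-rating
    edit "storage.live.com"
        set status enable
        set rating 140
    next
end

# Web filter profile. "monitor" lets the request through and logs it;
# a category with no filter entry at all is allowed without logging
# (that is what the GUI shows as "Allow"). All other FortiGuard
# categories keep whatever action the profile already has.
config webfilter profile
    edit "override-test"
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action monitor
                next
            end
        end
    next
end

# The policy the client's traffic matches must carry the profile AND an
# SSL/SSH inspection profile: in flow mode the hostname used for rating
# an HTTPS request comes from the TLS SNI, and without SSL inspection
# there is nothing for the local rating to match against.
config firewall policy
    edit 10
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "override-test"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```

"certificate-inspection" is one of the SSL/SSH inspection profiles FortiOS ships with; it does not decrypt the session, it only reads the certificate and SNI, which is all the local rating needs.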
darwin_FTNT
Bronze Member
  • Total Posts : 34
  • Scores: 2
  • Reward points: 0
  • Joined: 2018/04/24 18:12:28
  • Status: offline
Re: Web filter override 2018/09/25 14:53:29 (permalink)
0
Hi,

I would recommend using FortiOS v5.6.x firmware instead and seeing if the feature works. FortiOS v6.x images are the latest, but many changes are still being committed or new features will be added. As far as I know (I don't have specific statistics data), the majority of users are still on v5.4.x or v5.6.x. These firmwares are more stable, as commits are important bug fixes only (rather than new features or code improvement changes). Also, firmware releases are being done in phases to avoid issues. The web filter profile inspection mode should be proxy, as flow-based web filter override (handled by the IPS engine daemon) might not be working. Kindly open a customer ticket to get the latest recommendation. Thanks.
#2
sw2090
Gold Member
  • Total Posts : 202
  • Scores: 10
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Web filter override 2018/09/26 23:18:17 (permalink)
0
Did it match the policy with the correct web filter profile?
Policies are always exempt, i.e. once one policy matches the packet, the rest will not be applied anymore.
Some flow debug will show you which policy got the packet.

# enable debug output
diag debug enable
# print flow trace messages to the console
diag debug flow show console enable
# clear, list or set a flow filter (e.g. daddr <ip>)
diag debug flow filter clear|list|<filter>
# start tracing the given number of packets
diag debug flow trace start <numberofpacketstotrace>

Probably filter for the destination IP (not sure if you could use an FQDN here, probably not, because this is the IP layer) and then try to ping or HTTP-access the site from your client and watch your CLI.
Btw: if you want to identify the policy in the GUI, you have to turn on the ID column in the view first, because the number shown by default is not the policy ID, and the flow trace on the CLI shows the policy ID.
#3
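The flow debug suggested above, written out as the complete check an engineer would run end to end, including the filter so the output stays readable and the cleanup so debug output does not stay on. This is an added example, not part of the reply: the client address 192.0.2.10 is a placeholder, and the policy ID 10 and profile name "override-test" are assumed to be the objects carrying the override.

```fortios
# Added example, not from the thread. 192.0.2.10 is a placeholder client
# address; policy 10 and profile "override-test" are assumed names.

# 1. Confirm the override objects exist and the profile lists the category.
show webfilter ftgd-local-cat
show webfilter ftgd-local-rating
show webfilter profile override-test

# 2. Trace only this client's HTTPS flows, twenty packets is plenty.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.0.2.10
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20
# ... now open https://storage.live.com/ from 192.0.2.10 and look for the
#     "Allowed by Policy-<id>" line. That <id> is the firewall policy ID,
#     not the row number the GUI shows by default.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# 3. If the policy in the trace is not the one carrying the override
#    profile, the problem is policy order, not the web filter profile.
#    Check what the matched policy actually references.
show firewall policy 10

# 4. Confirm the verdict in the web filter log (category 3), which is
#    where the "URL belongs to a denied category" message is recorded.
execute log filter category 3
execute log display
```

The filter on source address and destination port matters: without it, the trace mixes in every other flow through the box and the twenty-packet budget is used up before the client's request appears.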