hm I retested with a policy now that does have full inspection enabled (and with different url). The policy is definietely matched and the the target of the forward is not blocked by cathegory.
Still I have the same behaviour even with enabled full inspection:
Even though there is an exempt rule for that url in url filter it still gets blocked by cathegory. If I set a rating override for it to a cathegory that is in the reputation list in the ssl profile it dies not get blocked any longer.
To me that looks like if deep inspection does not care for webfilter profiles and url filters and just only looks at its owb whitelist by cathegory. This is not very satisfying. In times of more and more *censored* tracking and putting everything into some cloud this will also create a security risk as you mostly have to whitelist most of the cloud since rating override only works for domains.
I verfied that now: as long as there is an url filter exempt rule in the webfilter profile applied to the policy the site is accessible if you use http. It is still blocked when you use https as it is not in a reputable cathegory.
So looks to me as if you cannot use any webfilter profiles with https atm. SSL Inspection allows filtering by fortiguard cathegories only. Filtering sepcific urls is obviously impossible atm.
I also openened a TAC Ticket for this and annother issue connected to it. TAC will do a remote session with me at a yet-to-be negotiated time and date to have a close look at this.
post edited by sw2090 - 2020/06/15 05:41:33