latyeo
New Contributor

Web rating error

Hi. We recently upgraded from 6.0.5 to 6.0.9 and then changed the FortiGuard protocol from UDP to HTTPS. Since then we are occasionally getting block messages: 'An error occurred while trying to rate the website using the webfiltering service.'

I've looked at the KB article https://kb.fortinet.com/k....do?externalID=FD33528 but am slightly confused about the sentence "This will allow users to access the web sites when a rating error occurs, and will allow the FortiGate unit to use the FortiGuard Web Filtering database that it has stored on the unit to rate the web site." Can I just confirm that it means when it can't reach FortiGuard it will rate the website using the local DB and allow/block access accordingly? Just looking at the option on the FG, "Allow websites when a rating error occurs", suggests that it is going to allow it whatever the rating is. Thanks for your time.

1 Solution
TecnetRuss
Contributor

When "Allow websites when a rating error occurs" is enabled it means:

  • If the rating for the URL is in the cache, the FortiGate will apply the matching profile action for that cached rating, e.g. block, warn, monitor, allow, etc.
  • If the rating for the URL is not in the cache, the FortiGate will default to "allow" and allow the traffic through.

Keep in mind that the "local DB" cache is only a cache of the ratings for recently visited websites. It is a very small list compared to the full FortiGuard database. With this setting enabled there is a very good chance that traffic will get through to sites that would otherwise be blocked, so enable it at your own risk.

The reason that "a rating error occurs" happens more often with HTTPS vs. UDP is that Fortinet doesn't seem to have the same capacity to handle HTTPS web ratings lookups compared to UDP. If you run "diag debug rating" when in UDP mode vs. HTTPS mode you'll see that there are far more servers available to respond to UDP ratings lookups vs. HTTPS.

Russ

NSE7

latyeo

Thanks Russ, that makes sense now.

dmh
New Contributor

So does everyone have to turn this on in general?

I've upgraded to 6.4.1 and have tried HTTPS and UDP 53/8888 and still get rating errors all the time.

I'm in Australia.

rohittarang

@TecnetRuss: But how can we avoid this error? What is the root cause behind it? How do we solve it permanently?

TecnetRuss

I can't say for sure, but I suspect this is a capacity issue with the FortiGuard rating servers getting overloaded occasionally, and that the HTTPS protocol is more sensitive to delays compared to a fast, connectionless protocol like UDP. Also, the default FortiGuard setting is to use anycast, and I've found that with anycast enabled, these errors seem to happen more often.

In my experience, if you're seeing a lot of "a rating error occurs" messages in the logs, use the UDP protocol and disable anycast for your FortiGuard settings. This is all covered by this Fortinet Tech Tip:

Technical Tip: FortiGuard is not reachable via Any... - Fortinet Community

You're trading off security (encrypted HTTPS) vs. reliability (unencrypted UDP), but then again, if you have "allow websites when a rating error occurs" enabled, lack of reliability is a security issue. If you find that disabling anycast and/or enabling UDP resolves the ratings errors, ideally you would set "allow websites when a rating error occurs" back to disabled.

Russ
FCSS Network Security
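The settings discussed in the accepted answer (the "Allow websites when a rating error occurs" checkbox) and in this last reply (UDP lookups, anycast off, then turning the fail-open option back off) in FortiOS CLI form, as an added example that is not from the thread, from Fortinet's documentation or from the KB article linked above. It assumes a web filter profile named "default", 6.4-style `config system fortiguard` syntax (the anycast keyword may not exist on 6.0.x), and UDP port 53 rather than 8888.

```fortios
# Added example (not from the thread). Assumptions: profile name "default",
# FortiOS 6.4-style fortiguard keywords, UDP port 53.

# 1. The GUI checkbox "Allow websites when a rating error occurs" is the
#    error-allow flag on the FortiGuard category filter of a web filter
#    profile. With it set, a URL that is not in the local rating cache is
#    allowed when the FortiGuard lookup fails (fail-open).
config webfilter profile
    edit "default"
        config ftgd-wf
            set options error-allow
        end
    next
end

# 2. The fallback from the last reply: rating lookups over UDP with anycast
#    disabled. Anycast requires HTTPS/443, so it must be turned off before
#    the protocol can be changed. Port 8888 is the other UDP choice.
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
end

# 3. Once the rating errors stop, take error-allow back off so an unrated
#    URL is blocked (fail-closed) instead of allowed. "options" is a flag
#    list, so clearing it removes error-allow; re-add any other flags
#    (for example rate-server-ip) that were set alongside it.
config webfilter profile
    edit "default"
        config ftgd-wf
            unset options
        end
    next
end
```

After changing the protocol, `diagnose debug rating` (the `diag debug rating` Russ refers to) lists the rating servers the unit currently knows about, so the UDP and HTTPS server counts can be compared before deciding whether step 3 is safe.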
