FortiGate
Article Id 193754

Description

In FortiOS 3.0 and 4.0, the warning message "Invalid or missing protection profile id" may be seen when accessing certain web sites.

This article explains how to bypass TCP Port 8010 when using FortiGuard Web Filtering for HTTP/HTTPS if an external website is hosted on the same TCP port and an override message is displayed in a user's browser.

The message is seen only when FortiGuard Web Filtering and overrides are enabled.


Scope

All FortiOS Versions.


Solution

This message is seen when a website uses TCP port 8008. This HTTP port is also the port that FortiOS uses for web filter overrides.

Because this port is also used in internal FortiOS communications, it must be changed from the default to remove the conflict with valid HTTP traffic.

From the FortiGate Command Line Interface for FortiOS 3.0 and FortiOS 4.0:

1. Check the default ports used for FortiGuard web filtering HTTP and HTTPS override authentication. The default values for HTTP and HTTPS are 8008 and 8010, respectively:
FG300B3908606800 (fortiguard) # set ovrd-auth-port-https <integer>
please input integer value
FG300B3908606800 (fortiguard) # get
cache-mode          : ttl
cache-prefix-match  : enable
cache-mem-percent   : 2
ovrd-auth-port-http : 8008
ovrd-auth-port-https: 8010
2. Connect to the CLI, set both override ports to unused values, and confirm the change with get:
# config webfilter fortiguard
(fortiguard) # set ovrd-auth-port-http 58000
(fortiguard) # set ovrd-auth-port-https 58002
(fortiguard) # get
cache-mode          : ttl
cache-prefix-match  : enable
cache-mem-percent   : 2
ovrd-auth-port-http : 58000   <-- now 58000, was 8008
ovrd-auth-port-https: 58002   <-- now 58002, was 8010
ovrd-auth-https     : enable
(fortiguard) # end
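
To verify the change from a saved copy of the get output, the following added example (not Fortinet code) parses the output format shown above and reports override ports that are still at their defaults, duplicate each other, or match a port used by external sites. The function names and the SITE_PORTS list are assumptions constructed for illustration.

```python
import re

# Defaults stated in the article for the two override-authentication ports.
DEFAULTS = {"ovrd-auth-port-http": 8008, "ovrd-auth-port-https": 8010}

# `get` output as shown in the article, before and after the change.
BEFORE = """cache-mode          : ttl
ovrd-auth-port-http : 8008
ovrd-auth-port-https: 8010"""
AFTER = """cache-mode          : ttl
ovrd-auth-port-http : 58000   <-- now 58000, was 8008
ovrd-auth-port-https: 58002   <-- now 58002, was 8010
ovrd-auth-https     : enable"""

# Constructed sample: destination ports users reach on external web sites.
SITE_PORTS = {80, 443, 8008, 8080}

def parse_get_output(text):
    """Parse 'key : value' lines, dropping any '<--' annotation."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(\S+)\s*$", line.split("<--")[0])
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_override_ports(settings, site_ports):
    """Return findings for the override ports (empty list means no conflict)."""
    findings, seen = [], {}
    for key, default in DEFAULTS.items():
        raw = settings.get(key)
        if raw is None or not raw.isdigit() or not 1 <= int(raw) <= 65535:
            findings.append(f"{key}: missing or invalid value {raw!r}")
            continue
        port = int(raw)
        if port == default:
            findings.append(f"{key}: still at default {default}")
        if port in site_ports:
            findings.append(f"{key}: {port} is also used by external sites")
        if port in seen:
            findings.append(f"{key}: {port} duplicates {seen[port]}")
        seen[port] = key
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_override_ports(parse_get_output(text), SITE_PORTS))
```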