FortiGate
gmanea
Staff
Article Id 193291

Description

This article describes how to resolve the issues with 'web filter block override' and 'invalid FortiGuard filtering override request'.

 

Scope

 

FortiGate.

 

Solution

 

Configure the FortiGate to use local/custom categories and/or FortiGuard categories.
The FortiGate uses certain ports to communicate with FortiGuard to validate/verify each category.
Sometimes, the browser shows a message like this:

 
kb-nov2016.jpg

 

'Web filter block override' / 'invalid FortiGuard filtering override request' is shown because the website uses a port that is configured in the FortiGate for connecting with FortiGuard only for 'web rating override'.

These ports are as follows:

  • Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
  • Port 8010 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
  • Port 8015 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs in flow mode (FortiGuard web filter HTTPS override authentication).
  • Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.


The solution, in these cases, is to either disable these ports or change them.
Configure at least a port not used by the FortiGate (example: change 8008 to 9008, or 8010 to 9010, or 8020 to 8030).

Example to disable the ports:

config webfilter fortiguard
    set close-ports enable
end

 

Example to change the ports. Current settings:

config webfilter fortiguard
    set ovrd-auth-port-http 8008
    set ovrd-auth-port-https 8010
    set ovrd-auth-port-https-flow 8015
    set ovrd-auth-port-warning 8020
end

 

Change to:

config webfilter fortiguard
    set ovrd-auth-port-http 9008
    set ovrd-auth-port-https 9010
    set ovrd-auth-port-https-flow 9015
    set ovrd-auth-port-warning 9020
end
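
The following is an added example, not part of the original article or Fortinet tooling: a small Python check that reads a 'config webfilter fortiguard' block and reports which destination URLs use one of the override authentication ports, so the ports that need changing can be identified. The function names, sample configuration and sample URLs are constructed for illustration, and it assumes, as the article states, that 'set close-ports enable' disables these ports.

```python
import re
from urllib.parse import urlsplit

# Default ports, as listed in the article above.
DEFAULT_PORTS = {
    "ovrd-auth-port-http": 8008,
    "ovrd-auth-port-https": 8010,
    "ovrd-auth-port-https-flow": 8015,
    "ovrd-auth-port-warning": 8020,
}

def parse_fortiguard_block(config_text):
    """Return (ports, close_ports) from a 'config webfilter fortiguard' block."""
    ports, close_ports, inside = dict(DEFAULT_PORTS), False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config webfilter fortiguard":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.fullmatch(r"set (\S+) (\S+)", line)
            if not m:
                continue
            key, value = m.groups()
            if key in ports and value.isdigit():
                ports[key] = int(value)      # explicit setting overrides the default
            elif key == "close-ports":
                close_ports = value == "enable"
    return ports, close_ports

def find_collisions(urls, config_text):
    """List (url, port, setting) for URLs whose port is an override-auth port."""
    ports, close_ports = parse_fortiguard_block(config_text)
    if close_ports:   # assumption from the article: the ports are disabled
        return []
    by_port = {port: key for key, port in ports.items()}
    hits = []
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
        if port in by_port:
            hits.append((url, port, by_port[port]))
    return hits

# Constructed sample data (not from the article).
SAMPLE_CONFIG = "config webfilter fortiguard\n    set ovrd-auth-port-http 9008\nend"
SAMPLE_URLS = ["http://intranet.example:8008/app", "https://portal.example:8010/", "https://www.example.com/"]
```

With the sample configuration, only the HTTP override port has been moved, so the URL on port 8010 is still reported while the one on port 8008 is not.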

 
