FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
ctanev1
Staff
Staff
Article Id 192883
Description
FortiClient Web Filter and Block Malicious Websites options require connection to FortiGuard servers to check URL rating. FortiClient connects to FortiGuard using port 8888 TCP/UDP.
In some situations access to FortiGuard will be blocked - for example, when using WiFi HotSpots, where Internet connection will not be available until accepting disclaimer on HotSpot web page.
This article describes how to
configure FortiClient to allow web traffic when FortiGuard is unreachable.
Scope


Solution
By default, FortiClient now blocks all web traffic when FortiGuard is unreachable:


See FortiClient 6.0.1 (Windows) Release Notes - What’s New in FortiClient (Windows) 6.0.1 section.

It is possible to configure FortiClient to allow web traffic when FortiGuard is unreachable using XML configuration:
<forticlient_configuration>
    <webfilter>
        <profiles>
            <profile>
                <categories>
                    <fortiguard>
                        <action_when_unavailable>allow</action_when_unavailable>
Here are the configurable actions in case of an unavailable FortiGuard:

allow
Allow full, unfiltered access to all websites
deny
Deny access to any website
warn
Display in-browser warning to user, with an option to proceed to the website
monitor
Monitor site access

see FortiClient XML Reference - XML Configuration File > Web Filter section.

From FortiClient EMS 6.0.3 this option is available in GUI.

Endpoint Profile>Web Filter>Site Category >Rate IP Address>Allow or Deny when rating error occur.

ctanev_[object Window]_FGFC.png


Contributors