FortiGate
rmetzger
Staff
Article Id 195536

Description
This article describes the scenario where the FortiGuard Web Filtering option "Rate URLs by domain and IP address" is enabled.

In this situation, the rating returned by a FortiGuard Distribution Server (FDS) for a particular URL may differ from the rating of the IP address it resolves to. This is very common with virtual hosting, where a single IP address on one physical server hosts multiple services and URLs.

Therefore, if the IP address rating belongs to a blocked category, access to the URL is blocked regardless of the rating of the URL itself.


Summary

  • How to check whether a URL gets two different ratings, one for the IP address and one for the URL
  • How to look up category numbers
  • How to make a live verification of the rating response


How to check whether a URL gets two different ratings, one for the IP address and one for the URL


Use the following command to dump the FortiGuard web filter cache (it only works when the web filter cache is enabled):
FGT# diag test application urlfilter 3

Example of output:

FGT # diagnose test application urlfilter 3
Saving to file [/tmp/urcCache.txt]
Cache Contents:
-=-=-=-=-=-=-=-
Cache Mode:   TTL
Cache DB Ver: 93.4437
Domain |IP       DB Ver T URL
29000000|34000000 93.4437 E http://www.mytestrating.fr/
34000000|34000000 13.28635 E http://www.fortinet.com/


Notes
  • In the above example the domain www.mytestrating.fr is in category 29 (hex), while its IP address is in category 34 (hex).
  • The numbers in the dump are hexadecimal, whereas the FortiGate CLI configuration displays category numbers in decimal. The www.fortinet.com domain is therefore in category hex 34 = decimal 52 (see the category listing below, where 52 = Information Technology).
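The check described above can be automated. The following script is an added example, not code from the article or from Fortinet: it parses a constructed copy of the urlfilter cache dump, converts the hexadecimal ratings to the decimal category numbers used in the CLI, and lists the URLs whose domain and IP ratings disagree. It assumes that only the leading two hex digits of each rating field carry the category, which is how the article reads "29000000" as category 29.

```python
import re

# Constructed sample modelled on the article's cache dump (not a real capture).
SAMPLE_DUMP = """\
Cache DB Ver: 93.4437
Domain |IP       DB Ver T URL
29000000|34000000 93.4437 E http://www.mytestrating.fr/
34000000|34000000 13.28635 E http://www.fortinet.com/
"""

# Decimal category numbers copied from the profile output in this article;
# anything else resolves to "unknown" rather than a guessed name.
CATEGORIES = {
    1: "Drug Abuse", 2: "Occult", 3: "Hacking", 4: "Illegal or Unethical",
    5: "Racism and Hate", 6: "Violence", 57: "Marijuana", 58: "Folklore",
    49: "Business", 50: "Information and Computer Security",
    51: "Government and Legal Organizations", 52: "Information Technology",
    53: "Armed Forces",
}

# One cache line: <domain rating>|<ip rating> <db ver> <type> <url>
LINE_RE = re.compile(r"^([0-9a-f]{8})\|([0-9a-f]{8})\s+(\S+)\s+(\S)\s+(\S+)$", re.I)

def rating_to_category(rating_hex):
    # Assumption: the leading two hex digits carry the category (29 -> 41, 34 -> 52),
    # which is how the article reads "29000000" as category hex 29.
    return int(rating_hex[:2], 16)

def parse_cache_dump(text):
    """Return one dict per cache entry; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            dom_hex, ip_hex, db_ver, _typ, url = m.groups()
            entries.append({"url": url, "db_ver": db_ver,
                            "domain_cat": rating_to_category(dom_hex),
                            "ip_cat": rating_to_category(ip_hex)})
    return entries

def category_name(num):
    return CATEGORIES.get(num, "unknown (not in this article's excerpt)")

def find_split_ratings(entries, blocked):
    """URLs whose domain and IP categories differ; blocked_by_ip is True when the
    IP rating alone denies the URL under "Rate URLs by domain and IP address"."""
    return [{"url": e["url"], "domain_cat": e["domain_cat"], "ip_cat": e["ip_cat"],
             "blocked_by_ip": e["ip_cat"] in blocked and e["domain_cat"] not in blocked}
            for e in entries if e["domain_cat"] != e["ip_cat"]]
```

Feed it the text saved in /tmp/urcCache.txt and the set of decimal category numbers your profile blocks, e.g. find_split_ratings(parse_cache_dump(text), blocked={52}); entries flagged blocked_by_ip are the ones this article's scenario affects.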

How to look up category numbers

The numbers displayed in the Domain and IP columns are the ratings returned by the FortiGuard servers. The corresponding categories can be retrieved as explained in the related article: FortiGuard Web Filtering Category and Classification numbers / FortiGate configuration and troublesh...

Example:
FGT# config firewall profile
FGT# edit TEST
FGT# (TEST) get

ftgd-wf-enable      :
  g01 Potentially Liable:
      1 Drug Abuse
      2 Occult
      3 Hacking
      4 Illegal or Unethical
      5 Racism and Hate
      6 Violence
     57 Marijuana
     58 Folklore
[...]
  g07 Business Oriented:
     49 Business
     50 Information and Computer Security
     51 Government and Legal Organizations
     52 Information Technology
     53 Armed Forces
[...]



How to make a live verification of rating response

Use the following CLI commands to trace the rating requests and responses (to stop the trace, run "diag debug application urlfilter 0"):
FGT# diag debug enable
FGT# diag debug application urlfilter -1
Example of output:
FGT# id=93000 msg="pid=57 urlfilter_main-723 in main.c received pkt:count=91, a=/tmp/.thttp.socket/21" id=22009 msg="received a request /tmp/.thttp.socket, addr_len=21: d= ="www.goodorg.org:80, id=12853, vfid=0, type=0, client=192.168.3.90, url=/" id=99501 user="N/A" src=192.168.3.90 sport=1321 dst=<dest_ip> dport=80 service="http" cat=43 cat_desc="Organisation" hostname="www.goodorg.org" url="/" status=blocked msg="URL belongs to a denied category in policy"


Solution
If the rating of an IP address blocks access to a site whose URL rating is allowed, the solution is to disable "Rate URLs by domain and IP address".

Related Articles

Rate site by URL and IP address

Troubleshooting FortiGuard

FortiGuard Web Filtering Category and Classification numbers / FortiGate configuration and troublesh...

FortiGuard Web Filtering Override Guide ; configuration examples

Contributors