How to fix Web Filter Rating issue when using Proxy Address for URL category

This article specifically focuses on Proxy Address in FortiProxy.

Scope

FortiProxy v7.0.x, v7.2.x and v7.4.x.

Solution

The website https://www.hkcaavq.edu.hk belongs to the category 'Education', but access to it was denied because it was rated as 'Meaningless Content'.

Proxy Address sample configuration:

Run the WAD debug while accessing the URL 'https://www.hkcaavq.edu.hk' to investigate further:

diag wad filter clear
diag wad filter src <x.x.x.x> <----- Client IP address.
diagnose wad debug enable category http
diagnose wad debug enable level info
diag debug en

Note: 'diag debug' is used to stop the WAD debug.

The WAD debug log shows that the effective category is '55': the IP rating is 55, which has a higher weight than the URL rating of 30, so category 55 is chosen.

[I][p:1053][s:1265766649][r:1586] wad_send_url_request_new :1580 (0-Ok): cnt=1 id=1209() url='hkcaavq.edu.hk'[103.11.228.180] from=10.176.2.144 url-src=HTTP cate=255 tasks=Rat
[I][p:1053][s:1265766649][r:1586] wad_url_choose_cate :2138 cate=55 (ftgd) ip-cates=[55,]; url=[ # 30,],ip=[ # 55,]; conf addr_rating_ip '':[96,98,99,68,69,72,75,83,86,93,37,55,57,59,61,63,1,3,4,6,7,8,11,]
[E][p:1053][s:1265766649][r:1586] wad_http_req_proc_policy :10063 POLICY DENIED

Run the CLI command 'get webfilter categories' to list all URL categories:

get webfilter categories
g06 General Interest - Personal:
30 Education
55 Meaningless Content

Note: Only the URL categories relevant to this example are listed here.
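The same check can be scripted over a saved WAD debug capture. The following is an added example, not Fortinet code: it flags requests where the effective category came from the IP rating and not from the URL rating. The field layout is assumed from the debug lines shown above, and the function name and second sample request are hypothetical.

```python
import re

# Names from the 'get webfilter categories' excerpt on this page.
CATEGORY_NAMES = {30: "Education", 55: "Meaningless Content"}

# Field layout assumed from the debug lines shown on this page.
KEY_RE = re.compile(r"\[s:(\d+)\]\[r:(\d+)\]")
REQUEST_RE = re.compile(r"wad_send_url_request_new\b.*?url='([^']+)'")
CHOOSE_RE = re.compile(r"wad_url_choose_cate\s*:\d+\s+cate=(\d+).*?url=\[([^\]]*)\],\s*ip=\[([^\]]*)\]")

def _ids(field):
    """Turn a field such as ' # 30,' into [30]."""
    return [int(n) for n in re.findall(r"\d+", field)]

def find_ip_rating_overrides(lines):
    """Return requests whose effective category came from the IP rating only."""
    hosts, findings = {}, {}
    for line in lines:
        key_m = KEY_RE.search(line)
        key = key_m.groups() if key_m else None  # (session, request) pair
        req = REQUEST_RE.search(line)
        choose = CHOOSE_RE.search(line)
        if req:
            hosts[key] = req.group(1)
        elif choose:
            cate = int(choose.group(1))
            url_cates, ip_cates = _ids(choose.group(2)), _ids(choose.group(3))
            # Override: the chosen category is an IP rating that the URL rating lacks.
            if url_cates and cate in ip_cates and cate not in url_cates:
                findings[key] = {
                    "host": hosts.get(key, "?"),
                    "effective": CATEGORY_NAMES.get(cate, str(cate)),
                    "url_rating": [CATEGORY_NAMES.get(c, str(c)) for c in url_cates],
                    "denied": False,
                }
        elif "POLICY DENIED" in line and key in findings:
            findings[key]["denied"] = True
    return list(findings.values())

# P lines are adapted from the page's debug output (config list trimmed); Q lines are constructed.
P = "[p:1053][s:1265766649][r:1586] "
Q = "[p:1053][s:1265766650][r:1587] "
SAMPLE = [
    "[I]" + P + "wad_send_url_request_new :1580 (0-Ok): cnt=1 id=1209() url='hkcaavq.edu.hk'[103.11.228.180] from=10.176.2.144 url-src=HTTP",
    "[I]" + P + "wad_url_choose_cate :2138 cate=55 (ftgd) ip-cates=[55,]; url=[ # 30,],ip=[ # 55,]; conf addr_rating_ip ''",
    "[E]" + P + "wad_http_req_proc_policy :10063 POLICY DENIED",
    "[I]" + Q + "wad_send_url_request_new :1580 (0-Ok): cnt=1 id=1210() url='school.example'[192.0.2.10] from=10.176.2.144 url-src=HTTP",
    "[I]" + Q + "wad_url_choose_cate :2138 cate=30 (ftgd) ip-cates=[30,]; url=[ # 30,],ip=[ # 30,]; conf addr_rating_ip ''",
]
```

Calling find_ip_rating_overrides(SAMPLE) reports only the hkcaavq.edu.hk request, with its URL rating, the category actually applied, and whether the policy denied it.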

Category '55' is chosen because 'address-ip-rating' in the protocol options is enabled by default.

IP rating is enabled by default for the proxy-address category:

config firewall profile-protocol-options
edit "Default"
config HTTP
set ports 80
set address-ip-rating enabled (Default)
end
next
end

In the Web Filter profile, 'rate-server-ip' is disabled by default.

IP rating is disabled by default in the Web Filter profile:

config webfilter profile
edit "Default"
config ftgd-wf
set options rate-server-ip disabled (Default)

Note: When a Proxy Address is used for the URL category, the Web Filter Profile settings are not used.

Solution Options:

  1. Submit a request to the FortiGuard Web Filter team via https://www.fortiguard.com/faq/wfratingsubmit to recategorize the IP address to the 'Education' category or the correct category.
  2. Disable 'set address-ip-rating' in the protocol options.