FortiOS 6.2: IPS Engine Update affects behaviour of Web Filter Overrides

Are you running FortiOS 6.2.x and your Web Filter Overrides suddenly stopped working? Then read ahead.

If you’re just looking for the solution, here’s the summary: The latest IPS Engine Update changes the way your Web Filter Overrides are applied. Put simply, an “Allow” no longer results in an “Allow”, and you’ll have to change the Action for your Local Categories to “Monitor” if you still want them applied and allowed in your Web Filter Profile.

Only the Local Categories are affected: If you’re running FortiOS 6.2.x, change them to Monitor if you’d like to apply and allow them.

Here’s the background:

In November, Fortinet announced an IPS Engine Update in the Customer Support Bulletin CSB-201111-1:

A new IPS engine version 5.229 will be released from the FortiGuard Distribution Network in a phased approach starting on November 17th. It will be released to FortiGate devices with a valid IPS subscription running FortiOS versions 6.2.4 to 6.2.6.

Surprisingly, a big change isn’t mentioned in this CSB, but the release notes of FortiOS 6.4.2 give you the details:

In 6.4.2, the host will be rated as the configured local rating only when that category is explicitly configured in a web filter profile.

In 6.2.1-6.2.4 and 6.4.0-6.4.1, currently the local/remote rating is still at the global or VDOM level. After the next IPS engine public release, the behavior will be changed to be the same as 6.2.5/6.4.2.

Now comes the misleading part: While the FortiOS 6.2 GUI shows you an Allow action, the references the new IPS Engine requires are missing from the web filter profile. It only becomes obvious if you compare the CLI and GUI configuration of FortiOS 6.2 and 6.4 side by side (watch how custom2 changes):

No Web Filter Override

config webfilter profile
  edit "custom"
    config ftgd-wf
      unset options
      end
  next
end
= Allow in FOS 6.2
= Disable in FOS 6.4

Web Filter Override with Logging

config webfilter profile
  edit "custom"
    config ftgd-wf
      unset options
      config filters
        edit 141
          set category 141
        next
      end
    end
  next
end
= Monitor in FOS 6.2
= Monitor in FOS 6.4

Web Filter Override without Logging

config webfilter profile
  edit "custom"
    config ftgd-wf
      unset options
      config filters
        edit 141
          set category 141
          set log disable
        next
      end
    end
  next
end
= Monitor in FOS 6.2
= Allow in FOS 6.4

There’s only one explanation for this odd situation: The GUI of FortiOS 6.2 isn’t ready for the latest IPS Engine.
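To check a box for this before the engine update lands, here is an added example (not code from the original post or from Fortinet) that parses `show webfilter profile` output of the shape shown above and reports which action the new engine behaviour applies per profile and local category. The config text and the category numbers 141/142 are constructed placeholders; the mapping (no filter entry = Disable, entry with logging = Monitor, entry with log disabled = Allow) is the one the comparison above documents.

```python
import re

# Constructed sample output of "show webfilter profile" (not from a real appliance):
# "custom" has no filter entry for the local category, "custom-logging" has two.
SAMPLE_CONFIG = """\
config webfilter profile
  edit "custom"
    config ftgd-wf
      unset options
    end
  next
  edit "custom-logging"
    config ftgd-wf
      unset options
      config filters
        edit 141
          set category 141
        next
        edit 142
          set category 142
          set log disable
        next
      end
    end
  next
end
"""

def parse_profiles(text):
    """Return {profile_name: {category_id: log_enabled}} for every profile in the output."""
    profiles, name, cat, in_filters = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "(.+)"$', line):      # profile names are quoted, filter ids are not
            name = m.group(1)
            profiles[name] = {}
        elif line == "config filters":
            in_filters = True
        elif in_filters and (m := re.match(r"set category (\d+)$", line)):
            cat = int(m.group(1))
            profiles[name][cat] = True                 # logging is on unless "set log disable" follows
        elif in_filters and line == "set log disable":
            profiles[name][cat] = False
        elif in_filters and line == "end":             # closes "config filters"
            in_filters = False
    return profiles

def effective_action(profile, category):
    """Action the new IPS engine (6.2.5/6.4.2 behaviour) applies to a local category."""
    if category not in profile:
        return "disable"                               # 6.2 GUI still shows Allow, override is not applied
    return "monitor" if profile[category] else "allow"

def audit(text, local_categories):
    """(profile, category) pairs whose override silently stops working after the update."""
    return [(p, c) for p, cats in parse_profiles(text).items()
            for c in local_categories if effective_action(cats, c) == "disable"]
```

Run `audit(config_text, [ids of your local categories])` against the output of your own appliance; every pair it returns needs an explicit filter entry (Monitor) in that profile.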
