He ran diagnose debug flow on the firewall. The logs showed the traffic hitting the correct policy. It matched the URL. It applied the webfilter profile. Then, the magic:
Carla’s video started playing.
He cleared his browser cache. Nothing. He tried a different PC. Blocked. He even set the override to “Allow” for the entire domain. Still, the FortiGate returned a cheerful yellow block page: Category: Adult / Sex Education. fortigate web rating override not working
Not a category block. An error .
He logged in. There it was: . The URL was listed with a big green checkmark – “Allow.” The static filter was above the FortiGuard category list. It should have worked. He ran diagnose debug flow on the firewall
And he set the fallback action to for the HR VLAN. It applied the webfilter profile
He fixed the DNS, forced a FortiGuard update via CLI ( execute update-now ), and watched the debug flow switch to: