Enable Full SSL Inspection on your firewall policies. Deploy the FortiGate CA certificate to all endpoints. Without this, your web filter is essentially blind. 2. IP-Based vs. Domain-Based Access FortiGuard primarily filters by domain name (URL/category). If a malicious server is hosted on a raw IP address (e.g., http://192.0.2.100/malware.exe ), and that IP is not categorized in FortiGuard’s database, the request may sail through.
A user or attacker can bypass domain reputation checks by using direct IPv4 or IPv6 addresses. They might also edit their local hosts file to map a blocked domain to an allowed IP. fortiguard web filtering bypass
FortiGuard can see the SNI (Server Name Indication) of an HTTPS request, but without full decryption, it cannot scan the URL path or page content. A user can visit https://blocked-category[.]com but if that site uses a valid certificate and you haven’t decrypted the traffic, FortiGate may allow the connection after only checking the domain against a basic blocklist. Enable Full SSL Inspection on your firewall policies