Skip to main content
DasFX
DasFX
New Member
June 5, 2014
Question

Can' t access to an allowed web

  • June 5, 2014
  • 7 replies
  • 14899 views
I tried Forticare but after they ask Config File I didn' t get any other answer (in a week or more) Here is the thing I need restricted users in my Work to entero to a Banking Page, there is 2 Profiles: Unrestricted people can access to " http://www.bicevida.cl/" and " https://acceso.bicevida.cl/pls/orasso/orasso.wwsso_app_admin.ls_login" . Restricted users also can access to http://www.bicevida.cl/ (Where they Log in) but after they Log it should redirect to a second webpage but it doesn' , it just sit down in a kind of 404 with URL wwww.bicevida.cl https://acceso.bicevida.cl/pls/orasso/orasso.wwsso_app_admin.ls_login and this one Both webpages are withelisted in Fortiguard AND our Firewall (300c)

      7 replies

      Adrian_Buckley_FTNT
      Staff
      Adrian_Buckley_FTNT
      Staff
      June 5, 2014
      The best way to figure out what' s happening is to run a debug while someone access the website diab deb url src-addr (enter the source IP) diag deb app url 255 diag deb en After that go to the URL from that src-addr. The debug output will show all the URLs that the FortiGate is filtering .. what is being allowed and what is being blocked. Maybe there' s a direct or some kind of sub-page being accessed that is getting denied, but the block page isn' t showing up due to the nature of the page that was blocked.
      DasFX
      DasFXAuthor
      New Member
      June 5, 2014
      diab deb url src-addr
      FG300C3913600481 # diab deb url src-addr 192.168.2.238 Unknown action 0
      rwpatterson
      rwpatterson
      New Member
      June 5, 2014
      diag mistype
      DasFX
      DasFXAuthor
      New Member
      June 5, 2014
      I' m sorry for not catching the typo, was so obvious. Connected FG300C3913600481 # diag deb url src-addr 192.168.2.238 FG300C3913600481 # diag deb app url 255 FG300C3913600481 # diag deb en FG300C3913600481 # msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226182, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=app.bicevida.cl:80, id=225960, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /WSEnvioClaveV2/faces/ingreso.jspx?" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=app.bicevida.cl:80, id=225961, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /Login2.0-Autoenrolamiento/faces/Login.jspx?" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226179, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /wp-content/themes/bicevida/login.php" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226180, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /contacto" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226183, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /productos-slide" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=app.bicevida.cl:80, id=225961, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /Login2.0-Autoenrolamiento/servletcaptcha" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226193, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /wp-content/themes/bicevida/library/fonts/glyphicons-halflings-regular.eot?" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226195, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /wp-content/themes/bicevida/library/fonts/glyphicons-halflings-regular.woff" Url matches local rating msg=" received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.bicevida.cl:80, id=226196, vfname=' root' , vfid=0, profile=' strict' , type=0, client=192.168.2.238, url_source=1, url=" /wp-content/themes/bicevida/library/fonts/glyphicons-halflings-regular.ttf" Url matches local rating When I click " Login button" on www.bicevida.cl the log doesn' t show anything extra my logs are only when the webpage load for the first time and there is no problem on the first page, the problem is when I try to log in.
      AtiT
      AtiT
      New Member
      June 11, 2014
      Hi, If you receive some kind of 404 page it means that the page does not exist on the server. It is not a webfitler problem. The webfilter will pass the connection or block it and you will see the webfilter blocking page.
      DasFX
      DasFXAuthor
      New Member
      June 11, 2014
      Isn' t a 404 it just says " Internet Explorer cannot display the Webpage" but in Spanish I Still don' t know what kind of Fortigate filter is acting on this Site. The web EXIST Unrestricted IP' s can access (LOG IN) without problems.
      netmin
      netmin
      New Member
      June 11, 2014
      Just a quick question: do your policies allow the ' restricted' group accessing the site using https protocol (443) ?
      AtiT
      AtiT
      New Member
      June 13, 2014
      Checking the logs should help. If there is nothing in the logs then try to switch off the Security Profiles one by one and see when the webpage is allowed. In this way you can find what profile blocked it.
      DasFX
      DasFXAuthor
      New Member
      June 13, 2014
      They Have access to HTTPS with SSL Inspection.
      DasFX
      DasFXAuthor
      New Member
      June 24, 2014
      I Was getting help from *********@fortinet (But was a basic help) then the case was elevated to ********* no_reply@fortinet but it' s a no_reply E-mail i Can not answer to him So is almost a Joke. Still can' t fix this issue.
      A
      Staff
      Admin_FTNT
      Staff
      June 24, 2014
      We ask that you do not publish the names of engineers nor give Fortinet email addresses in your posts. They have been removed from your message. Regards, Admin
      DasFX
      DasFXAuthor
      New Member
      June 24, 2014
      This corespond to an Oracle " app" that is being blocked when SSL Inspection is ON http://docs.oracle.com/cd/B14099_19/win.1012/relnotes.1012/relnotes/sso.htm
      Terms & ConditionsAccessibility statement