
3 replies

kaman
Staff
August 10, 2025

Hi Alex_Aleks,

Kindly confirm whether the HTTP URL http://digitaltwin-datadev-ds1.com/ is publicly accessible over the internet or hosted internally.

You can create a basic firewall policy without attaching any security profiles and set SSL inspection to 'no-inspection'. In this configuration, the firewall will simply allow traffic to pass through. After applying this policy, check if you're able to access the URL.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practices-for-firewall-policy-configuration/ta-p/193255

Please confirm whether the URL resolves to the IP address 138.199.132.66.


If the issue still persists, collect the sniffer packet and debug logs and attach them.

CLI1:

diagnose sniffer packet any "host y.y.y.y and port 80" 6 0 l

(where y.y.y.y is the destination IP address)


CLI2:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter addr <destination-IP>
diagnose debug flow filter dport 80
diagnose debug flow trace start 1000
diagnose debug flow show function-name enable
diagnose debug enable


Regards!

sjoshi
Staff
August 10, 2025

Hi @Alex_Aleks,

You can exempt the URL in the webfilter by using a static URL.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-static-URL-filter-feature-to-allow-block/ta-p/193086

Another way is to create a policy and keep it on top, create an FQDN address, and put the URL address as the destination address.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/217973/using-wildcard-fqdn-addresses-in-firewall-policies

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
funkylicious
SuperUser
August 10, 2025
"jack of all trades, master of none"
Toshi_Esumi
SuperUser
August 10, 2025

First of all, this URL is categorized as "Newly Observed Domain" at FortiGuard webfilter lookup.
https://www.fortiguard.com/webfilter

Do you happen to use Web category filters? If so, try allowing (exempt) "Unrated" category.

Toshi