FortiGate
Hassan97wsh
Staff
Article Id 324227
Description

This article explains a special case in which a FortiGate blocks its own access to the FortiGuard servers because of its own DNS filter profile.


Issue 01.png
Issue 02.png

Scope

FortiGate is configured with a DNS filter and an internal DNS server.


Diagram.png

Solution

When the FortiGate loses internet access (reboot, power failure, ISP outage), it also loses its connection to FortiGuard, and the web and DNS filters that depend on FortiGuard ratings stop working. To reconnect, the FortiGate sends a DNS query to its configured DNS server, here the internal DNS server, to resolve the FortiGuard server names.


The internal DNS server forwards that query to a public DNS server through the FortiGate, where it matches the firewall policy carrying the DNS filter profile. Because FortiGuard is unreachable, the DNS filter cannot rate the domain, treats the query as blocked, and answers with the address of the FortiGuard SDNS block page instead of the real FortiGuard server. The FortiGate then connects to the block page, certificate verification fails (see the debug output below), and it never reconnects. In short, the DNS filter causes the FortiGuard connectivity issue, and the missing FortiGuard connectivity keeps the DNS filter blocking.


To prevent this, add a static domain filter entry for the wildcard domain '*.fortinet.net' with action 'allow' to the DNS filter profile. Static domain filter entries are evaluated before the FortiGuard category lookup, so FortiGuard domains are exempted even while FortiGuard is unreachable.

Steps:

  1. Find the firewall policy that allows the internal DNS server to reach the public DNS server, and note the DNS filter profile applied to that policy:


Step 1 - Find the DNS filter profile.png

  2. In that DNS filter profile, configure the static domain filter entry below to whitelist the wildcard domain '*.fortinet.net' (action: allow).


Step 2 - Edit 1-2.png
Step 2 - Edit 3-6.png
Before and after:

 

Before and After.png
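The same two steps as CLI, as an added example that is not part of the original article. The table name "FortiGuard-allow", the table ID 1, the profile name "default", and the policy ID 10 are assumptions; substitute the profile and policy found in step 1. The debug commands at the end reproduce the update daemon trace shown further down so that the fix can be verified.

```fortios
# Added example, not the article's own configuration.
# Assumed names: domain-filter table ID 1 "FortiGuard-allow",
# DNS filter profile "default", firewall policy ID 10 (the policy
# from step 1 that lets the internal DNS server reach the public DNS server).

# Step 1: confirm which DNS filter profile the policy actually uses.
show firewall policy 10 | grep dnsfilter-profile

# Step 2a: static domain filter table exempting FortiGuard domains.
config dnsfilter domain-filter
    edit 1
        set name "FortiGuard-allow"
        config entries
            edit 1
                set domain "*.fortinet.net"
                set type wildcard
                set action allow
                set status enable
            next
        end
    next
end

# Step 2b: attach the table to the DNS filter profile used by that policy.
config dnsfilter profile
    edit "default"
        config domain-filter
            set domain-filter-table 1
        end
    next
end

# Verify: trace the update daemon while forcing a FortiGuard update.
# While still blocked, the trace shows a certificate with subject
# "Fortiguard SDNS Blocked Page"; after the fix, the handshake completes.
diagnose debug reset
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
```

Two practitioner checks. First, look at the hostname the update daemon resolves in the trace; if it is not under fortinet.net, add a second wildcard entry for that domain to the same table, otherwise the exemption does not help. Second, the profile option 'error-allow' (config dnsfilter profile, config ftgd-dns, set options error-allow) makes the filter allow every query when FortiGuard rating fails; it also breaks the deadlock, but it disables category filtering for all clients during the outage, whereas the static entry above only exempts FortiGuard's own domains.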

 

Update daemon debug output while the FortiGuard connection is blocked by the DNS filter. The certificate presented is the FortiGuard SDNS block page, not a FortiGuard server, so verification fails:

[707] __ssl_info_callback: SSLv3/TLS write client hello
[707] __ssl_info_callback: SSLv3/TLS write client hello
[707] __ssl_info_callback: SSLv3/TLS read server hello
[707] __ssl_info_callback: TLSv1.3 read encrypted extensions
[361] __ssl_crl_verify_cb: Cert error 18, self signed certificate. Depth 0
__upd_peer_vfy[329]-Server certificate failed verification. Error: 18 (self signed certificate), depth: 0, subject: /O=Fortinet/CN=Fortiguard SDNS Blocked Page.
[1060] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.