FortiGate
sdebnath
Staff
Article Id 408716
Description This article explains how to allow access to a legitimate website blocked by category-based filtering by whitelisting both its frontend and backend URLs.
Scope FortiGate.
Solution

When accessing a website, the URL entered in the browser (for example, https://fortinet.com) typically represents only the frontend application.
However, some sites rely on additional backend domains to deliver resources such as data, images, scripts, authentication, or updates. Therefore, if a FortiGate web filter is configured to recognize only the visible frontend domain, it may still block these backend calls, leaving the site partially or completely unusable.

For example, a legitimate site such as https://pkf.greythrpro.com/login appears blocked by a category-based web filter.
Exempting only the visible URL won't work, because the filtering is triggered by the backend domain the site uses, in this case https://prod.greythrpro.com/, as shown in the FortiGate denied traffic logs (see attachment below).

 

Website not accessed.jpg

 
Website Backend URL.jpg

 

Thus, to ensure successful access to this website, administrators should whitelist the related backend/CDN domains, or both the frontend and backend URLs for the best results (see attachment below).

Working now.jpg
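
One way to find the backend hosts to whitelist from exported web filter logs, as an added example that is not part of the original article or Fortinet's tooling: it lists hosts blocked for a client shortly after that client requested the frontend. The log lines are constructed, and the field names (srcip, hostname, action, subtype), the function names and the 30-second window are assumptions about the export.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample in FortiGate key=value web filter log style; IPs, times and
# categories are made up, only the two greythrpro.com hosts come from the article.
SAMPLE_LOG = """\
date=2025-01-15 time=10:02:11 type="utm" subtype="webfilter" srcip=10.0.0.25 hostname="pkf.greythrpro.com" action="passthrough" url="https://pkf.greythrpro.com/login"
date=2025-01-15 time=10:02:12 type="utm" subtype="webfilter" srcip=10.0.0.25 hostname="prod.greythrpro.com" action="blocked" url="https://prod.greythrpro.com/" catdesc="Constructed Category"
date=2025-01-15 time=10:02:13 type="utm" subtype="webfilter" srcip=10.0.0.25 hostname="prod.greythrpro.com" action="blocked" url="https://prod.greythrpro.com/" catdesc="Constructed Category"
date=2025-01-15 time=10:02:13 type="utm" subtype="webfilter" srcip=10.0.0.77 hostname="ads.example.net" action="blocked" url="https://ads.example.net/x" catdesc="Constructed Category"
date=2025-01-15 time=10:45:00 type="utm" subtype="webfilter" srcip=10.0.0.25 hostname="games.example.org" action="blocked" url="https://games.example.org/" catdesc="Constructed Category"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def blocked_backend_hosts(log_text, frontend_url, window_s=30):
    """Hosts blocked for a client within window_s seconds after that client
    requested the frontend host: the candidates to exempt, with hit counts."""
    frontend = urlsplit(frontend_url).hostname
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "webfilter" or "hostname" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["srcip"], f["hostname"].lower(), f.get("action", "")))
    events.sort(key=lambda e: e[0])
    last_frontend = {}  # srcip -> time of that client's latest frontend request
    hits = Counter()
    for ts, src, host, action in events:
        if host == frontend:
            last_frontend[src] = ts
        elif (action == "blocked" and src in last_frontend
                and ts - last_frontend[src] <= timedelta(seconds=window_s)):
            hits[host] += 1
    return hits.most_common()

if __name__ == "__main__":
    for host, n in blocked_backend_hosts(SAMPLE_LOG, "https://pkf.greythrpro.com/login"):
        print(f"{host}\t{n} blocked requests")
```

Blocks from other clients, or from the same client long after the page load, are left out so that unrelated blocked sites are not whitelisted by mistake; review each reported host before exempting it.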

 

Related articles:
Technical Tip: Using a static URL filter feature to allow/block web sites
Technical Tip: Whitelist IP addresses and URLs using firewall policies
