FortiGate
jangelis
Staff
Article Id 198606

Description

 

This article explains why the management VDOM needs an Internet connection.
When VDOMs are in use, the administrator of a customer VDOM may find that FortiGate security services (Web Filter, for example) do not behave as expected, even though the VDOM's own traffic flows normally.


The typical VDOM setup (the topology diagram is not reproduced in this text):

 

 
Users on the company network behind VDOM-A have an Internet connection and do not experience any network problems.
 
However, FortiGate does not block the web pages that the Web Filter profile applied in VDOM-A is supposed to block.
 
The Web Filter debug output shows the reason: the FortiGuard rating request gets no answer, and the policy is configured to allow the URL when a rating error occurs.
 
msg="Policy allows URLs when a rating error occurs" user="N/A" src=10.188.3.239 sport=50465 dst=185.60.216.35 dport=80 service="http" hostname="facebook.com" status=passthrough error="all Fortiguard servers failed to respond" url="/"
 
msg="received a request /tmp/.ipsengine_213_0_0.url.socket, addr_len=37: d=facebook.com:443, id=9, cat=255, vfname='VDOM-A', vfid=2, profile='cust-vdom-A-webfilter-profile', type=1, client=10.188.3.239, url_source=3, url="/"
 
msg="Cache miss" user="N/A" src=10.188.3.239 sport=50466 dst=185.60.216.35 dport=443 service="https" hostname="facebook.com" url="/"


Solution

 

The FortiGate itself reaches DNS, FortiGuard and other external servers through the management VDOM (root by default), not through the VDOM whose traffic is being inspected. In the debug above the request comes from VDOM-A (vfname='VDOM-A', vfid=2), but the rating query to FortiGuard is sent from the management VDOM. If the management VDOM has no default route or no working DNS, every rating request fails and the profile falls back to its rating-error behaviour.

Make sure the FortiGate has Internet access from the management VDOM (a default route and reachable DNS servers) so that services such as Web Filtering, antivirus and IPS updates work.
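The following CLI sequence is an added example, not part of the original article or of Fortinet's documentation. It shows how to reproduce the debug output above, how to check whether the management VDOM can reach the FortiGuard rating servers, and how to give it a route and DNS. The VDOM name VDOM-A, the interface wan1, the gateway 203.0.113.1 and the use of root as the management VDOM are assumptions for illustration; the last block (set vdom under config system fortiguard) is the syntax this editor believes the FortiOS 7.2.3 feature uses, so verify it against the Technical Tip linked below before relying on it.

```fortios
# Added example (not from the original article). Names and addresses below
# (VDOM-A, root, wan1, 203.0.113.1) are assumptions; adjust to your setup.

# 1. Reproduce the symptom: the Web Filter debug is taken from the global context.
config global
diagnose debug reset
diagnose debug application urlfilter -1
diagnose debug enable
# browse from a client in VDOM-A to a site the profile should block, then:
diagnose debug disable
# A line such as  error="all Fortiguard servers failed to respond"
# means no rating answer arrived, so the profile's rating-error behaviour
# (here: allow) decides, and the page is not blocked.

# 2. Confirm which VDOM is the management VDOM and the state of the rating servers.
get system global | grep management-vdom
diagnose debug rating
# With no Internet access from the management VDOM every server shows
# no successful responses; a working setup shows RTT values and a server
# list with recent successful lookups.
end

# 3. Test reachability from the management VDOM itself, not from VDOM-A.
config vdom
edit root
execute ping 8.8.8.8
execute ping service.fortiguard.net
get router info routing-table all
next
end

# 4. Fix: give the management VDOM a default route ...
config vdom
edit root
config router static
edit 0
set device "wan1"
set gateway 203.0.113.1
next
end
next
end

# ... and working DNS servers (FortiGuard DNS used here as an example).
config global
config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
end

# 5. Re-check: rating servers should now answer, and updates can be pulled.
diagnose debug rating
execute update-now
end

# Alternative on FortiOS 7.2.3 and later (assumed syntax; verify against the
# linked Technical Tip): let FortiGuard traffic use the VDOM that has Internet
# access instead of the management VDOM.
config global
config system fortiguard
set vdom "VDOM-A"
end
end
```

Two caveats a practitioner will want. First, moving the management VDOM with `config system global / set management-vdom` also moves all other management-plane traffic (logging, NTP, SNMP traps), so adding a route and DNS to the existing management VDOM is usually the smaller change. Second, the fail-open behaviour seen in the debug ("Policy allows URLs when a rating error occurs") is a profile setting, not something the connectivity fix removes; if you would rather fail closed while FortiGuard is unreachable, review the rating-error option of the FortiGuard category filter in the Web Filter profile (`config ftgd-wf` under `config webfilter profile`), keeping in mind that fail-closed blocks all rated traffic during any outage.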

Now the Web Filter debug shows the expected behavior:

 

msg="received a request /tmp/.ipsengine_214_0_0.url.socket, addr_len=37: d=facebook.com:443, id=13, cat=255, vfname='VDOM-A', vfid=2, profile='cust-vdom-A-webfilter-profile', type=1, client=10.188.3.239, url_source=3, url="/"

 

msg="Cache miss" user="N/A" src=10.188.3.239 sport=50505 dst=185.60.216.35 dport=443 service="https" hostname="facebook.com" url="/"
action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=10.188.3.239 sport=50505 dst=185.60.216.35 dport=443 service="https" cat=37 hostname="facebook.com" url="/"

 

FortiOS 7.2.3 and later add a feature that allows FortiGuard services and updates to be sourced from a non-management VDOM, so the management VDOM no longer has to be the one with Internet access:

 

Technical Tip: How to use non management VDOM for Fortiguard services and updates  

 

Related Articles

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products