FortiGate
jangelis, Staff
Description
This article explains why the management VDOM must have an Internet connection.
When VDOMs are used, VDOM administrators might find that the FortiGate is not working as expected even though user traffic itself flows normally: the services the FortiGate relies on (FortiGuard, DNS) are reached through a different VDOM than the one carrying the traffic.


The typical VDOM setup:

Users in the company network (VDOM-A in the output below) have an Internet connection and do not experience any network problems.
However, the FortiGate does not block web pages through the Web Filter.

The Web Filter debug output shows the reason: no FortiGuard rating server can be reached, and because the profile allows URLs when a rating error occurs, every request is passed through unfiltered (the filter fails open):

msg="Policy allows URLs when a rating error occurs" user="N/A" src=10.188.3.239 sport=50465 dst=185.60.216.35 dport=80 service="http" hostname="facebook.com" status=passthrough error="all Fortiguard servers failed to respond" url="/"
msg="received a request /tmp/.ipsengine_213_0_0.url.socket, addr_len=37: d=facebook.com:443, id=9, cat=255, vfname='VDOM-A', vfid=2, profile='cust-vdom-A-webfilter-profile', type=1, client=10.188.3.239, url_source=3, url="/"
msg="Cache miss" user="N/A" src=10.188.3.239 sport=50466 dst=185.60.216.35 dport=443 service="https" hostname="facebook.com" url="/"

Solution
By default the FortiGate reaches DNS, FortiGuard and other system services through the management VDOM (root, unless changed under config system global), not through the VDOM that carries the user traffic. In the setup above VDOM-A has a working route to the Internet, but the management VDOM does not, so the rating queries never get an answer.

Make sure the management VDOM has Internet access (an interface with an upstream path, a default route and reachable DNS servers) so that services such as Web Filtering work. To verify, test connectivity from the management VDOM with execute ping against a public host name (this also exercises DNS), and from the global context run diagnose debug rating to confirm that FortiGuard rating servers are being reached.

Note that whether a rating error results in pass-through or a block is controlled by the error-allow option in the profile's FortiGuard web filter settings (config ftgd-wf). With that option set, any period during which FortiGuard is unreachable is a period during which the profile enforces nothing, so the passthrough messages above are worth alerting on rather than treating as noise.

Once the management VDOM can reach FortiGuard, the Web Filter debug shows the expected behaviour: the lookup returns a category (cat=37) and the request is blocked:
msg="received a request /tmp/.ipsengine_214_0_0.url.socket, addr_len=37: d=facebook.com:443, id=13, cat=255, vfname='VDOM-A', vfid=2, profile='cust-vdom-A-webfilter-profile', type=1, client=10.188.3.239, url_source=3, url="/"
msg="Cache miss" user="N/A" src=10.188.3.239 sport=50505 dst=185.60.216.35 dport=443 service="https" hostname="facebook.com" url="/"
action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=10.188.3.239 sport=50505 dst=185.60.216.35 dport=443 service="https" cat=37 hostname="facebook.com" url="/"
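The two debug excerpts above are exactly what a detection rule for this failure mode has to tell apart. The following added example (not Fortinet code and not part of the original article) parses the key=value debug lines, classifies each one, and flags the fail-open case so that an operator is warned while the filter is silently passing everything. The sample lines are constructed from the debug output quoted in this article; the class names (fail-open, blocked, lookup, other) are the example's own.

```python
"""Detect fail-open Web Filter events in FortiGate web filter debug output.

Added example, not Fortinet code. Each input line is one debug message of the
form key=value key="quoted value" ...; the samples below are constructed from
the output quoted in the article.
"""
import re
from collections import Counter

# key=value pairs; values are either a double-quoted string or a bare token
# such as 10.188.3.239, passthrough or 3(BLOCK).
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample: the debug output before the management VDOM had Internet access.
SAMPLE_BEFORE = """\
msg="Policy allows URLs when a rating error occurs" user="N/A" src=10.188.3.239 sport=50465 dst=185.60.216.35 dport=80 service="http" hostname="facebook.com" status=passthrough error="all Fortiguard servers failed to respond" url="/"
msg="received a request /tmp/.ipsengine_213_0_0.url.socket, addr_len=37: d=facebook.com:443, id=9, cat=255, vfname='VDOM-A', vfid=2, profile='cust-vdom-A-webfilter-profile', type=1, client=10.188.3.239, url_source=3, url="/"
msg="Cache miss" user="N/A" src=10.188.3.239 sport=50466 dst=185.60.216.35 dport=443 service="https" hostname="facebook.com" url="/"
""".splitlines()

# Constructed sample: the debug output after the fix.
SAMPLE_AFTER = """\
msg="received a request /tmp/.ipsengine_214_0_0.url.socket, addr_len=37: d=facebook.com:443, id=13, cat=255, vfname='VDOM-A', vfid=2, profile='cust-vdom-A-webfilter-profile', type=1, client=10.188.3.239, url_source=3, url="/"
msg="Cache miss" user="N/A" src=10.188.3.239 sport=50505 dst=185.60.216.35 dport=443 service="https" hostname="facebook.com" url="/"
action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=10.188.3.239 sport=50505 dst=185.60.216.35 dport=443 service="https" cat=37 hostname="facebook.com" url="/"
""".splitlines()


def parse_kv(line: str) -> dict:
    """Return the key=value pairs of one debug line with surrounding quotes stripped.

    The 'received a request' lines embed their fields inside the quoted msg
    value, so for those only msg is returned; that is fine, because the
    verdict lines carry the fields we need at top level.
    """
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line: str) -> str:
    """Classify a line as fail-open, blocked, lookup or other.

    fail-open: the request was passed through because rating failed, i.e. the
    profile's error-allow behaviour is hiding a FortiGuard outage.
    """
    d = parse_kv(line)
    if d.get("status") == "passthrough" and "error" in d:
        return "fail-open"
    if "BLOCK" in d.get("wf-act", ""):
        return "blocked"
    if d.get("msg", "").startswith("Cache miss"):
        return "lookup"
    return "other"


def fail_open_events(lines):
    """Return (src, hostname, error) for every request passed through on a rating error."""
    events = []
    for line in lines:
        if classify(line) == "fail-open":
            d = parse_kv(line)
            events.append((d.get("src"), d.get("hostname"), d.get("error")))
    return events


def fortiguard_unreachable(lines) -> bool:
    """True if any pass-through was caused by FortiGuard being unreachable (the article's symptom)."""
    return any("fortiguard servers failed" in (err or "").lower()
               for _, _, err in fail_open_events(lines))


def summarize(lines) -> dict:
    """Count lines per class; a non-zero fail-open count means policy is not being enforced."""
    return dict(Counter(classify(line) for line in lines))


if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(label, summarize(sample))
        if fortiguard_unreachable(sample):
            print("  ALERT: Web Filter passing traffic unfiltered, FortiGuard unreachable:")
            for src, host, err in fail_open_events(sample):
                print(f"    {src} -> {host}: {err}")
```

Run against the "before" sample the script reports one fail-open event for 10.188.3.239 to facebook.com with the error all Fortiguard servers failed to respond; against the "after" sample it reports one blocked request and no alert. Feeding it the same debug output from a live unit gives a quick answer to "is the filter actually enforcing right now?", which the absence of block messages alone does not.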


Related Articles

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
