| Description |
This article describes the website getting blocked and Initial troubleshooting. |
| Scope |
FortiOS 6.0, 6.2, 6.4 ,7.0, 7.2 versions. |
| Solution |
In the following example, the website is getting blocked, steps to check:
Make sure the DNS resolution of the website is correct, check using the command below.
If DNS resolution is correct, run the following command to make sure, the traffic is hitting the correct policy:
Debug commands:
If the website is not accessible, check the debugs below:
# diagnose debug disable
# diagnose debug resset
# diagnose debug flow filter clear
# diagnose deb flow filter addr <source-IP> <destination-IP> --> IP address of the website that is not reachable
# diagnose debug flow filter port XXX -->xxx is port number which is testing e.g., HTTPS is 443
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
Check if the correct next hop taken, NAT is done properly, also check the policy being used is the correct one.
Make sure to check the policy which should be hitting for Source, Destination and Services.
If there is a specific service, try to change it to all and test.
To disable the debug: diagnose debug disable
Also, keep in mind policy is checked in the top to bottom format.
Check webfilter logs, SSL logs, Forward Traffic logs too.
Scenario 1:
Check if the SSL inspection is enabled:
Explanation: While using Certificate Inspection if web page is blocked, a certificate warning can be seen, that says 'page can not be trusted', and FortiGate will send a block page to the client with a self-signed certificate causing the browser not to trust it.
This is expected. To avoid certificate errors follow the below document:
Scenario 2:
If enabling web filtering is blocking the website, try to check the logs from web filter, it will show which category is blocking it.
Add exempt for the website which is getting blocked.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/615462/url-filter
Scenario 3:
Application like League of legends getting blocked by the firewall.
If Application Control is blocking it, add an exemption for it too just like in the webfilter.
Security Profiles -> Application Control -> Application and Filter Overrides -> Create New.
Use Add selected.
Apply changes to the Application Control profile.
Make sure gaming is allowed in other security profiles too.
Check if the game is accessible now.
For in-depth debugging:
# diagnose wad user list --> list of authenticated users, IP
# diagnose wad session list --> This will list all the sessions
# diagnose debug enable --> Need to enable to see output
# diagnose test application wad 1000 --> To list all the wad processes
# diagnose test application wad 155 --> to check total shared user count.
# diagnose wad filter clear --> To clear the filter
Review the below document:
If still not able to access the website/Application, create a ticket with TAC. |
