FortiGate
anoushiravan
Staff
Article Id 424667
Description

This article describes how to check the domains and IP addresses used by a specific website.

Scope

FortiGate, FortiProxy.
Solution

Sometimes a specific website is accessible when the firewall address 'all' (0.0.0.0/0) is used as the destination address in the firewall policy, but the same website is not accessible when an FQDN firewall address is used on the policy instead. This means either that the FQDN address on FortiGate has not resolved to all of the destination IP addresses required to permit the traffic, or that not all of the required FQDN firewall addresses have been added to the firewall policy. In both cases, the HTTP/HTTPS requests coming from the client side are dropped.


Follow the steps below to find out the exact domains and IP addresses used by a specific website:

  • Contact the website owner to get a list of the domains used by the website in question. If contact is not possible for any reason, follow the steps below to list the exact domains used by the website.
  • Make sure logging is enabled on the firewall policy:

config firewall policy
    edit <policy ID>
        set logtraffic all
        set logtraffic-start enable
    next
end


config firewall proxy-policy
    edit <policy ID>
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set extended-log enable
    next
end

 

  • Close all browsers on the user's PC.
  • Flush the DNS database on the client PC via the command line:

ipconfig /flushdns

 

  • Run the following sniffer on FortiGate to collect all DNS requests coming from the client side:

diagnose sniffer packet any "host <client IP address> and port 53" 6 0 l

 

Alternatively, the pcap file can be collected via the FortiGate GUI. Go to Network -> Diagnostics, select 'New packet capture', choose the incoming (client-facing) interface as the local interface, set 'Maximum captured packets' to 100 or higher, and enter port 53 and the client IP address in the filter section. Proper administrative privileges are required to access and start captures under Network -> Diagnostics -> Packet capture.

The following article describes the step-by-step process for collecting a packet capture from the GUI, and the options and filters that can be applied while collecting it:

 

Troubleshooting Tip: Packet Capture on FortiOS GUI
  • Open Wireshark on the user's PC and apply the display filter udp.port==53 to see only DNS traffic.
  • Open a second Wireshark instance on the user's PC and apply the display filter tcp.port==80 || tcp.port==443 to see only HTTP/HTTPS traffic.
  • Run the following commands on FortiGate to list the IP addresses resolved for the FQDN firewall addresses and the IPs resolved for the client's DNS requests:


diagnose test application dnsproxy 6
diagnose test application dnsproxy 7
diagnose test application dnsproxy 13

 

  • Open only the website in question on the user's PC.
  • Finally, take the following actions:
  1. Check the destination IP addresses in the second Wireshark capture and compare them with the resolved IPs of the FQDN addresses enabled on the firewall policy.
  2. List all of the DNS requests in the first Wireshark capture and compare them one by one with the FQDN addresses enabled in the firewall policy.
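As an added example (not part of the Fortinet article), the two comparisons in the final step can be automated once the DNS answers and TCP destinations have been exported from the two Wireshark captures and the FQDN resolutions copied from the dnsproxy output. It also flags a third case the article implies: a domain that is covered by an FQDN address but resolved by the client to an IP FortiGate has not cached. The domain names, IPs and the wildcard-matching rule are constructed assumptions.

```python
import ipaddress

# Constructed sample (hypothetical names and IPs): FQDN firewall addresses enabled on
# the policy and the IPs FortiGate has resolved for them ('diagnose test application dnsproxy').
POLICY_FQDN_ADDRESSES = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "*.cdn.example.net": ["198.51.100.5"],
}

# Constructed DNS answers seen in the first Wireshark capture (udp.port==53).
CLIENT_DNS_ANSWERS = [
    ("www.example.com", "203.0.113.10"),
    ("static.cdn.example.net", "198.51.100.5"),
    ("api.example.org", "192.0.2.77"),
    ("www.example.com", "203.0.113.12"),
]

# Constructed TCP destinations seen in the second capture (tcp.port==80 || 443).
CLIENT_TCP_DESTINATIONS = ["203.0.113.10", "198.51.100.5", "192.0.2.77", "203.0.113.12"]


def fqdn_matches(name, pattern):
    """Assumed wildcard rule: '*.example.net' matches any name under example.net."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])  # keep the leading dot so 'xcdn...' is excluded
    return name == pattern


def uncovered_domains(dns_answers, policy):
    """Step 2: names the client queried that no enabled FQDN address covers."""
    return sorted({n for n, _ in dns_answers
                   if not any(fqdn_matches(n, p) for p in policy)})


def uncovered_destinations(tcp_destinations, policy):
    """Step 1: TCP destination IPs absent from every FQDN address's resolved set."""
    resolved = {ipaddress.ip_address(ip) for ips in policy.values() for ip in ips}
    missing = {ip for ip in tcp_destinations if ipaddress.ip_address(ip) not in resolved}
    return sorted(missing, key=ipaddress.ip_address)


def stale_resolutions(dns_answers, policy):
    """Names an FQDN address covers, but resolved by the client to an IP FortiGate
    has not cached for that address: the FQDN object needs re-resolution."""
    return [(name, ip) for name, ip in dns_answers
            for pattern, ips in policy.items()
            if fqdn_matches(name, pattern) and ip not in ips]


if __name__ == "__main__":
    print("Domains not covered:", uncovered_domains(CLIENT_DNS_ANSWERS, POLICY_FQDN_ADDRESSES))
    print("Destination IPs not covered:", uncovered_destinations(CLIENT_TCP_DESTINATIONS, POLICY_FQDN_ADDRESSES))
    print("Resolutions missing on FortiGate:", stale_resolutions(CLIENT_DNS_ANSWERS, POLICY_FQDN_ADDRESSES))
```

Any domain or destination IP reported as not covered needs a matching FQDN address added to the policy; a stale resolution means the existing FQDN object simply has not learned that IP yet.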