FortiGate
ssenthil
Staff
Article Id 227243
Description

This article describes why the browser shows the error ‘Not secure’ or ‘Warning’ when the DNS Filter profile redirects to the ‘Fortinet Secure DNS service Portal’.

 


Scope

FortiGate.
Solution

Sometimes when users try to access a website, the following error can be seen:

'You have tried to access a web page which belongs to a category that is blocked.'

 

If the browser tab has the label 'Fortinet Secure DNS Service Portal', the possible reason behind this could be the FortiGate DNS filter.

 


 

 

To verify whether the domain is blocked by the DNS filter, follow these steps:

  1. From the PC exhibiting this behavior, open a command prompt.
  2. Type nslookup.
  3. Enter the domain name. If the record resolves to the FortiGate DNS block IP 208.91.112.55, the DNS filter with block-action 'redirect' has replaced the DNS response.

 


 

The default block action of a DNS filter profile is redirect. It sends the browser to the Fortinet Secure DNS service portal at IP 208.91.112.55, as shown in the profile settings on the CLI (config dnsfilter profile, edit default, get):

FortiGate-70F (default) # get
name                : default
block-action        : redirect

 

When FortiGuard Category Based Filter categories are set to 'Redirect to Block Portal', the DNS response sent to the client carries this IP address instead of the real one. If the client is accessing the domain in a web browser, the browser connects to this address and is served the block portal page.

 

The browser warning is expected behavior: the certificate presented by the SDNS portal carries the Common Name (CN) 'FortiGuard SDNS Blocked Page', which does not match the blocked domain the user requested, so the browser's host name verification of the certificate fails.

 

For example, when the user tries to access the Python website, which belongs to the FortiGuard category 'Information Technology', and that category is blocked by the DNS filter profile, the browser connects to 208.91.112.55 and receives a certificate whose CN does not match the host name it requested.
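To see the mismatch the browser objects to, here is an added example (not code from the Fortinet article). It repeats the browser's step, a fully verified TLS handshake to 208.91.112.55 with the blocked domain as the SNI name, and returns OpenSSL's verification reason instead of a warning page. `hostname_matches` is a standalone name check written for this example (exact match plus a single leftmost wildcard label); the portal address comes from the article, while the function names and the certificate names fed to the check are constructed for illustration.

```python
"""Why the SDNS block portal triggers a certificate warning.

Added example, not part of the Fortinet article. Only the portal address
208.91.112.55 comes from the article; function names are assumptions.
"""
import socket
import ssl

SDNS_BLOCK_PORTAL = "208.91.112.55"   # FortiGuard SDNS block portal (from the article)


def hostname_matches(host, cert_names):
    """Name check in the spirit of RFC 6125: case-insensitive exact match, or a
    wildcard certificate name whose '*' covers exactly one leftmost label.
    cert_names is the list of CN / subjectAltName DNS names from a certificate."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # "*.python.org" -> ".python.org"
            prefix = host[: -len(suffix)]           # the part '*' has to cover
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
    return False


def probe_portal(blocked_host, ip=SDNS_BLOCK_PORTAL, timeout=5.0):
    """Do what the browser does after the rewritten DNS answer: connect to the
    portal IP, present the blocked domain as SNI and verify the certificate
    against it. Returns 'ok' on a clean handshake, otherwise OpenSSL's
    verification reason (for the portal this is the host name mismatch the
    article describes; an untrusted issuer would produce a different reason).
    Needs network access; not exercised offline."""
    ctx = ssl.create_default_context()              # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=blocked_host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message


if __name__ == "__main__":
    # Constructed certificate names: what the portal presents vs. what the
    # browser asked for. Real names can be read off the browser's certificate viewer.
    print(hostname_matches("www.python.org", ["FortiGuard SDNS Blocked Page"]))  # False
    print(probe_portal("www.python.org"))   # live check, prints OpenSSL's reason
```

Run it with network access to see the exact verification reason the portal produces for a domain of your choice; the offline part shows that a CN such as 'FortiGuard SDNS Blocked Page' cannot satisfy any host name, wildcard or not, so every redirected site warns.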

 

[Image: certificate presented by the FortiGuard SDNS blocked page]

 

If the domain is not expected to be blocked, check the action the DNS filter profile applies to that domain, or check FortiGuard server connectivity with the command diagnose debug rating.

 

More information on how to create static DNS filters to allow the traffic can be seen in the below article:

Technical Tip: Static DNS filter to allow/block DNS queries

 

More information on FortiGuard server connectivity is found at Troubleshooting Tip: Resolving FDS Communication Issues (FortiGuard Distribution Servers).

If presenting these errors or warnings to end users is a concern, consider the other DNS filter block actions, block or block-sevrfail. The downside is that users will not see the 'Web Page Blocked' splash page and may be less clear on why the website could not be reached; the browser tab will show 'Server Not Found':

 

config dnsfilter profile
    edit <DNS profile name>
        set block-action {redirect | block | block-sevrfail}
    next
end

block            Return NXDOMAIN for blocked domains.
redirect         Redirect blocked domains to SDNS portal.
block-sevrfail   Return SERVFAIL for blocked domains.
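As an added example (not part of the Fortinet article), the following Python script reproduces the nslookup check from the verification steps earlier in the article and shows the wire-level answer that each of the three block actions produces. It assumes only the block portal address 208.91.112.55 from the article; the function names, the `fake_response` helper and the sample domain and addresses are constructed for the example. `lookup()` sends a real UDP query to a resolver you name; everything else runs offline.

```python
"""Classify a DNS answer the way the article's nslookup check does.

Added example, not part of the Fortinet article. Only the portal address
208.91.112.55 and the meaning of the three block actions come from the
article; function and variable names are assumptions.
"""
import random
import socket
import struct

SDNS_BLOCK_PORTAL = "208.91.112.55"   # FortiGuard SDNS block portal (from the article)
RCODE_SERVFAIL, RCODE_NXDOMAIN = 2, 3


def build_query(domain, qid=None):
    """Minimal DNS query for an A record over UDP, recursion desired."""
    qid = random.randint(0, 0xFFFF) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records]) for a raw DNS response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(msg):
    """Map a response to the DNS filter block-action that would produce it."""
    rcode, addrs = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "block (NXDOMAIN)"
    if rcode == RCODE_SERVFAIL:
        return "block-sevrfail (SERVFAIL)"
    if SDNS_BLOCK_PORTAL in addrs:
        return "redirect (answer rewritten to SDNS block portal)"
    return "not blocked by DNS filter"


def lookup(domain, server, timeout=3.0):
    """Live equivalent of the article's nslookup step (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)


def fake_response(domain, rcode=0, addrs=()):
    """Constructed sample response (test data, not captured traffic)."""
    query = build_query(domain, qid=0x1234)
    flags = 0x8180 | rcode                                 # QR, RD, RA + rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    body = query[12:]                                      # reuse the question section
    for ip in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + body


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for a real site.
    for sample in (fake_response("www.python.org", addrs=[SDNS_BLOCK_PORTAL]),
                   fake_response("www.python.org", rcode=RCODE_NXDOMAIN),
                   fake_response("www.python.org", rcode=RCODE_SERVFAIL),
                   fake_response("www.python.org", addrs=["192.0.2.10"])):
        print(classify(sample))
```

Point `lookup("www.python.org", "<resolver behind the FortiGate>")` at the resolver the client uses to run the check for real; the constructed responses in the main block show what each block action looks like on the wire, which is what the client's browser or application actually reacts to.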

 

Set block-action to redirect:

config dnsfilter profile
    edit <DNS profile name>
        set block-action redirect   <---
    next
end

 

 


 

Workaround:

If the block portal is still presented although:

  • the DNS filter is not enabled in the firewall policy, and
  • in the logs, the traffic matches the correct policy and is 'Accepted',

change the FortiGuard configuration:

config system fortiguard
    set fortiguard-anycast disable
    set sdns-server-ip 173.143.142.16 208.91.112.220
    set port 8888
end

The web page will then no longer be blocked by the 'Fortinet Secure DNS service Portal'.