This article describes the website getting blocked and Initial troubleshooting.

FortiOS 6.0, 6.2, 6.4,7.0, 7.2, 7.4 versions.

In the following example, the website is getting blocked. Take the following steps to troubleshoot the issue.

Make sure the DNS resolution of the website is correct by using the command below.

If the DNS resolution is correct, run the following commands to make sure the traffic is hitting the correct policy:

Debug commands:

If the website is not accessible, check the debugs below:

diagnose debug disable

diagnose debug resset

diagnose debug flow filter clear

diagnose deb flow filter addr <source-IP> <destination-IP>  <----- IP address of the website that is not reachable.

diagnose debug flow filter port XXX  <----- xxx is the port number which is testing e.g. HTTPS is 443.

diagnose debug flow show function-name enable

diagnose debug console timestamp enable

diagnose debug flow trace start 999

diagnose debug enable

Check if the correct next hop is taken and NAT is performed properly. Additionally, check the policy being used is the correct one.

Make sure to check the policy which should be hitting for Source, Destination and Services.

If there is a specific service, try to change it to all and test.

To disable the debug:

diagnose debug disable

Additionally, keep in mind that the policy is checked in the top-to-bottom format.

Check the webfilter logs, SSL logs, and Forward Traffic logs too.

Scenario 1: 

Check if the SSL inspection is enabled: 

Explanation: While using Certificate Inspection if web page is blocked, a certificate warning can be seen, that says 'page can not be trusted', and FortiGate will send a block page to the client with a self-signed certificate causing the browser not to trust it. 

This is expected. To avoid certificate errors, follow the guidance in Technical Tip: Certificate warning while accessing FortiGate.

Scenario 2: 

If enabling web filtering is blocking the website, try to check the logs from web filter, it will show which category is blocking it. 

Add exempt for the website which is getting blocked. 

URL filter - FortiGate cookbook.

Scenario 3:

Applications like League of Legends are getting blocked by the firewall. 

If Application Control is blocking it, add an exemption for it, just like in the webfilter. 

Security Profiles -> Application Control -> Application and Filter Overrides -> Create New.

Use Add selected. 

Apply changes to the Application Control profile.

Make sure gaming is allowed in other security profiles too. 

Check if the game is accessible now. 

For in-depth debugging,  enable WAD logs as described below. 

diagnose debug console timestamp enable
diagnose wad debug enable category ssl
diagnose wad debug enable level verbose
diagnose wad debug display pid enable
diagnose wad filter src 192.168.1.1 <----- Source IP of the client.
diagnose wad filter dst 8.8.8.8     <----- Destination IP (not mandatory , when it is applicable). 

To check WAD debug status:

diagnose wad debug show
Category: ssl
Level: verbose
Save debug on crash: disabled
Display: pid enabled

To check WAD debug filters:
diagnose wad filter list
drop unknown sessions: disabled
source ip: 1.1.1.1-1.1.1.1
dest ip: 8.8.8.8-8.8.8.8

Enable debugging with:

diagnose debug enable

To list the sessions for this filter:

diagnose wad session list 

To stop debugging:

diagnose debug dis
diagnose debug reset
diagnose wad debug filter clear

Review Technical Tip: WAD troubleshooting commands.

If it is still not possible to access the website/application, create a ticket with TAC.