This article describes how to troubleshoot an issue where some websites blocked in FortiGate's web filtering configuration are still accessible, detailing common causes and solutions to ensure effective website blocking.
Scope: FortiGate.
Let's take an example where the website https://adjaranets.com is accessible even though it has been blocked on the Webfilter:
Web filter config:
Note:
The static URL is configured to block the website, but it remains accessible. The traffic matches the correct firewall policy and the correct webfilter profile, yet the website is still accessible.
Examining the Wireshark packet capture and the logs showed that this specific web access was being allowed as a Cloudflare URL.
The packet capture shows that the URL 'challenges.cloudflare.com' is present in the SNI of the Client Hello (TLS handshake) when accessing adjaranets.co.
This indicates that the website is leveraging Cloudflare's infrastructure for SSL/TLS termination, causing FortiGate’s static URL filter to evaluate the request based on the resolved SNI rather than the originally intended domain. As a result, the access control policy does not apply to 'adjaranets.co' directly, allowing the connection despite the block rule in place.
The same can also be verified with HAR logs. Refer to the following article to collect HAR logs: Troubleshooting Tip: How to gather a HAR file from Chrome
Blocking the URL 'challenges.cloudflare.com' in the web filter static URL list is required to make the block work.
Web filter config:
Attempting to access the website will result in it being blocked.
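To see why the first static URL entry missed and the second one matched, here is an added Python example (not Fortinet code and not from the original article) that pulls the SNI out of a TLS ClientHello and applies a simplified static URL host match to it. The ClientHello bytes are constructed in the script, and the host-match model is an assumption used only to illustrate the point.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI
    extension (sample input built here for the demo, not a real capture)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    ext_data = struct.pack("!H", len(entry)) + entry                 # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data   # extension_type server_name
    body = (b"\x03\x03" + bytes(32)                                  # version + random (zeroed)
            + b"\x00"                                                # session_id length
            + b"\x00\x02\x13\x01"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Walk a TLS record to the server_name extension and return the host name,
    or None if the record is not a ClientHello carrying SNI."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 43                                                # past record hdr, hs hdr, version, random
    p += 1 + record[p]                                    # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    if p + 2 > len(record):
        return None
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0000 and elen >= 5:                 # list_len(2) + type(1) + name_len(2)
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return None

def static_url_decision(record: bytes, blocklist: set) -> str:
    """Simplified (assumed) model of a static URL filter that only sees the SNI
    of the handshake: exact host match against the configured entries."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "block" if sni in blocklist else "allow"
```

With only adjaranets.com in the list, a handshake whose SNI is challenges.cloudflare.com is allowed; adding that host to the list turns the decision into a block. Since challenges.cloudflare.com is shared by many Cloudflare-fronted sites, review the web filter logs after the change for blocks on other sites that were not intended.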
Related article:
Technical Tip: Deep seek is not blocking using webfilter static URL override
Copyright 2025 Fortinet, Inc. All Rights Reserved.