Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Enveloc
New Contributor

Some websites blocked, others not - web filtering feature disabled

New user of Fortigate hardware here, so we are just trying to set this thing up right now. Have it attached to a standalone workstation with no web access (because we are going to replace our current gateway/router with this one)

 

As I said, the web filtering feature is disabled on the firewall, but certain websites are being blocked while others are not.

For example: Amazon.com cannot be reached and the error makes no sense to me.

 

We will worry about fine level tuning and blocking later. For now, I need to be able to get to ANY website from any PC on our network. Any suggestions?

15 REPLIES 15
Toshi_Esumi
Esteemed Contributor III

How are you testing web filtering, or no web filtering, with "no web access" you mentioned first?

Enveloc

I have it configured to replace our current gateway/router, but I can only connect it to the network temporarily (replacing the existing one) for testing since it is NOT the gateway yet. When I plug it in, I go to my workstation and test connectivity. Email works, RDP works and many websites open with no issue. However Amazon and Facebook (for example) do not. I can't tell the exact error I get right now because I can't do the swap during the middle of the day.

 

Hopefully after 2pm I can try again and I will get the actual error.

rwpatterson
Valued Contributor III

Enveloc wrote:
...For example: Amazon.com cannot be reached and the error makes no sense to me...

 

For starters, what is the error message?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Enveloc

I get one error in Chrome and a different one in MS Edge. I would post screen shots but apparently that is not supported here, you can only post URLs for pictures from the web.

 

Anyway, Edge says:

 This site is not secure This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

Go to your Start page Details Your PC doesn’t trust this website’s security certificate.

Error Code: DLG_FLAGS_INVALID_CA

Because this site uses HTTP Strict Transport Security, you can’t continue to this site at this time.

 

 

Chrome says: An application is stopping Chrome from safely connecting to this site.

"Fortinet" wasn't installed properly on your computer or the network

 

Try uninstalling or disabling "fortinet"

Try connecting to another network

 

NET::ERR_CERT_AUTHORITY_INVALID

 

Then, under "advanced," it says: "Fortinet" isn't configured correctly. Uninstalling "fortinet" usually fixes the problem.

Applications that can cause this error include Anti-virus, Firewall and web-filtering or proxy software.

 

 

I have not installed ANY software along with this firewall and do not have "Fortinet" installed or otherwise present to my knowledge. And this would make no sense if other websites display with no issues.

 

metz_FTNT

The error means the same - your browser doesn't trust the CA which signed the ssl certificate. The first thing you should check is what is the issuer of the presented certificate. In chrome and all browsers is similar, simply click the padlock in the address bar, look for certificate "issuer". 

If you see Fortinet as issuer, that means fortigate is re-signing the certificate and acts as man-in-the-middle. May be you have deep-inspection profile applied or fortigate is trying to re-direct you to authentication page or deliver some replacement message which requires traffic decryption, there might be many reasons depends on your configuration.

Enveloc
New Contributor

Forgot to mention this is a 60E.

pyy
New Contributor III

Hi Try to lower your wan interface mtu (1462) especially if you are using PPPoE or xDSL connection

and disable full ssl inspection if it is enabled.

Best Regards pyy

Ranga
New Contributor

Typically webfilter would not allow traffic through by default if the license had expired on it. You can verify the license using "get webfilter status".Even though ICMP allowed web traffic may not allowed.

You can try turning off all UTM features so Fortinet will operate without nextGen features. 

Olamie
New Contributor

Hi,

how was this issue eventually resolved. i am currently experiencing the same issue on two fortigate 50E devices. please help

 

Labels
Top Kudoed Authors