Fortinet Forum
elementelist

access to specific website blocked

Hi all,

 

I have a strange problem on one of my 100D models.

Access to one website is blocked for some reason.

Outside the FortiGate the website works, so it is a FortiGate issue.

When running a packet capture I can see no ACK returning when browsing to this website.

Of course I ran a packet capture outside the FortiGate as well, and there I can see an ACK, so it seems that the firewall is dropping this silently.

I read something about anti-replay and disabled it globally, but it has no effect. All extra features like AV, web filtering and IPS are turned off. Basic firewall.

FortiGate 100D is running v5.6.11 build1700 (GA).

Should I update to v6, or do you guys have an idea why this website is blocked?

Thanks in advance!

anikolov
Staff

Hello,

Sometimes it happens that on the way to the web page the packets are discarded due to the DF bit. You can try the following KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

Make a policy for the specific site (direct IP address, FQDN) and lower the TCP-MSS send/receive to something as low as 1000-1300 for testing purposes, then raise it as high as you can using the ping commands in the KB.

Please let me know if this helps.

 

Regards,

Aleksandar Nikolov
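The procedure above, written out as FortiOS CLI. This is an added example, not code from the thread or from the linked KB. The address-object name, policy name, interface names ("internal", "wan1") and the starting MSS value are assumptions; the host and FQDN are the ones named in the thread.

```fortios
# Added example (not from the original post or the KB): a dedicated policy for
# the site with a low TCP MSS clamp, plus a DF-bit ping probe to find the real
# path MTU. Interface names, object names and the policy placement are
# assumptions for this illustration.

# 1. Address object for the site (the FortiGate resolves the FQDN itself)
config firewall address
    edit "unilinpanels-fqdn"
        set type fqdn
        set fqdn "my.unilinpanels.com"
    next
end

# 2. Site-specific policy. "edit 0" allocates the next free policy ID; the
#    policy must sit ABOVE the general internet policy (use "move <id> before <id>")
#    or it will never be matched. Start low, raise the MSS once the page loads.
config firewall policy
    edit 0
        set name "test-mss-unilinpanels"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "unilinpanels-fqdn"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set tcp-mss-sender 1000
        set tcp-mss-receiver 1000
        set nat enable
    next
end

# 3. Find the largest payload that passes with DF set. ICMP payload + 28 bytes
#    of IP/ICMP header = packet size, so data-size 1472 is a full 1500-byte frame.
execute ping-options df-bit yes
execute ping-options data-size 1472
execute ping 199.71.177.211
# No reply or "frag needed and DF set": lower data-size and retry until replies
# return. Path MTU = largest working data-size + 28; TCP MSS = path MTU - 40
# (IPv4 + TCP headers), e.g. data-size 1472 -> MTU 1500 -> MSS 1460.
execute ping-options reset
```

One caveat when reading the result: an MSS clamp only changes the size of data segments after the three-way handshake, because SYN and SYN-ACK packets are already small. If the capture shows that the SYN-ACK itself never arrives at the LAN side, MSS is unlikely to be the cause and the drop has to be traced on the FortiGate itself.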
elementelist

Hi Aleksandar,

Thanks for the tip, but unfortunately it didn't help.
I tried multiple values (1000-1100-1200-1300), but the page still won't load.

Attached you will find the details of the pcap on the LAN interface.

199.71.177.211 is the IP of the website (https://my.unilinpanels.com/)

Any other suggestions?

[Attachment: pcap_fortigate_unilinpanels.jpg]
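One check that would narrow this down before (or after) a firmware upgrade: capture on the FortiGate with interface names visible, and run a flow trace so the unit reports its own forwarding decision and any drop reason for this host. This is an added diagnostic, not a reply from the thread; the TCP port and the assumption that the site is reached over HTTPS are mine, and the host IP is the one posted above.

```fortios
# Added diagnostic (not part of the thread). Host IP from the post; port 443
# and the session count are assumptions.

# Capture on all interfaces. Verbosity 4 prints the interface name with each
# packet, so you can see whether the SYN leaves on the WAN side and whether a
# SYN-ACK ever comes back in (count 0 = until Ctrl-C, l = local timestamps).
diagnose sniffer packet any "host 199.71.177.211 and port 443" 4 0 l

# Per-packet forwarding trace: shows the route lookup, the policy ID the
# session matched, and a reason line (e.g. "Denied by forward policy check",
# reverse-path check failure) when the kernel drops the packet.
diagnose debug reset
diagnose debug flow filter addr 199.71.177.211
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# ... reproduce the browser request now, then stop the trace ...
diagnose debug disable
diagnose debug reset

# Confirm which route and egress interface the FortiGate actually uses for
# the site; an unexpected route explains a SYN that leaves the wrong way.
get router info routing-table details 199.71.177.211
```

If the trace shows the SYN accepted and forwarded but the SYN-ACK never appears in the sniffer on the WAN interface, the drop is upstream of the FortiGate (or the return path is asymmetric); if the SYN-ACK arrives on the WAN interface but the trace reports a drop for it, the trace's reason line is what to hand to support with the capture.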

lol
Staff

Hello,

 

> Should i update to v6 or do you guys have an idea why this website is blocked?

Yes. FortiOS 5.6.x is a bit outdated.

It's out of engineering support since 2020-03-30 and out of support since 2021-09-30.

Your 100D can be upgraded up to the latest 6.2.x patch release.

Refer to https://docs.fortinet.com/upgrade-tool

 

It's highly recommended that you upgrade to the latest version, which contains several code fixes, also regarding stability and security.

 

This issue might already be resolved in a current firmware version.

If the issue is still observed on the latest 6.2.10 version then please open a support ticket and share the network capture with support.

 

Best Regards