Support Forum
itcba
New Contributor

Access Denied - The page you requested has been blocked by a firewall policy restriction.

Hi, 

I'm using a VIP to redirect traffic based on hostnames to my NAS.

[Screenshot omitted: Screenshot 2024-06-05 at 00.34.59.png]

I'm using Origin Server Certificates obtained from Cloudflare, which also manages my DNS.

Anyway, I'm seeing this error while trying to visit the login page:

[Screenshot omitted: Screenshot 2024-06-05 at 00.35.03.png]

The certificate is considered valid. Anyway, in the logs I see a lot of accepted but timed-out connections.

Any tips?

ozkanaltas
Valued Contributor II

Hi @itcba ,

I reviewed the debug logs again. I saw a lot of lines like func=av_receive line=444 msg="send to application layer" or func=ip_session_output line=661 msg="send to ips". That's why I asked you to review the security logs and try it without a security profile.

However, can you access port 443 of the 10.30.0.1 IP address from the internal network or via the FortiGate?

Can you also try removing the http host setting under the virtual server configuration?

unset http-host "express.cba-design.it"

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
itcba
New Contributor

Yes, sorry, I did try it without any security profile applied, but I see the same error:

[Screenshot omitted: Screenshot 2024-06-05 at 16.04.11.png]

I can reach the NAS from the internal network, and I can ping it from the FortiGate.

How do I use the command you sent?

ozkanaltas
Valued Contributor II

Hello @itcba ,

Also, can you change the ssl-inspection profile to no-inspection?

You can do the same thing without a command by removing the FQDN in this field.

[Image omitted: image.png]

itcba

Unfortunately it doesn't change anything.

The strange part is that there is no log about that! I can't find anything related to this issue!

ozkanaltas
Valued Contributor II

Hi @itcba ,

That's weird.

If you use DNS only mode instead of proxy mode in cloudflare, is there any difference?

itcba

No difference with the DNS-only mode.

ozkanaltas
Valued Contributor II

Hi @itcba ,

I saw you use "ssl-mode full" in your configuration. Did you install the acme-express certificate on your NAS drive?

If you say no, can you install it and then try again?

If you say yes, is Cloudflare providing you a CA certificate for acme-express? If yes, can you install this certificate on the FortiGate in the System -> Certificate section?

itcba

I'm not able to import it on my NAS because my Synology is asking me for a private key. That certificate is obtained from LE directly by the FortiGate, and I'm not sure I'm able to obtain its private key.
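
Added diagnostic for the ssl-mode full discussion above (this is not code from the thread or from Fortinet): in full mode the FortiGate opens its own TLS session to the real server and has to trust the certificate the NAS presents, so the script below does the same handshake from any host that can reach the backend and reports chain trust and hostname match separately. The backend IP 10.30.0.1 and the http-host value are taken from the thread; hostname_matches and probe_backend are hypothetical helper names.

```python
import socket
import ssl
from fnmatch import fnmatchcase

def hostname_matches(cert, expected_host):
    """Hypothetical helper: does a certificate dict, in the shape returned by
    ssl.SSLSocket.getpeercert(), cover expected_host? SAN DNS entries win;
    the subject CN is consulted only when the certificate has no SAN at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = expected_host.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # a wildcard covers exactly one label and never the bare parent domain
            if host.count(".") == name.count(".") and fnmatchcase(host, name):
                return True
        elif name == host:
            return True
    return False

def probe_backend(ip, port, server_name, timeout=5.0):
    """Hypothetical helper: open a TLS session to the real server the way a
    full-mode proxy would (SNI = the virtual server's host name) and report
    chain trust and hostname match separately so the failing half is obvious."""
    result = {"chain_trusted": False, "hostname_ok": False, "error": None}
    ctx = ssl.create_default_context()   # system trust store, like a default CA bundle
    ctx.check_hostname = False           # the hostname result is reported by us below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate, as in ssl-mode full
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                result["chain_trusted"] = True
                result["hostname_ok"] = hostname_matches(tls.getpeercert(), server_name)
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "chain not trusted: %s" % exc
    except (OSError, ssl.SSLError) as exc:
        # covers the "accepted but timed out" case: TCP opens, the handshake never completes
        result["error"] = "connection/handshake failed: %s" % exc
    return result

if __name__ == "__main__":
    import sys
    # defaults are the values from the thread; pass your own backend IP and http-host
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.30.0.1"
    host = sys.argv[2] if len(sys.argv) > 2 else "express.cba-design.it"
    print(probe_backend(ip, 443, host))
```

A result with chain_trusted False means the NAS certificate (or its issuing CA) is not in the probing host's trust store, which is the same gap the FortiGate hits in full mode; hostname_ok False means the certificate does not cover the http-host value.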
