Tutek
Contributor

Akamai-CDN traffic is blocked

Hi,

I have an IPv4 policy rule to allow traffic to Bitdefender servers like:

*.bitdefender.com

*.bitdefender.net

with both ports 80 and 443 TCP.

But when I go to the transfer logs, I see that the traffic is still blocked:

185.225.250.26 (update-onprem.2d585.cdn.bitdefender.net) 443 Akamai-CDN Deny

and many other subdomains of .bitdefender.net with the application name Akamai-CDN.

Why is this traffic blocked when I allowed every (wildcard) subdomain for it?

Yurisk
SuperUser

If you could post more of the actual log, it'd be easier to point you in the right direction.

It may be allowed by Web Filtering but then blocked by AppControl. If you are not using security profiles in the rule, only the FQDN *.bitdefender, maybe DNS resolution by the FGT and by the clients in the LAN differs. Again, without knowing the rule you are using and what FGT mechanism blocks this traffic, it is just a guess.

Yuri Slobodyanyuk
Tutek

On this IPv4 policy there is no App Control or Web Filter security profile applied.

Only AV and IPS.

dingjerry_FTNT

Hi @Tutek ,

Can you share your firewall policy about how you are allowing it?

Regards,

Jerry
Tutek

config firewall policy
    edit 117
        set name "Bitdefender_Internet"
        set uuid 3cb9e45e-ab2e-51eb-0902-1e63e406c495
        set srcintf "Zone_Mgmt"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "Bitdefender_SRV"
        set dstaddr "Bitdefender_Internet"
        set schedule "always"
        set service "HTTPS" "HTTP"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "AV-default"
        set ips-sensor "IPS-Mgmt"
        set nat enable
        set comments "Bitdefender to Internet"
    next
end
FGT (addrgrp) # edit "Bitdefender_Internet"

FGT (Bitdefender_Internet) # show
config firewall addrgrp
    edit "Bitdefender_Internet"
        set uuid 19721a98-ab2e-51eb-e689-dc885e657614
        set member "*.bitdefender.com" "*.bitdefender.net" "download.bitdefender.com" "upgrade.bitdefender.com" "lv2.bitdefender.com" "submit.bitdefender.com" "*.ubuntu.com" "*.cdn.bitdefender.net" "update-onprem.2d585.cdn.bitdefender.net"
    next
end

[Screenshot: forward traffic log, 2025-01-09 17:53]

Sometimes the traffic is allowed by the rule, other times it is not:

[Screenshot: forward traffic log, 2025-01-09 17:59]

dingjerry_FTNT

Hi @Tutek ,

So you defined the wildcard FQDN address objects? 

I do not recommend that you use it.  

1) You need to ensure that the DNS traffic is passing through the FGT device;

2) Even if FGT uses the same DNS servers as the clients, they may still get different resolved IPs.

So you may consider using the web filter (URL Filter) instead.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-static-URL-filter-feature-to-allow...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-URL-Filter-expressions-for-the-FortiGate/t...

You may use the URL Filter even if you do not have a valid Web Filter license.

Regards,

Jerry
dingjerry_FTNT

Hi @Tutek ,

As per the screenshot of the logs, most of them were denied by the implicit policy.

That means the IPs do not match the ones resolved (wildcard FQDN) on FGT. 

Please check this KB on how to verify the FQDN IPs in the DNS cache:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-verify-the-FDQN-IP-address-in...

Regards,

Jerry
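The two replies above make one point between them: a wildcard FQDN address object only contains IPs that the FortiGate itself learned from DNS answers passing through it, so a client that receives a different CDN A record for the same name connects to an IP the firewall has never seen, and policy 117 (which matches on destination IP) falls through to the implicit deny. A static URL filter decides on the hostname (the HTTP Host or TLS SNI) instead, so the CDN's changing IPs do not matter. The Python below is an added example written for this thread, not Fortinet code; it is a deliberately simplified model of that behaviour (the real FGT learning and matching logic is not reproduced), and every DNS answer, client flow and IP in it is constructed. The one real IP from the original log, 185.225.250.26, is used only as the "address the client got but the FGT did not" case.

```python
"""Why a wildcard FQDN object can miss CDN traffic (added example, not Fortinet code).

Simplified model: a wildcard FQDN object holds only the IPs the FGT learned from DNS
answers it observed. A client that obtained a different CDN A record therefore hits
the implicit deny, while a URL-filter/SNI match keys on the hostname instead.
All names, IPs and flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class WildcardFqdn:
    """Address object such as '*.bitdefender.net' plus the IPs the FGT has learned for it."""
    pattern: str
    ips: set = field(default_factory=set)

    def matches_name(self, host: str) -> bool:
        # fnmatchcase's '*' also crosses dots, so '*.bitdefender.net' covers
        # 'update-onprem.2d585.cdn.bitdefender.net' but not the bare 'bitdefender.net'.
        return fnmatchcase(host.lower(), self.pattern.lower())


def learn_from_dns(objects, observed_answers):
    """Populate the wildcard objects from (name, ip) DNS answers that traversed the FGT."""
    for host, ip in observed_answers:
        for obj in objects:
            if obj.matches_name(host):
                obj.ips.add(ip)


def ip_policy_decision(objects, dst_ip: str) -> str:
    """Policy 117 style: destination IP only. Accept if any object holds it, else implicit deny."""
    if any(dst_ip in obj.ips for obj in objects):
        return "accept"
    return "deny (implicit)"


def url_filter_decision(patterns, sni_host: str) -> str:
    """Static URL filter / SNI style: decided on the hostname, independent of the IP."""
    if any(fnmatchcase(sni_host.lower(), p.lower()) for p in patterns):
        return "allow"
    return "block"


def run_scenario():
    """Run the constructed flows through both decision models and return the verdicts."""
    patterns = ["*.bitdefender.net", "*.bitdefender.com"]
    objects = [WildcardFqdn(p) for p in patterns]

    # DNS answers the FGT actually observed (constructed): the CDN answered .10 here.
    seen_by_fgt = [
        ("update-onprem.2d585.cdn.bitdefender.net", "185.225.250.10"),
        ("download.bitdefender.com", "203.0.113.7"),
    ]
    learn_from_dns(objects, seen_by_fgt)

    # Client flows as (hostname in the TLS SNI, destination IP the client resolved), constructed.
    # Flow 2: the CDN handed the client a different A record than the FGT saw.
    # Flow 4: an unrelated name that happens to resolve to an IP already in the object.
    client_flows = [
        ("update-onprem.2d585.cdn.bitdefender.net", "185.225.250.10"),
        ("update-onprem.2d585.cdn.bitdefender.net", "185.225.250.26"),
        ("download.bitdefender.com", "203.0.113.7"),
        ("unrelated.example.net", "185.225.250.10"),
    ]
    results = []
    for host, ip in client_flows:
        results.append({
            "host": host,
            "dst_ip": ip,
            "ip_policy": ip_policy_decision(objects, ip),
            "url_filter": url_filter_decision(patterns, host),
        })
    return results


if __name__ == "__main__":
    for r in run_scenario():
        print(f"{r['host']:42} {r['dst_ip']:15} "
              f"fqdn-object: {r['ip_policy']:15} url-filter: {r['url_filter']}")
```

Flow 2 is the symptom from the original log: same hostname, an IP the FGT never resolved, implicit deny. Flow 4 shows the other side of IP-only matching: anything that lands on an already-learned CDN IP is accepted regardless of name, whereas the hostname-based filter blocks it. On the FortiGate itself, `diagnose firewall fqdn list` shows which IPs each FQDN object currently holds, which is the set to compare against the destination IPs in the denied log entries.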