Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MIsmail
New Contributor

Created on ‎05-01-2023 12:42 AM

Blocked HTTPS Traffic

Hii
Could someone help me please to identify the problem 
I don't know why this traffic is blocked and it affects our ADSync Server online syncronization 

 

Screenshott.png

Labels:
3039
0 Kudos
2 Solutions
Markus_M
Staff
Staff
In response to MIsmail

Created on ‎05-01-2023 05:42 AM

First remove the webfilter from the policy to see if it starts working in the first place. Based on the policy view there is no web filter applied at this time. Just to make sure.

If it fails working, there is no point troubleshooting anything on the webfilter since it has no direct affect. The traffic is blocked BEFORE the webfilter will be applied.

When the traffic is working fine, then apply webfilter etc. to the traffic. You will also need minimum certificate inspection, better a deep inspection as FortiGate can only block what it can read. Encrypted traffic cannot be read.

 

Next is that your initial screenshot show a different source interface (port1 vs port2). See if that is the pattern on the failure.

Check if the interface group/zone called "outside" contains both port1 and port2 - I would suspect that is not the case, based on the logs.

 

 

Best regards,

 

Markus

View solution in original post

2922
0 Kudos
sw2090
Honored Contributor

Created on ‎05-02-2023 12:23 AM

He is getting "implicit deny" as one of the first repliers already wrote.

This means that traffic did not hit ANY policy but policy #0 ("implicit deny") and thus got denied.

So it is of no use to try to disable Filters on policies because they are not hit.

I would suggest to check why this traffic doesn't hit any policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
2908
0 Kudos
13 REPLIES 13
Markus_M
Staff
Staff
In response to MIsmail

Created on ‎05-01-2023 05:42 AM

First remove the webfilter from the policy to see if it starts working in the first place. Based on the policy view there is no web filter applied at this time. Just to make sure.

If it fails working, there is no point troubleshooting anything on the webfilter since it has no direct affect. The traffic is blocked BEFORE the webfilter will be applied.

When the traffic is working fine, then apply webfilter etc. to the traffic. You will also need minimum certificate inspection, better a deep inspection as FortiGate can only block what it can read. Encrypted traffic cannot be read.

 

Next is that your initial screenshot show a different source interface (port1 vs port2). See if that is the pattern on the failure.

Check if the interface group/zone called "outside" contains both port1 and port2 - I would suspect that is not the case, based on the logs.

 

 

Best regards,

 

Markus

2923
0 Kudos
msanjaypadma
Staff
Staff
In response to MIsmail

Created on ‎05-02-2023 12:58 AM Edited on ‎05-02-2023 12:59 AM

Hi @MIsmail ,

Logs did not captured correctly.  try again.

 

Mayur Padma
862
0 Kudos
MIsmail
New Contributor
In response to msanjaypadma

Created on ‎05-02-2023 03:39 AM

Hi @msanjaypadma 
Thanks for caring, I tried to bybass the firewall and found that the traffic fail still exist
so the fortigate is not responsible for the failure.

thanks

852
0 Kudos
sw2090
Honored Contributor

Created on ‎05-02-2023 12:23 AM

He is getting "implicit deny" as one of the first repliers already wrote.

This means that traffic did not hit ANY policy but policy #0 ("implicit deny") and thus got denied.

So it is of no use to try to disable Filters on policies because they are not hit.

I would suggest to check why this traffic doesn't hit any policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
2909
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.