New Contributor

Blocking any website that only uses HTTP

Hi, I'm trying to block any computers on my network from accessing sites that only use HTTP. Currently I've tried blocking all the HTTP ports (80, 8008, 8080), but somehow it's still going through. Does anyone know what I'm doing wrong?


I've uploaded the policy I created for this task. 

Valued Contributor

1) This policy should be ordered first in the LAN-to-WAN policy list.

2) Try in the CLI:

config firewall policy
    edit "policyID"
        set match-vip enable
    next
end

--- NSE 4 ---


If it is a newer FortiGate OS version, you can start with Security Policy Lookup: enter port 80 etc. and see that only your Deny policy is indeed matched.


To really know which feature/policy this goes out on, you'd need to run the debug flow on the CLI:


# diagn debug flow filter ?   <-- filter on something specific to the test, say the IP address of the remote website
# diag debug flow show function
# dia deb flow trace start
# dia deb enable

Yuri  blog: All things Fortinet, no ads.
Esteemed Contributor III

What I would do is use application control, together with services/ports that are not 443.


To find which policies are allowing HTTP, just use diag sys session and the filter:

  diag sys session filter dport 80
  diag sys session list | grep policy_id

Then you can review those policy IDs that are allowing the traffic flows.



Ken Felix

PCNSE NSE StrongSwan
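As an added example (not part of Ken's post, and not Fortinet's own tooling), a small Python script that does the "review those policy IDs" step offline: it parses a constructed, approximated capture of `diag sys session list` output and counts sessions per policy_id whose original-direction destination port is a cleartext HTTP port. The session-record layout is assumed from typical output and may differ between FortiOS versions.

```python
import re
from collections import Counter

# Constructed sample of `diag sys session list` output (three sessions), trimmed to the
# lines this parser needs. Real output carries more fields; the layout is approximated.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=5 expire=3599 timeout=3600 use=3
hook=post dir=org act=snat 192.168.1.10:51234->93.184.216.34:80(203.0.113.5:51234)
hook=pre dir=reply act=dnat 93.184.216.34:80->203.0.113.5:51234(192.168.1.10:51234)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 use=3
hook=post dir=org act=snat 192.168.1.20:40000->198.51.100.7:443(203.0.113.5:40000)
hook=pre dir=reply act=dnat 198.51.100.7:443->203.0.113.5:40000(192.168.1.20:40000)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=9 expire=3590 timeout=3600 use=3
hook=post dir=org act=snat 192.168.1.30:50001->192.0.2.44:8080(203.0.113.5:50001)
hook=pre dir=reply act=dnat 192.0.2.44:8080->203.0.113.5:50001(192.168.1.30:50001)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# Original-direction tuple: src:port->dst:port, optionally followed by a (nat) suffix.
ORG_RE = re.compile(r"hook=\S+ dir=org act=\S+ ([^\s(]+):(\d+)->([^\s(]+):(\d+)")
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")

def parse_sessions(text):
    """Split the listing into sessions; each becomes a dict with src, dst, dport, policy_id."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            if cur:
                sessions.append(cur)
            cur = {}
        elif cur is not None:
            m = ORG_RE.search(line)
            if m:
                cur.update(src=m.group(1), dst=m.group(3), dport=int(m.group(4)))
            m = POLICY_RE.search(line)
            if m:
                cur["policy_id"] = int(m.group(1))
    if cur:
        sessions.append(cur)
    return sessions

def policies_allowing(text, ports=(80, 8008, 8080)):
    """Count sessions per policy_id whose destination port is one of the cleartext HTTP ports."""
    counts = Counter(s["policy_id"] for s in parse_sessions(text)
                     if s.get("dport") in ports and "policy_id" in s)
    return dict(counts)

if __name__ == "__main__":
    for pid, n in sorted(policies_allowing(SAMPLE).items()):
        print(f"policy_id={pid}: {n} cleartext HTTP session(s)")
```

Feed it the real listing (e.g. saved from the console) to see which policy IDs still pass port 80/8008/8080 traffic; those are the ones to look at above your Deny rule.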
