Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor


Hello ya'lll.

I'm having an issue, and I have no doubt I'm missing something simple, but try as I might I can't figure it out.


I'm setting up some Policies for "bypass" to allow servers to get out to the Internet for updates for certain products, and for our RMM tool.


Thing is, I've added bypasses for HTTP (80) and HTTPS (443) for several domains (* and * and they STILL show up in the "DENY" log. I can't figure out why it keeps getting "blocked".


I'm sure I'm missing something simple. Any guidance it massively appreciated.


Honored Contributor

just some hint:


if you use urlfilter rules check the order and mode of your rules. Deny rules have to be the last and allowing rules have to come before it as rules are processed top down. Also if there is a deny rule in urlfilter you have to set allowing rules to "exempt" instead of "allow" to have the urrlfilter stop processing rules once it hit the first one that matched.

Otherwise traffic would be denied even if there is an allowing rule before the deny one.


Policies are processed the same way. So make sure you bypass policies come in front of the deny policy(s). Otherwise the deny policy(s) would match first and policies - so to say - are allways "exempt".


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
New Contributor

Thanks for the assist!

Indeed, I only have a single "deny" rule for each "zone to zone" policy, and that is at the very bottom.

I don't use URL filtering currently. Essentially, all of the "NGFW" features of this box are effectively "off". It's just acting like an "allow/deny" box.


New Contributor II

This method relies on the FG being able to perform passive inspection of unencrypted DNS responses. 

I don't use wildcard FQDN myself, however I briefly worked in an environment where it had been configured but wasn't working. As a test, I configured the FG to act as a DNS server and pointed all of the internal clients at it. After this, the wildcard FQDN started working.

Didn't have any more time to spend on it - so unfortunately I can't shed any more light on it than this.


Hope this helps.



New Contributor

Unfortunately, I can't point all DNS to the firewall. Too much AD/LDAP/misc integration. While it's possible this may work, even if it does, it wouldn't be a tenable solution. Thanks regardless.

Top Kudoed Authors