Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
green_apple
New Contributor

Unable to Block HTTPS Facebook and Youtube in Google Chrome

Hi,

I'm having an issue blocking https://facebook.com and https://youtube.com in the latest Google Chrome and Firefox browsers. I already block Social Media in the Web Filter and also in Application Control, and when I check Log & Report in the FortiGate the result shows Facebook and YouTube as blocked, but the sites are still accessible on the client. I also use the URL Filter, but it's the same issue.

Thank you,

4 REPLIES
Dave_Hall
Honored Contributor

I would check to see if the issue is related to Google's QUIC protocol (UDP ports 80, 443), which both Google Chrome and Firefox will try to use if a website supports this protocol. In FortiView, under Destinations, the fgt may list QUIC if it is being used. KB FD36680 provides 3 possible ways to block this protocol usage.

The other thing about Facebook/YouTube is that (at least for YouTube) both sites use a wildcard (*.) security certificate. Keep this in mind if the fgt is not using deep packet inspection mode.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

green_apple

Dave Hall - BTW, thank you. I added the QUIC services in the FortiGate, then created 2 new policies with the same IP range: one denies QUIC, and the other is the Internet-allow policy. It works in Firefox but not in Google Chrome; the sites are still accessible.

I also block QUIC in Application Control. Is there any way that I can block Facebook and YouTube from being accessed that I can add in my FW? Thanks, sir, so much appreciated the suggestion and help.

green_apple

Here are the logs from the Forward Traffic, but the site was still accessible even though I blocked QUIC in Application Control and denied UDP port 443 and port 80.

TIA.

Dave_Hall

Both Facebook and YouTube use a wildcard security certificate - in YouTube's case, it uses Google's wildcard security certificate - so depending on the inspection mode (SSL Certificate Inspection vs. Full SSL Inspection) the fgt may not fully see what site a device is connecting to.

Other things to keep in mind:

If you choose to block the QUIC protocol, you really only need to create one firewall policy that blocks it and move it to (or near) the top of the firewall rule chain.

Firewall policies (rules) are executed from top to bottom - when a rule is triggered (match found), it stops processing further rules (below it). (There is, I think, one exception to this: an identifying rule?) So if you are trying to block something, place that firewall rule above any general rule that would allow that content.

Almost all (if not all) of the major websites/services make use of other domains to redirect traffic or pull resources from other domains. Both YouTube and FB make use of content delivery networks (CDNs). Most of the fgts we manage are located at remote educational sites that have no on-site IT personnel, so there is no real computer/domain support - all web filtering is performed via security certificate only - so generally we can only block sites based on whatever name appears on the security certificate and/or by static or FQDN addresses. (Note this is for HTTPS connections.)

Web filter URL rules override "FortiGuard category based filters", so if you have issues blocking sites based on categories, you could try crafting URL filter rules. Another option (which only works on domains or FQDNs) is to reclassify a site using "Security Profile -> Web Ratings Overrides".

Enable Device Detection on the internal LAN interface - this will allow the fgt to identify devices - and you can use "Users & Device -> Device Inventory" to see what devices (and how many) are on your internal network.

For troubleshooting blocking/unblocking issues on devices, your best tool on the fgt is FortiView - I like to use "FortiView -> Sources" and "FortiView -> Destinations", along with "Log & Report -> Web Filter" (assuming you have enabled logging on security events). You can drill down to the individual sessions to see what is allowing/blocking connections.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
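
The arrangement described in this reply (a single QUIC deny policy placed above the general Internet-allow policy) combined with the UDP 80/443 service from the first reply, as an added FortiOS CLI example that is not from the forum posters: the interface names internal and wan1, the service, policy and profile names, and the policy IDs 10 and 20 are assumptions for illustration, and the web filter / application control profiles are assumed to already exist with the Social Media blocks the original poster configured.

```fortios
# Added example (assumed names). Defines QUIC explicitly as UDP 80 and 443
# so the deny policy does not depend on a version-specific predefined service.
config firewall service custom
    edit "QUIC-UDP-80-443"
        set comment "QUIC per thread: UDP 80 and 443"
        set udp-portrange 80 443
    next
end

config firewall policy
    # Deny policy: only this one policy is needed to stop QUIC.
    edit 10
        set name "Deny-QUIC"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC-UDP-80-443"
        set logtraffic all
    next
    # General allow policy with the security profiles applied. Full SSL
    # inspection (deep-inspection) is what lets the fgt see the real
    # hostname behind a wildcard certificate; certificate inspection only
    # sees the certificate name (assumed profile names).
    edit 20
        set name "Allow-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "block-social-media"
        set application-list "block-social-media"
        set logtraffic all
        set nat enable
    next
    # Policies match top to bottom, so the deny must sit above the allow.
    move 10 before 20
end
```

After applying this, FortiView -> Destinations should no longer show QUIC sessions from the internal network, and browsers fall back to TCP 443 where the web filter and application control on policy 20 can act.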
