Fortigate 201F on 7.0.14 firmware.
Website: www.reliafund.com
We use this site for ACH transactions on a daily basis, so it's pretty important.
According to the Fortiguard webfilter, this site was updated to a malicious category on Feb 12, 2024. Prior to that we never had an issue. So, starting yesterday, this site is no longer accessible. I’ve submitted three requests for reliafund.com to be recategorized and all three are denied due to a supposed infection. I’ve escalated those requests only to be denied again. We see two different block pages, seen below. Not sure if that's relevant.
Here's what I've tried...
Multiple browsers have the same experience. Yes, I know it wouldn't matter, but I'm only stating what I've tried.
Multiple PCs accessing the internet through different outgoing firewall policies WITH different security profiles are blocked.
Forward traffic logs show success, although that IP is related to Fortiguard.
Creating a URL filter bypass is not successful.
Creating a web rating override is not successful.
I also tried an allowed DNS filter, but that fails as well. For some reason, after saving the change and editing to make sure the filter was there, it disappears. Not sure if that's a bug or not.
Lastly, I created an FQDN entry for reliafund.com and then created a new policy for that entry with no security profiles. That didn't work either. When looking at forward traffic logs, an incorrect policy appears under policy ID. It should be Warboard->WAN. You'll notice that the correct policy appears around the 21 hour mark in the screenshot. That's me troubleshooting yesterday. Today is when the incorrect policy appears.
I can upload screenshots of the forward traffic log details, but again, that IP is for Fortiguard, not Reliafund.com. Through my cell phone I was able to momentarily connect, but then the page automatically redirected me to an ad. (This was from my home wifi, not work.)
I am currently in communication with Reliafund operations. They informed me that all customers using Fortigate firewalls/Fortiguard services have this issue. Customers who do not use Fortigates have no issue accessing the site.
I'm at a loss here. I have to unblock this site but I'm out of ideas and Fortiguard is of no help. Thanks in advance.
Talked with TAC and here is the resolution. Basically, I needed to flush DNS cache on my test PC or the DNS server.
Problem summary:
----------------------------
* Unable to allow URL through FortiGate.
* Static domain filter entry doesn't stick after saving the changes.
Observations:
----------------------------
* Yesterday afternoon www.reliafund.com was recategorized as Finance and Banking, so this issue is indeed resolved now.
* As to why this wasn't working for you after trying to allow it though:
You have both web filtering and DNS filtering applied on your FortiGate. From your screenshots, the web filtering overrides/exemptions were correctly configured. The block page you were receiving was for your DNS filter. It was not working on your test PC with no UTM enabled because:
1. The PC likely had the block page IP still cached for that domain; and/or
2. The PC is querying an internal DNS server, which in turn will hit the DNS filter profile when it sends its own recursive query out to the Internet.
Even if you had removed DNS filtering or allowed the domain for your DNS server, your DNS server still would have had the entry for the block page in its own cache as well for a time. These are some things to consider and keep in mind for the future in case you run into a similar problem again.
* With respect to the problem where the changes to the static domain filter wouldn't stick, we found that this was due to adding a trailing slash (/) to the domain. Since this is not relevant for DNS queries, after removing the trailing slash the entry saved to the profile as expected.
Just figured out the incorrect policy name. Since Reliafund is blocked, it cannot resolve the FQDN address entry I created. I found the real IP (72.168.70.153) and then created a subnet address entry and added that to the policy. When using policy lookup, it now hits the correct policy. I've confirmed this in forward traffic logs by the absence of any traffic to that IP since FG blocks it.
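The mechanism behind the wrong policy ID, as an added Python model that is not FortiOS code and not from this thread: a first-match policy lookup where an FQDN address object is only as good as the answer the firewall's resolver holds. It assumes a placeholder block-page address (192.0.2.1, an RFC 5737 documentation address) and constructed policy names alongside the Warboard->WAN name from the post; 72.168.70.153 is the real address given above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the DNS-filter block page address; the real
# value comes from the DNS filter profile and is not given in the thread.
BLOCK_PAGE_IP = "192.0.2.1"
REAL_SITE_IP = "72.168.70.153"   # address of www.reliafund.com found by the poster


@dataclass
class Policy:
    name: str
    dst: str      # either an FQDN address object or a subnet object in CIDR form
    allow: bool


def resolve_fqdn(fqdn, dns_cache):
    """Model of the firewall resolving an FQDN object through its DNS cache.
    While the cache holds the DNS-filter answer, the object resolves to the
    block page, not to the site; an unknown name resolves to nothing."""
    return dns_cache.get(fqdn, set())


def dst_matches(obj, dst_ip, dns_cache):
    if "/" in obj:                       # subnet object: plain address match
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(obj, strict=False)
    return dst_ip in resolve_fqdn(obj, dns_cache)   # FQDN object: needs a resolved IP


def policy_lookup(policies, dst_ip, dns_cache):
    """First-match lookup, like the GUI policy lookup tool."""
    for p in policies:
        if dst_matches(p.dst, dst_ip, dns_cache):
            return p.name
    return "implicit-deny"


def scenario():
    # Stale cache: the block-page answer is still cached for the domain.
    stale_cache = {"www.reliafund.com": {BLOCK_PAGE_IP}}
    fresh_cache = {"www.reliafund.com": {REAL_SITE_IP}}
    fqdn_policy = Policy("Warboard->WAN (FQDN)", "www.reliafund.com", True)
    subnet_policy = Policy("Warboard->WAN (subnet)", REAL_SITE_IP + "/32", True)
    catch_all = Policy("Internal->WAN (UTM)", "0.0.0.0/0", True)   # constructed name
    return {
        "fqdn_stale": policy_lookup([fqdn_policy, catch_all], REAL_SITE_IP, stale_cache),
        "fqdn_fresh": policy_lookup([fqdn_policy, catch_all], REAL_SITE_IP, fresh_cache),
        "subnet_stale": policy_lookup([subnet_policy, catch_all], REAL_SITE_IP, stale_cache),
    }
```

With the stale cache the FQDN policy never matches the real destination and the session falls through to the next policy, which is the wrong policy ID seen in the logs; the subnet object matches regardless of what DNS returns.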
Looks like the site was re-categorized overnight because it is now accessible. I'd still like to know why I wasn't able to unblock with all of the known solutions. I have a ticket in with support. If I get an answer as to why, I'll post back here.
Oh, need to mention for those who see this down the road... The white block page is a DNS block. The second block with FortiGuard is the category violation block. This should help troubleshoot how you work your bypass in your Fortigate.
Copyright 2024 Fortinet, Inc. All Rights Reserved.