Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ArifS
Contributor

User can't access website

One of our user always get error that "URL blocked by Forticlient" and he has to refresh few time to make it working, please details error message screenshot. I already added all the website in exclusion list under web filter, but it still blocks. When he disconnects from telemetry or work offsite, it loads all the website without errors.  I am working from the same location and I never had any issue. 

Forclient ver. 7.2.2

Forticlient EMS: 7.2.2

Forticlient Error.pngFortiGuardEMS.JPG

1 Solution
ArifS
Contributor

I think the issue fixed after i set "Allow websites when rating errors occurs' to Allow.  This is option is under Endpoint Profiles - Web Filter. 

View solution in original post

9 REPLIES 9
ozkanaltas
Valued Contributor III

Hello @ArifS ,

 

Are FortiGuard urls/IPs accessible from your office network? 

 

Can you check firewall logs related to problematic clients? Because FortiClient gives an error about the "FortiGuard rating service is inaccessible".

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ArifS

How do I check if the Fortiguard urls/ip accessible?

What is the ip address of FortiGuard URLs

In the EMS server log viewer, i only see AD sync logs, so I set the log level to Debug to see if it capture more logs.

ozkanaltas
Valued Contributor III

You can review this document about FortiGuard addresses. Also, you need to check your configuration. Do you use Anycast or Legacy for webfiltering? You can check this setting in your web filter profile.

 

https://docs.fortinet.com/document/forticlient/7.2.4/administration-guide/539869

 

image.png


You can check traffic on your FortiGate, whether clients trying to connect these addresses or not. 

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ArifS

I checked URL rating, and it was set to legacy which means it uses usfgd1.fortigate.com server outbound port 8888 for Global. We tried accessing usfgd1.fortigate.com on port 8888 and didnt work but it responded on port 443. So I changed URL rating to Anycast and then tried accessing those webiste and it still blocks. I can't find any useful info in the logs.

ozkanaltas
Valued Contributor III

Hello @ArifS ,

 

Can you create a policy on your firewall with internet service (Fortinet-FortiGuard)? After that can you try to access the related website from a client? 

 

Also, can you review the traffic log in in "forward traffic" area?  

 

For example like that.

 

image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ArifS

After changing  url rating to Anycast, both unix and mac users can't get to the internet from lan or from home network when using forticlient. it blocks everything. please see the attached screenshot of the mac user's web filter logs. It says that Blocked (Failed to rating). Let me see if I can get our firewall to make changes.

ArifS
Contributor

I think the issue fixed after i set "Allow websites when rating errors occurs' to Allow.  This is option is under Endpoint Profiles - Web Filter. 

ozkanaltas
Valued Contributor III

This will solve the problem temporarily. If your clients constantly experience this problem, forticlient will allow all websites. Actually the blocks you make will not work.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ArifS

Ever since we deployed forticlient, we see website blocked logs under web filter even though website works fine.  But when we installed forticlient on unix, it started blocking website for that machine only. By allowing website in case of error communicating with fortiuard rating server, fixed the issue.  

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors