Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
R1chou
New Contributor

Web Page Blocked - Category: Unrated

Hello,

 

I have a server in my DMZ which must communicate with my antivirus manager server in my LAN.

Ports used are 80 and 443

IP v4 rules are ok.

 

I encounter an issue when I try to access to the url [link]https://antivirusserver.domain.local[/link] from my DMZ server

I get the following message

Web Page Blocked!

You have tried to access a web page which is in violation of your internet usage policy.

URL: [link]https://F-Secure[/link] Policy Manager automatically generated self-signed certificate/ Category: Unrated User name: Group name:

To have the rating of this web page re-evaluated please click here.

 

If I disable the web filter in my rule I can browse the URL.

I tried to add antivirusserver.domain.local as a wildcard and allow it to static url filter but it doesn't work.

Allow tried to add the url to my white list in web rating overrides but it doesn't work.

 

Do you have an idea ?

Regards,

1 Solution
Toshi_Esumi
SuperUser
SuperUser

You must have either certificate inspection or deep inspection for SSL set on the hitting policy. I think it started blocking invalid certificates by default after 6.2. I would try separating a policy only for this particular traffic and apply a new inspection profile with either "Untrusted SSL certificate:Allow" or "Allow invalid SSL certificate" if your server can't have a valid cert. We encountered a similar issue with SSL VPN when we upgrade FGTs to 6.2.7, and did the former to mitigate.

By the way, you might want to move the virus mng server into DMZ.

View solution in original post

2 REPLIES 2
Toshi_Esumi
SuperUser
SuperUser

You must have either certificate inspection or deep inspection for SSL set on the hitting policy. I think it started blocking invalid certificates by default after 6.2. I would try separating a policy only for this particular traffic and apply a new inspection profile with either "Untrusted SSL certificate:Allow" or "Allow invalid SSL certificate" if your server can't have a valid cert. We encountered a similar issue with SSL VPN when we upgrade FGTs to 6.2.7, and did the former to mitigate.

By the way, you might want to move the virus mng server into DMZ.

R1chou

Hello,

 

You are right, changing the ssl inspection allows me to access to the url (without adding the url to my white list or in static url filter).

 

Regards,

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors