This is a newly configured firewall. We are trying to enable the web filter on it. The LAN PCs could connect to the internet before enabling the web filter, but after enabling the web filter they cannot connect to the internet. All configuration was done correctly, step by step:
1. Configure the LDAP server (Bind type - Regular)
2. Configure the single sign-on (Enable polling)
3. Configure the IPv4 policy
But after these steps the LAN users can't access the internet.
To be correct:
It does block the complete internet if it has no valid license or cannot reach the FortiGuard servers to check.
Maybe you could use flow debug to see what your packets are doing on your FGT.
diag debug enable
diag debug flow filter <filter|list|?> (a "?" will have it show the available filters, "list" will list the current filters)
diag debug flow show console enable (you want to see something on the CLI, do you? *g*)
diag debug flow trace start <numberofpackets> (stop will stop it again)
Mostly this gives you a clue what goes wrong with your packets...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
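A worked session of the flow-debug procedure above, followed by the checks for the FortiGuard rating service itself (the thing that is actually failing when the web filter blocks everything). This is an added example and not part of the original reply; the client address 192.0.2.10 is a made-up placeholder, and the commands are standard FortiOS 5.x CLI.

```fortios
# Added example (not from the original post). 192.0.2.10 is a placeholder LAN client.
# 1. Narrow the trace to one client and one destination port so the output stays readable.
diagnose debug flow filter clear
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow filter port 443
# 2. Print the kernel function handling each step; this shows where a packet gets dropped.
diagnose debug flow show function-name enable
diagnose debug enable
# 3. Capture a bounded number of packets, then reproduce the failing web request from the client.
diagnose debug flow trace start 50
#    ... watch for lines such as "allowed by policy" versus a drop/deny message ...
diagnose debug flow trace stop
# 4. Always turn debugging off again; leaving it enabled costs CPU on a production unit.
diagnose debug disable
diagnose debug reset

# Checks for the rating service behind "all FortiGuard servers failed to respond":
show full-configuration system fortiguard   # configured rating port (53 or 8888) and servers
diagnose debug rating                       # rating servers, round-trip times, failed-request counters
diagnose debug application update -1        # verbose log of the next FortiGuard contact
diagnose debug enable
execute update-now                          # force a FortiGuard contact and watch whether it succeeds
diagnose debug disable
diagnose debug reset
```

If the flow trace shows the client's session being accepted by the policy but the rating checks show every server timing out, the problem is between the FortiGate and FortiGuard (licence, DNS, or an upstream firewall), not in the LAN policy.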
Hello, SecurityPlus.
Yes, I have green checks in the Dashboard and FortiGuard. I logged in via the CLI to the box but was not able to send a ping.
FG-240D-1 # execute ping www.heise.de
7215: Unknown action 0
Command fail. Return code -1
When the user tries to access a webpage with an active filter in the policy, an error message comes up that says:
"An error occurred while trying to rate the website using the webfiltering service. Web filter service error: all Fortiguard servers failed to respond"
Note: After I wrote this post, I called Support. I had some problems understanding the guy on the phone, but if I understood correctly he said that there was a server issue at the weekend and that I should call back on Monday.....
Interesting. Please let us know if this was the cause of the issue.
I am really confused about that error. Today I got the message that there is a timeout when doing a website rating; no server is answering. I wonder if it is just because I did the update at the weekend that my services need to be registered again. If there were a general problem I would expect more people to be complaining, and that maybe some would write here. I tested the default web filter but there was no message, surely because everything is allowed there. I also tried to create a completely new web filter, but that also did not work. I also don't understand why it is not possible to execute commands in the CLI. Maybe something went wrong during the update. But let's see what Support says on Monday.
BR
Marco
SecurityPlus wrote: Hello, yes the problem is solved, but not with the help of Fortigate Support; at the moment my ticket is escalated to the next level. So what happened was that after the upgrade from 5.4.9 to 5.6.5 the web filtering port changed from 53 to 8888. I opened this port in our internet firewall and immediately the connection to the FortiGate servers was working. The box registered the services and the web filter started working again.
Any update that you can provide?
I double-checked the logging and it was really an automatic change that the box did after the update. Maybe I should have had the idea earlier to check this part, but I was sure I had not changed anything, so I expected everything to work like before.
BR
Marco
I noticed this as well when moving to 5.6.5. It wasn't mentioned in the release notes, but it is mentioned in the "Ports and Protocols" document (https://docs.fortinet.com/uploaded/files/3606/fortinet-communication-ports-and-protocols-56.pdf) as having changed in 5.6.3.
Just to confirm, it was another firewall that was blocking 8888, not the FortiGate itself?
Yes, it was another firewall. We use the FortiGate cluster as a layer 2 firewall for application filter, web filter and IDP. The connection to the FortiGate servers is done via the MGMT interface, which is connected to another firewall where we only allowed the specific ports that are needed.
BR
Marco
marco_d wrote: So what happened was that after the upgrade from 5.4.9 to 5.6.5 the web filtering port changed from 53 to 8888.
We also experienced this and reported it to Fortinet as a bug, which was acknowledged. I requested that it be included in the release notes as a warning to others, but have not checked whether the latest notes include it.
In our case we changed the port back to 53 and Fortiguard could be contacted again.
Jonathan
FYI, they never included it in the release notes. Feel free to reopen your ticket! ;)
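The two fixes the thread arrives at (Jonathan's "change the port back to 53" and Marco's "open 8888 on the upstream firewall"), written out as the CLI a practitioner would run and verify, plus the caveat about the web filter failing closed. This is an added example, not taken from any of the posts; it assumes FortiOS 5.6.x syntax, that the upstream firewall only permits UDP/53 outbound from the MGMT interface, and the profile name "default" is a placeholder.

```fortios
# Added example (FortiOS 5.6.x syntax assumed; nothing here is copied from the posts).
# Option A: move FortiGuard rating traffic back to the port the upstream firewall already allows.
config system fortiguard
    set port 53
end

# Option B (instead of A): keep the 5.6.3+ default of UDP/8888, open it outbound from the MGMT
# interface on the upstream firewall, then force a re-registration and watch it succeed.
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
diagnose debug reset

# Caveat: while the rating service is unreachable the web filter fails closed and blocks all
# browsing. If availability matters more than enforcement during such an outage, allow traffic
# on rating errors per web filter profile. This trades filtering for connectivity, so log it
# and review it; it is not a substitute for fixing reachability.
config webfilter profile
    edit "default"
        config ftgd-wf
            set options error-allow
        end
    next
end
```

Whichever option you pick, document the chosen port next to the upstream firewall rule: the port that a FortiOS upgrade silently changed once can change again, and the symptom ("all internet blocked after enabling the web filter") points at the LAN policy rather than at the management path.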