CBInfo
New Contributor

Web filtering problem on one VLAN only

Hi,


I have multiple VLANs that are working just fine. The last one I created cannot access some Microsoft websites, and the username field on iCloud.com won't show up, for example. I tried to redo the VLAN multiple times to see where I f*d-up. I cloned the rules from another VLAN that is working fine. I created a rule allowing Microsoft365 Internet services and portal.office.com finally loads, but there are other glitches and you can see a lag when the page loads.


Any help will be appreciated.


Thank you

 

Edit: even with web filtering disabled, iCloud won't work

Edit2: FortiGate 601E v7.2.8

Edit3: The problem is with the interface, not the VLAN

abarushka
Staff

Hello,

 

You may consider using the browser developer tools. They will help to identify which URL fails (status column) or is slow (time column):

 

Firefox: application menu > more tools > web developer tools > network
Chrome: customize and control google chrome > more tools > developer tools > network

 

In case there is UTM configured, you may consider disabling UTM for testing purposes.

CBInfo
New Contributor

Thank you for the quick response.


What should I do next? Even with web filter disabled or with URL filter exceptions it won't work.

 

What do you mean by "disable UTM"?

Quint021
Staff

Hello @CBInfo,

Concerning disabling UTM, navigate to the firewall policy that is handling the traffic and proceed to edit the policy. Identify the Security Profiles that are enabled and toggle them off 1 by 1 for testing to see at any point if the issue is resolved. Please make sure to back up the config before such changes as well.

Kind Regards,

CBInfo
New Contributor

Thank you Quint021. I already tried that. With the web filter turned off, portal.microsoft.com is accessible with a lag but icloud.com is still the same.

Quint021
Staff

Hello @CBInfo,

For the particular VLAN in question, do you have any type of traffic shaping associated with that interface?  In addition, what DNS servers are in use for the VLAN? If internal then you can try testing with public servers. 

Kind Regards, 

CBInfo
New Contributor

No shaping that I can see. The interface is set up like the other LAN interfaces. It is internal DNS like the other LAN interfaces. DNS and DHCP are on a Windows server.

abarushka
Staff

Hello,

 

I would recommend checking the browser developer tool output (icloud.com), sniffing the traffic (icloud.com) and checking for anomalies.

CBInfo
New Contributor

Hi and thank you to all of you who took the time to help me. I changed interface this morning and everything works fine. I still don't know why it's not working on the other interface...

hbac

Hi @CBInfo,

 

On the problematic policy, you can try to reduce tcp-mss values by running the following commands and test: 

 

config firewall policy
edit <policy id>
set tcp-mss-sender 1300
set tcp-mss-receiver 1300
end

 

Regards, 
