Hi all,
I have a strange problem on one of my 100D models.
Access to one website is blocked for some reason.
Outside the FortiGate the website works, so it is a FortiGate issue.
When running a packet capture I can see no ACK returning when browsing to this website.
Of course I ran a packet capture outside the FortiGate and I can see an ACK, so it seems that the firewall is dropping this silently.
I read something about anti-replay and disabled it globally, but it has no effect. All extra features like AV, web filtering and IPS are turned off. Basic firewall.
Fortigate 100D is running v5.6.11 build1700 (GA).
Should I update to v6 or do you guys have an idea why this website is blocked?
Thanks in advance!
Hello,
Sometimes it happens that on the way to the web page, packets are discarded due to the DF bit. You can try the following KB:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
Make a policy for the specific site (direct IP address, FQDN) and lower the TCP-MSS send/receive to something as low as 1000-1300 for testing purposes, then change it as high as you can using the ping commands in the KB.
Please let me know if this helps.
Regards,
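The "raise it as high as you can" step from the reply above, as an added example that is not part of the original thread or the linked KB: a binary search for the largest DF-flagged ping that gets through, converted to a path MTU and a TCP MSS. It assumes IPv4 without options and a Linux host with iputils `ping` (`-M do` sets DF); the function names and the simulated 1400-byte path are constructed for illustration.

```python
import subprocess
import sys

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # assumption: IPv4, no IP/TCP options


def ping_df(host, payload):
    """Send one ICMP echo with DF set; True if a reply came back."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_df_payload(probe, lo=500, hi=1472):
    """Binary-search the largest ICMP payload for which probe(payload) is True.

    Returns None when even `lo` fails, which usually means ICMP is filtered
    on the path and the result says nothing about the MTU.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always narrows
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_from_payload(payload):
    """Return (path MTU, TCP MSS) for the largest working ICMP payload."""
    path_mtu = payload + IP_HDR + ICMP_HDR
    return path_mtu, path_mtu - IP_HDR - TCP_HDR


def simulated_path(mtu):
    """Constructed stand-in for a path that drops DF packets above `mtu`."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        probe = lambda size: ping_df(sys.argv[1], size)
    else:
        probe = simulated_path(1400)  # constructed sample, no network needed
    best = largest_df_payload(probe)
    if best is None:
        print("no DF ping succeeded; ICMP may be filtered")
    else:
        print("path MTU %d, TCP MSS %d" % mss_from_payload(best))
```

If the search returns the full 1472-byte payload, the path carries a 1500-byte MTU end to end and MSS clamping is unlikely to be the cause.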
Hi Aleksandar,
Thanks for the tip but unfortunately it didn't help.
I tried multiple values (1000-1100-1200-1300) but the page still won't load.
Attached you will find the details of the pcap of the LAN itf.
199.71.177.211 is the IP of the website (https://my.unilinpanels.com/)
Any other suggestions?
Hello,
> Should I update to v6 or do you guys have an idea why this website is blocked?
Yes. FortiOS 5.6.x is a bit outdated.
It's out of engineering support since 2020-03-30 and out of support since 2021-09-30.
Your 100D can be upgraded up to the latest 6.2.x patch release.
Refer to https://docs.fortinet.com/upgrade-tool
It's highly recommended that you upgrade to the latest version which contains several code fixes also regarding stability and security.
This issue might already be resolved in a current firmware version.
If the issue is still observed on the latest 6.2.10 version then please open a support ticket and share the network capture with support.
Best Regards