Infotech22
Contributor

Web Page Blocked - No UTM profiles

Hello everybody,

We have branch offices in Europe (Austria, Germany, Serbia).
From today all locations have a problem with network connectivity.
We are getting this error message when we are using our internal DNS servers:
"Web Page Blocked" or ERR_CERT_AUTHORITY_INVALID

I was in a call with Fortinet support for probably 4 hours but still we didn't find a solution.
It probably has something to do with the European time change over the weekend.

All our traffic is being redirected to the FortiGuard SDNS servers, in this case to 208.91.112.55
Our DNS servers can't resolve anything, everything is being resolved to the exact IP address: 208.91.112.55
We also created a new policy without any UTM profiles but it's still the same.
They think that it is some Fortinet internal problem and I'm waiting for them to give me an update.

Has anybody else had similar issues?
When we change DNS settings on client machines to 8.8.8.8, browsing works.
All locations have their own DNS servers.

6 REPLIES
AnthonyH
Staff

Hello Infotech22,


Are the internal DNS servers pointing to FortiGuard servers? You could try changing the forwarders to 8.8.8.8 and then, on the FortiGate, restarting the following daemons:

diagnose test app urlfilter 99

diagnose test application dnsproxy 99


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Daylight-savings-time-changes-and-FortiGua...

Technical Support Engineer,
Anthony.
Infotech22

Hello Anthony,

Yes, they already tried that solution.
Currently in Network > DNS we have "Use FortiGuard Servers" configured.
They already tried with statically configuring 8.8.8.8 but the problem was the same.
"96.45.45.45" and "96.45.45.45" are being used dynamically for FortiGuard.


Port for FortiGuard is set to 443 HTTPS. When testing the connectivity everything is okay.

SupportA
New Contributor

Hello,

We just experienced the same issue with a client. Turns out it was the connectivity with FortiGuard servers that was the cause.
Check "diagnose debug rating": if you have only one IPv6 then disable the FortiGuard Anycast as a workaround: "set fortiguard-anycast disable"

So far I don't know why it started failing in anycast without any reason.

Infotech22

Hello @SupportA,

The problem is resolved on our end. It's really confusing to be honest.
At the 3 locations that we have, the problem was resolved in 3 different ways.
At the first location it was done by a restart, at the second location by changing the port and FortiGuard forwards, and at the third location it was done by itself.

So I don't know what to say about it.

alexandrelcs
New Contributor

I think I understand the problem.

We also have the same problem in France and Spain following the time change in Europe this weekend.

The problem seems to be solved after restarting the FortiGate.
But also, without restarting the FortiGate, by switching to "Restrict to" "EU only" in "Update server location".

andreas_freitag
New Contributor

We encountered similar issues with various firewalls in Switzerland and other European countries, seemingly triggered by the transition from standard time to daylight saving time. There are several workarounds available; all of them can be implemented and subsequently reverted back to their default settings while continuing to function correctly. These solutions include switching to anycast, altering the global DNS settings, or opting for EU-only configurations.

Additionally, despite our inquiries, Fortinet has not yet acknowledged in the ticket that the issue is related to the transition to daylight saving time, stating they have no other customers experiencing the same problem.
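
The symptom reported at the top of this thread (every lookup through the internal DNS servers returning 208.91.112.55) can be confirmed from a list of resolver answers before and after trying any of the workarounds above. The Python sketch below is an added example, not code from any poster or from Fortinet; the function names, thresholds and host names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Address the original post reports every lookup collapsing to.
REPORTED_BLOCK_IP = "208.91.112.55"

# Constructed sample: "name address" pairs collected from an internal resolver.
SAMPLE_ANSWERS = """\
www.example.com 208.91.112.55
mail.example.org 208.91.112.55
intranet.example.net 208.91.112.55
updates.example.io 208.91.112.55
"""

def parse_answers(text):
    """Map each queried name to the set of valid addresses returned for it."""
    answers = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        try:
            ip = str(ip_address(parts[1]))
        except ValueError:
            continue  # second field is not an IP address
        answers[parts[0].lower().rstrip(".")].add(ip)
    return dict(answers)

def find_collapse(answers, min_names=3, ratio=0.8):
    """Return (address, names) if one address answers for most distinct names."""
    by_addr = defaultdict(set)
    for name, addrs in answers.items():
        for addr in addrs:
            by_addr[addr].add(name)
    for addr, names in sorted(by_addr.items(), key=lambda kv: -len(kv[1])):
        if len(names) >= min_names and len(names) / len(answers) >= ratio:
            return addr, sorted(names)
    return None

def diagnose(text):
    """Classify resolver output as ok, redirected (reported IP) or suspicious."""
    hit = find_collapse(parse_answers(text))
    if hit is None:
        return "ok"
    addr, names = hit
    label = "redirected" if addr == REPORTED_BLOCK_IP else "suspicious"
    return f"{label}: {len(names)} names -> {addr}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ANSWERS))
```

Feed it one "name address" pair per line gathered from each site's internal DNS server; an "ok" result after a workaround indicates that unrelated names no longer share a single answer.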
