I keep having an important website, https://crdc.communities.ed.gov, go from working to blocked by FortiGate. It's a 601E with DNS/Web filtering on. I have tried everything, turned off all services, looked for events/errors; nothing shows as the problem. I have had Fortigate support look at it 3 times; they get it to work, then in an hour it goes back to blocked.

I have whitelisted the domain ed.gov in web filter, DNS, etc, .ed.gov/, still nothing. Has anyone run into this? I am running OS 6.4.8 on it.


What is the specific block reason - without it we can’t offer much.

Web Page Blocked! You have tried to access a web page that belongs to a category that is blocked.

But nothing in the logs, nothing in the events, and category lookup, it’s in an accepted category:

Government and Legal Organizations

It was a while ago, but I remember there being some quirkiness when we attempted to modify one of the out-of-the-box web filters.

If you’re using one of those try cloning it and making the changes again then use the cloned filter instead.

@ethanharris ​ Thanks, I just tried a clone and redirect to it, same msg :frowning:

Well you’ve probably already checked, but that full URL seems to be categorized correctly on their DB. But, also:

I’m curious if part of that URL is being flagged, maybe? If you’re not blocking that URL/category, I’d certainly open a ticket with FortiSupport.

@chad-automox ​, when I do a nslookup, it shows:

[Screenshot: nslookup output]

I added the qipservices.com as a whitelisted domain as well, still no luck :frowning:


@chad-automox, oh also I did contact Fortigate support, 3 times so far. They say it's a DNS filter issue, and they think they get it solved, but it's that the site is opening and closing at what appears to be random times during the day. Could be there is a document inside the site being flagged, but again there are no diagnostics to point to what. DNS filter was turned off, and the same thing happens.

If I go to another customer and try it behind their Sonicwall NSA, it appears to work, except when I add the qipservices.com, so https://crdc.communities.ed.gov.qipservices.com gets an invalid cert error, which kinda makes sense.

[Screenshot: certificate error]


That’s pretty weird. Can you test from a machine that’s completely bypassing the firewall? I looked up that URL with another provider (BrightCloud) and it shows two categories:

[Screenshot: BrightCloud category lookup]

If you’ve whitelisted the IP/URL and support is still saying it’s DNS, I’d maybe check for a secondary DNS that has some kind of content filtering. I personally use Cloudflare for Families at home (1.1.1.3) and it can do funky things. I’m just spitballin’ at this point. /shrug

Good idea, I thought the same, moved from 1.1.1.1 and 8.8.8.8 to 8.8.8.8 and 8.8.4.4, same results :frowning: I am at a total loss, can't duplicate it reasonably.


It’s being blocked because their certificate is not valid.

Whitelisting it should fix it, but I would contact the site owner and ask them to fix their certificate so you don’t need to.

The certificate is for ed.gov but the domain you’re trying to access is a subdomain of qipservices.com

Their certificate only covers the following domains



@rod-it Thanks, I believe you are correct, why I can not get any information from Fortigate is problematic, it just throws up its self-signed cert, which errs, and then says web site blocked, invalid SSL cert msg would be helpful at some level on their part
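
The mismatch diagnosed in this thread (a certificate issued for ed.gov names, presented for a hostname under qipservices.com), as an added example that is not part of any post above: a Python check of a requested hostname against a certificate's DNS SAN entries that also reports why it failed. The function names and the `SAMPLE_SANS` subset are assumptions made for illustration, and the `*.example.org` entry is constructed to exercise the wildcard rule.

```python
# Added example: RFC 6125-style matching of a hostname against DNS SAN entries.
# SAMPLE_SANS is a constructed subset; real input would come from the server cert.

def _labels(name):
    """Normalise a DNS name and split it into labels."""
    return name.strip().rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """True if one SAN entry covers hostname (wildcard = whole leftmost label)."""
    h, s = _labels(hostname), _labels(san)
    if len(h) != len(s):
        return False  # a wildcard never spans more than one label
    if s[0] == "*":
        # Refuse over-broad wildcards such as "*.gov".
        return len(s) >= 3 and h[1:] == s[1:]
    return h == s

def check_host(hostname, sans):
    """Return (ok, reason) so a mismatch is reported with its cause."""
    for s in sans:
        if san_matches(hostname, s):
            return True, f"{hostname} is covered by SAN {s}"
    host = ".".join(_labels(hostname))
    # Case from the thread: a covered name with a DNS suffix appended to it.
    for s in sans:
        base = ".".join(_labels(s))
        if not base.startswith("*") and host.startswith(base + "."):
            suffix = host[len(base) + 1:]
            return False, (f"{hostname} is SAN {s} plus suffix '{suffix}', "
                           "which the certificate does not cover")
    return False, f"{hostname} matches none of {len(sans)} SAN entries"

# Constructed sample: two names quoted in the thread plus a made-up wildcard.
SAMPLE_SANS = ["ed.gov", "crdc.communities.ed.gov", "*.example.org"]

if __name__ == "__main__":
    for host in ("crdc.communities.ed.gov",
                 "crdc.communities.ed.gov.qipservices.com"):
        ok, reason = check_host(host, SAMPLE_SANS)
        print("OK  " if ok else "FAIL", reason)
```
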