WSS agent installed

Users cannot access sub domains under www.fortiguard.com or www.fortinet.com sites. Example sub domains: (https://metal.fortiguard.com, https://docs.fortinet.com) - browser simply times out and returns standard connectivity error.

Same users can get to any other sites they are permitted to go to without problems

Tried adding domains to SSL interception exception without any change in behaviour

Client Firewall Service (CFS) license active

WSS agent

Client Firewall Service enabled and blocking access to all Fortinet domains

Bypass fortiguard.com and fortinet.com domains when CFS license enabled

PCAPs showed requests for these domains coming into WSS environment but not reaching the WSS Proxy

Identified that the block appeared on the CFS nodes - can see request come in, but not go out

CFS rules only allow requests to these domains if they originate from CFS server and not routed through

Updated CFS devices in 2022 will not have this limitation.