Unable to access Fortinet sites when WSS Agent is active

Article ID: 229581

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The WSS Agent is installed.

Users cannot access subdomains under the www.fortiguard.com or www.fortinet.com sites (for example, https://metal.fortiguard.com and https://docs.fortinet.com). The browser simply times out and returns a standard connectivity error.

The same users can reach any other sites they are permitted to access without problems.

Adding the domains to the SSL interception exception made no change in behaviour.

Environment

Client Firewall Service (CFS) license active

WSS agent

Cause

The Client Firewall Service is enabled and is blocking access to all Fortinet domains.

Resolution

Bypass the fortiguard.com and fortinet.com domains when the CFS license is enabled.

Additional Information

PCAPs showed requests for these domains coming into the WSS environment but not reaching the WSS Proxy.

The block was identified on the CFS nodes: the request can be seen coming in, but not going out.

CFS rules only allow requests to these domains if they originate from the CFS server itself, not if they are routed through it.

Updated CFS devices in 2022 will not have this limitation.