Thanks for your response. 

I wasn't aware wildcard masks don't work in FQDN objects. I've also tested with different variations, including "logmein.com" without success.

Unfortunately I'm unable to enable Web Filtering at this time, as I'm waiting for the Contract Code for our support bundle from our re-seller. Once I have this I'll give this a try.

I'm still wondering why this setup isn't working, as it seems like a very basic rule. I'm sure I'm missing something simple, but I've had no luck finding it so far. We use a separate proxy server, so upon implementation we want to allow only HTTP/S traffic to originate only from the proxy server, and application traffic with a specific destination that will bypass the proxy server (including LogMeIn).

Again any further assistance would be greatly appreciated.

Further testing below:

Test 0 

Policy Rule allowing all traffic to FQDN object logmein.com

@Mikelar

An expired contract would only affect the FortiGuard web filter service, the actual URL filter stuff should still work -- all you need to do is uncheck the FortiGuard Categories option in the Web Filter Profile.

Your screenshots are not showing the drilled-down/actual log info for the events...which would be helpful in determining the reason for the logged event. (e.g. blocking.)

This LogMeIn faq seems to imply white-listing a set of URLs (used with the service) is more suited than trying to "unblock" via IP addresses.  In their words, "Our IP ranges change regularly. For best results, please whitelist the URLs shown above."

Thanks again for your assistance, I appreciate the help.

@Dave

The domain names from LogMeIn are also what I'm going from. I've got a separate FQDN address object for each of their domains, (in 'domain.com' format), grouped under a group object named 'LogMeIn_Group'. I do have their IP list, but I'd prefer to use their FQDN's specifically for the reason mentioned on their site (they change regularly).

@emnoc

I initially tried using diag debug flow, but I wasn't getting much more detail than the log viewer. I've added some outputs from the latest round of testing.

Test 4

Personally, I'd would use a wildcard url filter (not FortiGuard web services) for what you are trying to accomplish.  Since your dilldown log shows the client trying to connect  via HTTP/HTTPS, I don't see how it wouldn't work. (Of course, I am assuming actual web traffic and not a port 80/443 data "tunnel".)

Regarding IP lookups for FQDN addresses -- I too was wondering about this since most of our clients are in remote areas with very slow satellite linkups.   Never found an actual official answer (of course I merely did a curiously check). I just ended up playing around with the cache-ttl values (from the CLI) for key FQDNs.

A side note, you could try moving your DNS firewall policy to the top of the firewall list.

Thanks Dave, again I appreciate your assistance.

After further testing and a big more digging I found a response here that looks pretty accurate.

 

FQDN Firewall Address Object simply looks up the FQDN and substitutes the IPs as the object. Any time a client gets a different IP back it will fall outside the policy. Any time the client tries to go to one of the other many addresses owned by servers used by facebook or youtube, that don't fall within the IPs resolved by www.facebook.com, it will fall outside the policy. FQDN address objects are NOT intended as a webfilter and you cannot specify *.facebook.com as an FQDN Address object. How do you do an nslookup for that? Answer is you can't. 

FQDN address objects are great for permitting or denying access to dynamic DNS IP's or servers that change IP from time to time. For example permit RDP to rdpserver.mycompany.com or VPN from remoteoffice.dyndns.com. They are NOT for complex websites.  Fortinet provides three methods to do that correctly:  1. URL Filter  2. Webfilter (catgories)  3. Application Control. 

I think I'll just need to re-evaluate the approach I'm taking, and look to focus more on Application Control & Web Filtering rather than static Policy rules. While the problem isn't resolved, hopefully this thread can at least help others that come across the same issue.

Cheers.

Just 4 Info: Fortinet TAC told me upon a ticket that you cannot use wildcards in webfilter rating overrides so I could imagine you cannot also use them in objects.

Also keep in mind: if you manage your FGT with a FMG there is a known bug in FMG v5.4 that affects wildcard url filter entries in their order!