A FortiGuard web filter update incorrectly categorizes a critical SaaS application as malware. All employee access to the application is blocked by the UTM policy.
Pattern: FORTINET_EVENT
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands
Test Results
Metric               | Expected       | Actual
Pattern Recognition  | FORTINET_EVENT | FORTINET_EVENT
Severity Assessment  | CRITICAL       | CRITICAL
Incident Correlation | Yes            | 20 linked
Cascade Escalation   | N/A            | No
Remediation          | —              | Remote Hands (Corax contacts on-site support via call, email, or API)
Scenario Conditions
FortiGate 200F with UTM bundle. Web filter profile in strict mode. FortiGuard category update pushed at 3AM. 300 employees dependent on the SaaS app.
Injected Error Messages (2)
FortiGate UTM block — web filter denying access to company.my.salesforce.com, FortiGuard category: malware (false positive), utm block rate: 100%, Fortinet web filter policy violation
Fortinet UTM block spike detected — FortiGuard web filter blocking 300+ requests/min to salesforce.com, IPS alert on category mismatch, fortigate policy action: deny
Neural Engine Root Cause Analysis
The Salesforce CRM application is inaccessible because the FortiGate UTM firewall is blocking access to company.my.salesforce.com with a 100% block rate. The FortiGuard web filter has incorrectly categorized the legitimate Salesforce domain as malware, creating a false positive that prevents all users from reaching this critical business application. The presence of 8 correlated incidents and historical pattern matches indicates that this is a recurring issue with the Fortinet security appliance's web filtering configuration.
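A triage check for the false-positive pattern described above, as an added example that is not Corax or Fortinet code: it parses UTM block messages, and flags a domain only when it (or a parent domain) is on an organisation-maintained allowlist of business-critical SaaS, FortiGuard has rated it malware, and the stated block rate is high. The allowlist is an assumption, and the sample messages are adapted from the two injected events.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, adapted from the two injected FortiGate UTM messages in this scenario.
SAMPLE_EVENTS = [
    "FortiGate UTM block - web filter denying access to company.my.salesforce.com, "
    "FortiGuard category: malware (false positive), utm block rate: 100%, "
    "Fortinet web filter policy violation",
    "Fortinet UTM block spike detected - FortiGuard web filter blocking 300+ requests/min "
    "to salesforce.com, IPS alert on category mismatch, fortigate policy action: deny",
]

# Hypothetical allowlist of business-critical SaaS domains (an assumption; maintained by
# the organisation, not a FortiGuard setting). Subdomains of an entry also match.
BUSINESS_CRITICAL_SAAS = {"salesforce.com"}

DOMAIN_RE = re.compile(r"\bto\s+([a-z0-9.-]+\.[a-z]{2,})", re.I)
CATEGORY_RE = re.compile(r"FortiGuard category:\s*([a-z-]+)", re.I)
BLOCK_RATE_RE = re.compile(r"block rate:\s*(\d+)%", re.I)

@dataclass
class Evidence:
    domain: str
    category: Optional[str]     # FortiGuard category named in the message, if any
    block_rate: Optional[int]   # percentage of requests blocked, if stated
    business_critical: bool     # domain or one of its parents is on the allowlist

def parse_event(message):
    """Extract the fields the false-positive decision needs from one UTM message."""
    dom = DOMAIN_RE.search(message)
    if not dom:
        return None
    domain = dom.group(1).lower()
    labels = domain.split(".")
    # All suffixes of the domain except the bare TLD, e.g. my.salesforce.com, salesforce.com
    parents = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    cat = CATEGORY_RE.search(message)
    rate = BLOCK_RATE_RE.search(message)
    return Evidence(domain, cat.group(1).lower() if cat else None,
                    int(rate.group(1)) if rate else None,
                    bool(parents & BUSINESS_CRITICAL_SAAS))

def suspected_false_positive(messages, rate_threshold=50):
    """Return the allowlisted domains that FortiGuard rated malware while the block
    rate reached the threshold; these are candidates for a category override review."""
    flagged = set()
    for ev in filter(None, map(parse_event, messages)):
        if (ev.business_critical and ev.category == "malware"
                and ev.block_rate is not None and ev.block_rate >= rate_threshold):
            flagged.add(ev.domain)
    return sorted(flagged)
```

The second sample message names no category or block rate, so on its own it is not flagged; it only confirms the affected domain.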
Remediation Plan
1. Immediately contact the network/security team to whitelist company.my.salesforce.com in the FortiGate web filter policy.
2. Override the malware categorization for this specific domain in the FortiGuard settings.
3. Review and update web filtering policies to prevent future false positives for business-critical SaaS applications.
4. Consider implementing application-specific bypass rules for essential business services.
5. Monitor FortiGuard category updates and establish a process for quick remediation of false positives.