Yuri Slobodyanyuk Blog on Information Security 2024年09月12日
Black hole routing to the rescue - Fortigate OS 4 surprise

This article describes how to resolve a Fortigate device periodically blocking network traffic. By elimination the author traced the root cause to URL filtering that kept users from reaching Facebook, and proposes black hole routing as the more effective solution. The article also explains step by step how to configure a black hole route on FortiOS 4 and later, and gives a way to verify it.

🤔 When a Fortigate device periodically blocks network traffic, troubleshoot by elimination, disabling components one at a time until the problem disappears. The author found that the problem lay in the URL filtering used to keep users off Facebook, which in turn led to the network bandwidth being consumed.

💡 For this kind of problem, black hole routing is more effective than URL filtering. A black hole route discards traffic to a specific IP address range outright, which prevents users from reaching a particular site such as Facebook.

💻 The article details the steps for configuring a black hole route on Fortigate FortiOS 4 and later, including enabling the blackhole option and setting the destination IP range, and provides a verification method to confirm that the configuration has taken effect.

👣 Through a real case and detailed steps, the author gives readers an effective way to resolve Fortigate traffic blocking and shares black hole routing configuration tips, valuable experience for network administrators.

Many times there is more than one solution to a problem, and the most obvious one is not the best. I reminded myself of this when a Fortigate 60 unit came into my care that was periodically blocking traffic: you get the not-saying-much system alert "..has reached connection limit" and then no traffic passes from LAN to WAN. This is clearly a resource starvation issue caused by users, but you may never know for sure what triggers it. The only way to pinpoint the misbehaving component is by elimination, disabling features one by one until the problem disappears.

For this particular Fortigate it was the URL filtering used to block access to Facebook.com. Unfortunately, once that was disabled, users in the LAN starved the bandwidth by accessing (or rather never leaving) this website. An internal fair use policy issue? Yes, of course, but in this case the only way to implement the policy was by force. So if not URL filtering (the obvious solution), then black hole routing would be the better one, I thought. In this FortiOS 3 I didn't find such an option, and since an upgrade to FortiOS 4 wasn't an option, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP range) on the WAN-facing Cisco router.

In FortiOS 4 and newer you can configure black hole routing with no hassle:

FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable    disable setting
enable     enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 69.63.176.0/20
FG100 (5) # end

Verify:

FG100 # show router static
config router static
    edit 5
        set blackhole enable
        set dst 69.63.176.0 255.255.240.0
    next
end

From a station in the LAN:

# ping 69.63.184.142

PING 69.63.184.142 (69.63.184.142) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable

Facebook IP range:

whois 69.63.176.140

[Querying whois.arin.net]
[whois.arin.net]
OrgName:    Facebook, Inc.
OrgID:      THEFA-3
Address:    156 University Ave, 3rd floor
City:       Palo Alto
StateProv:  CA
PostalCode: 94301
Country:    US
NetRange:   69.63.176.0 - 69.63.191.255
CIDR:       69.63.176.0/20
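The two steps above (read the NetRange from whois, turn it into a blackhole static route, check that a host falls inside it) as an added Python example; this is not code from the post or from Fortinet. It goes one step further than the post: a range that is not CIDR-aligned is split into several blocks, one "edit" each. The NetRange line is the one quoted above, and sequence number 5 and the function names are my own choices.

```python
import ipaddress
from typing import List

# Constructed sample: the NetRange line as returned by ARIN whois in the post.
WHOIS_NETRANGE = "NetRange:   69.63.176.0 - 69.63.191.255"


def parse_netrange(line: str) -> List[ipaddress.IPv4Network]:
    """Turn a whois 'NetRange: a - b' line into the minimal list of CIDR blocks."""
    _, _, value = line.partition(":")
    first, _, last = value.partition("-")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip())
    return list(ipaddress.summarize_address_range(start, end))


def fortios_blackhole_routes(networks, first_seq: int = 5) -> str:
    """Emit a FortiOS 'config router static' stanza with one blackhole route per
    CIDR block. Sequence numbers start at first_seq (pick ones that are free on
    the unit). dst is written as network + netmask, the form that
    'show router static' echoes back."""
    lines = ["config router static"]
    for seq, net in enumerate(networks, start=first_seq):
        lines += [
            f"    edit {seq}",
            "        set blackhole enable",
            f"        set dst {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def is_blackholed(ip: str, networks) -> bool:
    """True if the destination lies inside one of the blackholed blocks.
    Note: a more specific route on the unit would still win by longest-prefix
    match; that interaction is not modelled here."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = parse_netrange(WHOIS_NETRANGE)
    print(fortios_blackhole_routes(nets))
    print("69.63.184.142 blackholed:", is_blackholed("69.63.184.142", nets))
```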

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
