It didn't make sense to me, but the morning after I installed an MX-64 with advanced security, the client site was unable to get to Facebook. It seems to be geoblocking doing it, because once I removed the rule, the users were able to load FB in their browsers.
I had the layer 7 rule configured such that only traffic from the US and Canada was allowed (client site in the US).
I pinged and ran a traceroute to Facebook from the client site; it was a few hops away in a DFW data center (at least the farm my client's network hits). I could ping it and traceroute to it, but could not connect to it on port 80 or 443.
Any idea what I am not seeing?
Take a closer look at the traffic (packet capture) when you load a FB page. You will see it loads content from dozens, if not hundreds, of sites, and many of them may be outside the US.
It is also possible the geolocation database has some incorrect information. Either way, if you try to lock your network down to US and Canada traffic only, you will need to be prepared to start whitelisting things.
And when you block stuff with those layer 7 rules it makes it hard to diagnose what to whitelist because the blocks don't show up in the event logs.
Going to verify with packet captures, but adding Ireland back in did the trick.
I have (on other sites with less restrictive lists) had to add Singapore, Australia, and the UK for all our agents to show up in the WebrootPortal.
A modern web page is made up of lots and lots of components. Many of these components are from third parties. Simply testing access to facebook.com is not sufficient.
My guess is something that the Facebook page is dependent on is falling into the geo block.
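The advice in the two replies above (capture the traffic when the page loads, then work out which third-party destinations fall into the geoblock and whitelist them) can be turned into a small triage script. The following is an added example written for this thread; it is not code from the original posts or from any Meraki tool. It assumes the capture has been exported as tab-separated `ip.dst` and TLS SNI fields, for instance with `tshark -r page.pcap -Y 'tls.handshake.type == 1' -T fields -e ip.dst -e tls.handshake.extensions_server_name` (field name as in recent Wireshark releases; older ones use the `ssl.` prefix). Both the sample capture lines and the prefix-to-country table inside the script are constructed stand-ins; a real run would read a real capture and a real GeoIP database. Because the MX does not log these layer 7 blocks, the capture is the only record of what was actually blocked, which is why the script also flags addresses it cannot map at all, since those are the most likely candidates for a geolocation-database error.

```python
"""Find which destinations loaded by a page fall outside a country allowlist.

Added example for the thread above, not from the original posts or from any
vendor tool. Assumes input lines of the form "ip.dst<TAB>sni" as exported by
tshark (see lead-in). GEO_TABLE and SAMPLE_CAPTURE are constructed test data.
"""
import ipaddress
from collections import defaultdict

ALLOWED_COUNTRIES = {"US", "CA"}

# Constructed geolocation table using documentation prefixes; the countries are
# made up. A real lookup (MaxMind, the firewall's own database) replaces this.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CA"),
    (ipaddress.ip_network("198.51.100.128/25"), "IE"),  # more specific than the /24 above
    (ipaddress.ip_network("192.0.2.0/24"), "SG"),
]

# Constructed capture: one TLS ClientHello per line, "ip.dst<TAB>sni".
# The last two lines exercise a missing SNI and an address not in GEO_TABLE.
SAMPLE_CAPTURE = """\
203.0.113.10\twww.example.com
203.0.113.11\tstatic.cdn.example.net
198.51.100.130\tmedia.cdn.example.net
198.51.100.131\tmedia.cdn.example.net
192.0.2.40\tchat.example.com
198.51.100.5\tconnect.example.net
192.0.2.41\t
198.18.0.9\tmetrics.example.org
"""


def country_for(ip: str):
    """Longest-prefix match of ip against GEO_TABLE; None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def parse_capture(text: str):
    """Yield (dst_ip, sni) pairs; sni is '' when the field was absent."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        ip = parts[0].strip()
        sni = parts[1].strip() if len(parts) > 1 else ""
        yield ip, sni


def triage(text: str, allowed=ALLOWED_COUNTRIES):
    """Group the destinations a geoblock would drop, keyed by country code.

    Returns {country_code: {hostname_or_ip, ...}}. Addresses with no match in
    the table are grouped under "UNKNOWN"; those are the first place to look
    for a geolocation-database error rather than a genuine foreign dependency.
    """
    blocked = defaultdict(set)
    for ip, sni in parse_capture(text):
        cc = country_for(ip)
        if cc in allowed:
            continue
        blocked[cc or "UNKNOWN"].add(sni or ip)
    return dict(blocked)


def countries_to_add(text: str, allowed=ALLOWED_COUNTRIES):
    """Sorted list of countries that would need whitelisting for the page to load fully."""
    return sorted(cc for cc in triage(text, allowed) if cc != "UNKNOWN")


if __name__ == "__main__":
    for cc, names in sorted(triage(SAMPLE_CAPTURE).items()):
        print(f"{cc}: {', '.join(sorted(names))}")
    print("countries to add to the allowlist:", countries_to_add(SAMPLE_CAPTURE))
```

Run it against a real export by replacing `SAMPLE_CAPTURE` with the file contents; the output groups blocked hostnames by country so you can decide between adding a country to the rule (as the poster did with Ireland) or whitelisting individual destinations. Hosts that only appear under `UNKNOWN`, or that resolve to a country you would not expect for that CDN, are the ones worth re-checking against a second geolocation source before changing the rule.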