Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DavidRolfe
New Contributor II

Created on ‎03-01-2024 12:45 PM

Office365 apps hang at launch for timeout ~26 seconds then start

Greetings,

 

I have users on a internal network with Internet access blocked. We have MS Office installed on their workstations and I authorized them on a different vlan *with* internet access. (They're the per-machine perpetual licenses that ship with Dells, so should be fine forever offline.)

 

After replacing a juniper with a fortigate when the no-internet users launch Word or Excel it hangs for roughly 26 seconds and then starts normally. Before installing the fortigate this didn't happen.

 

When I make a rule for these machines that gives them access to the internet the problem goes away, so I'm fairly convinced the problem has to do with Word/Excel phoning home and some kind of keep-alive or time-out issue. The migration was fairly painless and this is one of the only quirks that have come up.

 

Any advice on how to solve this without putting these machines on the Internet?

Labels:
532
0 Kudos
1 Solution
johnathan
Staff
Staff

Created on ‎03-06-2024 12:20 PM

In my homelab, I block all connections going to AWS, Azure, Microsoft, etc. What I find is that some websites will take a very long time to load, as the browser is waiting for a timeout. If you actually set 'send-deny-packet enable' on a deny firewall policy, it will send a RST to the client instead of forcing it to timeout. What I would do in your case is make a deny policy from that device to the WAN, and then set that option. It should solve the issue.

View solution in original post

411
9 REPLIES 9
AEK
SuperUser
SuperUser

Created on ‎03-02-2024 04:10 AM

Hi David

Can these no-internet users resolve public FQDNs? If so, can you try point your clients to a local-only DNS server and do the test again?

AEK
AEK
491
DavidRolfe
New Contributor II
In response to AEK

Created on ‎03-04-2024 01:52 PM

Yes, they can resolve fqdns, and they only use DNS from the domain controller.

 

New wrinkle: When logged into the same machine as local admin the problem goes away (i.e., Excel launches immediately, how is the firewall implicated?), but the problem comes back when you log in as a domain user. The GPOs are the same whether a domain user is logged in or not, they are applied at the OU. Problem persists when a machine is moved to an empty test OU and logged in on domain. I'm totally stumped.

447
0 Kudos
AEK
SuperUser
SuperUser
In response to DavidRolfe

Created on ‎03-04-2024 10:14 PM

Can you try disconnecting the PC from the network and do the test again?

AEK
AEK
437
DavidRolfe
New Contributor II
In response to AEK

Created on ‎03-06-2024 11:32 AM

Sorry, I've been putting out other fires.

 

Current status is this, the local admin was a red-herring. On some boxes local admin doesn't have the problem and on others it does.

 

Disconnecting the PC from the network does solve it!! But I guess we already know it's some kind of search or timeout across the network that causes the problem.

417
0 Kudos
AEK
SuperUser
SuperUser
In response to DavidRolfe

Created on ‎03-06-2024 01:32 PM

Good.. that's why I suggested to configure you non-internet client with a DNS server that doesn't resolve internet addresses.

If you can't do that then as it is a Microsoft related issue, not FortiGate related issue, I'm pretty sure it is a known issue and should have some workaround available in Microsoft forums.

AEK
AEK
402
johnathan
Staff
Staff

Created on ‎03-06-2024 12:20 PM

In my homelab, I block all connections going to AWS, Azure, Microsoft, etc. What I find is that some websites will take a very long time to load, as the browser is waiting for a timeout. If you actually set 'send-deny-packet enable' on a deny firewall policy, it will send a RST to the client instead of forcing it to timeout. What I would do in your case is make a deny policy from that device to the WAN, and then set that option. It should solve the issue.

412
DavidRolfe
New Contributor II
In response to johnathan

Created on ‎03-07-2024 05:32 AM

Thanks, this is what I was expecting, and presume the version of this rule on the Juniper was doing that and the migrated rule on the Fortinet isn't. I'll look in that direction.

 

Thanks again.

371
0 Kudos
DavidRolfe
New Contributor II
In response to DavidRolfe

Created on ‎03-07-2024 06:33 AM

Confirmed this as the solution, thanks again. The default deny-all policy we were letting these guys run into doesn't let you set the send-deny-packet. I got rid of the ISDB deny rule for Office 365 and made a new blanket deny-internet rule with send-deny-packet and it's working as expected.

 

Is it not the default because it's bad practice? If it's OK pass it along to the guys maintaining the migration tool that Juniper SRX default-deny resets connections but Fortinet will need a rule to mimic that.

358
0 Kudos
johnathan
Staff
Staff
In response to DavidRolfe

Created on ‎03-07-2024 07:02 AM

Ehhhh, I mean it is technically granting more visibility into what is and isn't specifically blocked. Timing out as default is the safer option, as it does not confirm a specific resource exists. Glad to see it solved the issue in our case.

353
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.