- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL Deep Inspection broken?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Deep Inspection broken?
Hello Community,
I have the following constellation:
I have Fortigate that connects to the internet via SDWAN with two or ore isp and with Health Check enabled. Works fine so far.
I have a policy that allows clients coming from a subnet connected to the FGT to connect to the internet.
It is not limited by shaper or services but it does have utm features enabled: webfilter, urlfilter and ssl deep inspection (for to filtr https pages). This also used to work fine.
Until I upgraded to 5.6.11 or higher :\
from 5.6.11 on ssl deep inspection stopped working. It is still enabled but users keep getting only SSL_PROTOCOL_ERROR when they try to acces https pages.
I opened a ticket with TAC and send them my config. They said config is fine and they cannot reproduce it. Also I did a test in a non productive subnet on one Site and failed to reproduce the issue too. It worked fine here.
But as I turned SSL deep inspection back on for the productive subnets the clients again encountered the above issue :\
Does anyone have any idea or advice about what could cause this?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you do your tests with the same client(s)? as they seem to stand out here. do they still trust the correct CA certificate? is there something else on those clients (security software that checks for SSL tampering) or in the network towards to FortiGate?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm yes clients know our CA and trust it.
I tested on a vm in the same subnet (but different ip range within that subnet) withoout problems.
The only thing I still a not sure atm is if on that vm there was our antivirus suite deployed.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok I've resteded this here on my client that has the very same av suite installed. I encountered no problems with deep inspection here s far. So seems not to be blamed on the av suite.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so say your clients are in subnet 10.10.0.0/16
you have a firewall policy 10.10.0.0/16 to internet with SSL deep / full inspection
these clients have an inspection problem
if you setup a VM ware in the same 10.10.0.0/16 then it works fine?
i really would recheck those clients then, because if the above is the case then the difference is in the clients, not in the FortiGate or its config.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To stay with your example, boneyard:
clients are in 10.10.0.0/24
there is a policy 10.10.0.0/24 to internet via sd-wan with webfilter and SSL Deep Inspection enabled.
these clients have the issue I mentioned.
For testing I now used my client here (as windows and av is the same). Let's say my client has 10.10.0.1.
So I created a policy 10.10.0.1 to internet via sd-wan with webfilter and SSL Deep Inspetion enabled. I placed this before the above policy to have it match first (as policies are first come first serve).
On my Client everything worked fine. I didn't encounter the above issue with Deep Inspection.
I also did the same at annother side before just wth a vm instead of a physical client. Thus the vm has the same setup, it is just a virtual client for testing purposes. I did not encounter the issue there too.
What now came to my mind is that this could be a 5.6.11 only issue since in the meantime I've upgraded some FGT to 6.0.7 (or now to 6.0.8). Among those is ours here where my client is connected.
So could be that this is gone in 6.x probably. I might have to test this again when I've finished updating all FGT and the adom in Fortimanager. Before that I cannot roll out anything centrally.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Limited Network 180 Views
- Deep inspection with streaming media 172 Views
- Setting SSL/SSH inspection profile causes most... 247 Views
- Issues with Firewall Policies for RDP... 453 Views
- FortiOS 7.4.3 - 112 Cloud Applications... 225 Views
Labels
-
FortiGate
6,593 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.