5.6.0 breaks deep packet inspection

gsarica
2017/05/22 06:26:04


Going to open a ticket on this as well but wanted to see if anyone else had this same issue. Did the upgrade from 5.4.3 to 5.6.0 and as far as I can tell nothing changed in our policies except the deep packet inspection profile was automatically renamed from 'deep-inspection' to '__upg_deep-inspection' for some reason. Applications like Skype and Outlook are no longer connecting even though exceptions are in the list and it worked before the upgrade. Also going to certain websites will display a 'webpage is not available' error quickly before refreshing and finally going to the site.
#1

17 Replies

    Chuck
    Re: 5.6.0 breaks deep packet inspection 2017/09/23 06:36:39
    I have the same issue. On 5.6.2 it sometimes works, but very slowly. Did you ever find an answer?
    #2
    gsarica
    Re: 5.6.0 breaks deep packet inspection 2017/09/25 05:34:58
    Sort of. I had to go through each app that wasn't working and find lists of exceptions to add on their websites. Never got an answer as to why they all worked in 5.4 without the added exceptions but not in 5.6.
    #3
    hmtay_FTNT
    Re: 5.6.0 breaks deep packet inspection 2017/09/25 07:17:18
    Hello gsarica,
     
    Can you check what is the name of the CA Certificate that was imported onto your environment? If you have been upgrading your Fortigate from the older OS versions, there's some chance you are using the "Fortinet_CA_SSLProxy" Certificate - it's kept in newer FortiOS upgrades for compatibility purposes. 

    In FortiOS 5.6, the default profiles for certificate-inspection and deep-inspection use the "Fortinet_CA_SSL" certificate. If you have been using the default profile while the certificate you imported previously was "Fortinet_CA_SSLProxy", that would explain why deep-inspection is not working correctly and applications are not working.
     
    Homing
    #4
    gsarica
    Re: 5.6.0 breaks deep packet inspection 2017/09/25 07:25:09
    Thanks, the issue didn't have to do with the certificate being used. For example, the GoTo products like GoToMeeting and GoToAssist all worked fine in 5.4.2 with deep inspection enabled with only a minimum of exceptions; I think we had *.gotomeeting.com and only a couple of others. Upgrading to 5.6 stopped them all from working. I had to add almost 40 exceptions found here:
     
    http://support.citrixonline.com/en_us/meeting/all_files/G2M060010
     
    Once I added all of them the apps worked again. Why they worked before the upgrade is beyond me.
    #5
    khalilysf
    Re: 5.6.0 breaks deep packet inspection 2019/01/22 02:19:20
    I have the same issue. Did you find any answer to the problem?
    #6
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2019/07/23 03:28:58
    Hi everyone
     
    We also have this issue in our environment. Ever since we upgraded to FortiOS 5.6.x, we often experience that a website does not load at first but then it loads without a problem after a refresh. There are no certificate warnings - that is not the problem. We have experienced this on all builds of the 5.6.x branch so far. We have never had this problem on FortiOS 5.4.
     
    I opened a ticket with Fortinet Support a while ago but they were not able to assist as I simply could not provide the log files they requested. It is very challenging to capture this event as it cannot be reproduced, at least not in our environment. It seems to happen intermittently.
     
    Just wondering if anyone here ever found a solution? Has anyone experienced this issue on FortiOS 6.0.x?
     
    Thanks,
    Stefan
    #7
    rliessi
    Re: 5.6.0 breaks deep packet inspection 2019/08/12 12:26:46
    @st3fan, did you find a solution? I have the same problem, sometimes we need to refresh to load the website.
     
    Thanks,
    #8
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2019/08/13 00:54:17
    Hi rliessi
     
    No, unfortunately we have not found a solution yet.
     
    Regards
    Stefan
    #9
    rliessi
    Re: 5.6.0 breaks deep packet inspection 2019/08/13 03:05:54
    Ok. Thanks.
    #10
    muhkida
    Re: 5.6.0 breaks deep packet inspection 2019/08/15 15:25:50
    We are having an issue where previously logged application signatures like "Microsoft.Portal", "OneDrive", "Facebook" etc. are no longer being logged after upgrading from 5.4.9 to 5.6.10. These signatures are now being reported/logged as "unknown" applications. This does not seem to be an issue on 5.6.8 or 5.6.9, however. We want to stay on 5.6.10 to mitigate multiple CVEs, but the application logging is concerning.
     
    Has anyone else noticed this on 5.6.10?
    #11
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2019/09/30 22:51:30
    FYI, I recently updated from FortiOS 5.6.11 to FortiOS 6.0.6 and have not encountered the issue anymore. All HTTPS websites load properly now. DPI seems to work well on FortiOS 6.0.6.
    #12
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2020/03/04 02:03:52
    FYI, it seems the problem started again on FortiOS 6.0.9. Websites sometimes do not load on the first attempt and are only displayed after a refresh, so exactly the problem we had pre-FortiOS 5.6.11. I am seeing this on FortiGate 201E, 301E and 51E. Everything was still fine on FortiOS 6.0.8 and all the other versions of the 6.0.x branch, actually. The problem only started again with FortiOS 6.0.9.
     
    Is anyone else seeing this?
    #13
    kubimike
    Re: 5.6.0 breaks deep packet inspection 2020/03/04 07:06:49
    Don't upgrade to 6.2.3, deep inspection is totally broken for me. I'm using transparent proxy. I was on version 6.0.8 and it had no issues.
    #14
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2020/09/28 12:54:49
    We are now on FortiOS 6.0.10 and are still experiencing this problem. There are intermittent delays when HTTPS websites are opened. We see this in all browsers. In e.g. Google Chrome we see "Waiting for website.com..." in the bottom left corner. Sometimes it takes 10-15 seconds before anything appears at all.
     
    Quite difficult to reproduce this but I have excluded a few common HTTPS websites from DPI (added these domains to the SSL exemption list) and the problem went away for those websites - so this definitely points to SSL/Deep Packet Inspection. We use proxy-based inspection (cannot switch to flow-based inspection due to certain security profiles that only work in proxy-mode). On the IPv4 policy we also enable Web Filter, AntiVirus and Intrusion Prevention security profiles.
     
    If anyone has any ideas how to resolve this, please let me know. I have not updated to FortiOS 6.0.11 yet but I doubt this will fix anything as this has been broken for a while. I have also been thinking about updating to FortiOS 6.2.5. Does anyone have any information whether or not this is working better on FortiOS 6.2.5?
    #15
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2020/11/17 04:15:07
    FYI, just in case anyone else is experiencing this:
    The problem was caused by packet loss between FortiGate and FortiGuard. In "System - FortiGuard" we changed the "FortiGuard Filtering Protocol" from HTTPS to UDP. Using HTTPS we experienced high packet loss in almost all branches (run diagnose debug rating). Using UDP there is hardly any packet loss. The performance difference between HTTPS and UDP is incredible. Websites load instantly now. However, we would obviously like to use HTTPS, so we are still investigating.
    #16
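    The protocol change described in the post above, written out as a FortiOS CLI session. This is an added illustration, not the poster's own commands; the `config system fortiguard` / `set protocol` syntax is assumed from the FortiOS 6.0 CLI and should be checked against the release's CLI reference, and lines starting with # are explanatory comments rather than CLI input.

```text
# Added example (assumed FortiOS 6.0 CLI syntax): check how the FortiGate reaches
# FortiGuard, then switch the rating protocol from HTTPS to UDP as post #16 describes.

# 1. Inspect the current FortiGuard settings (only non-default values are shown).
show system fortiguard

# 2. Measure rating-server reachability before the change. The post reports high
#    packet loss over HTTPS here; note the loss and latency figures for comparison.
diagnose debug rating

# 3. Switch the filtering protocol. UDP was the workaround in the thread; HTTPS is
#    the encrypted option the poster still prefers, so treat this as a trade-off
#    (faster, unencrypted rating lookups) rather than a fix for the underlying loss.
config system fortiguard
    set protocol udp
end

# 4. Re-run the reachability check and compare packet loss with the figures from step 2.
diagnose debug rating
```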
    boneyard
    Re: 5.6.0 breaks deep packet inspection 2020/11/18 01:32:23
    Have you looked into using anycast instead of regular HTTPS?
     
    So far that seems to work better, but still not as well as UDP.
    #17
    st3fan
    Re: 5.6.0 breaks deep packet inspection 2020/11/18 06:26:29
    We are still on FortiOS 6.0.10 and anycast is not supported on this build as far as I know. Pity.
    #18