Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BBoozer
New Contributor

SSL inspection cause IE to give TLS errors

Our locations are locked down by their FortiGates fairly rigidly (FortiOS 5.0.14). We have one site that has recently been being blocked that is regularly used (www.concursolutions.com). This has always been part of our web filter whitelist. We are finding that It can only be gotten through the firewall when SSL inspection is disabled. I have tried adding policies before the primary internet traffic policy point to the site as well as its CRL location, and it DNS records IP address for both default and www (point to Microsoft). None of this works. TLS is already all checked by default at all locations in IE (no other browser can be installed, nor do they have permission to do so). Since it is below 5.2, there is no way to add SSL inspection exemptions. Any thoughts on how to achieve this would be greatly appreciated. 

5 REPLIES 5
emnoc
Esteemed Contributor III

Did you  run  diag debug flow? Why are you  on 5.0.14?  Can you get into 5.2.12?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
BBoozer
New Contributor

No, I did not, and upgrading 350 firewalls for a web page is out of the question. What could be garnered by this?
emnoc
Esteemed Contributor III

 

No, I did not, and upgrading 350 firewalls for a web page is out of the question. What could be garnered by this?

 

 

Staying current  within FortiOS,  for one.

Using a  version that more new and current,  for two.

Using a version of firmware that still under development,  for three.

Using a version of firmware that has made numerous fixes & in regards to ssl-inspection,   for four.

I'm sure v5.0.x train is  End or life and|or develpoment, for  my fifth and last reason

 

Do I need to list more reasons? Since it this one, I would start with a  diag debug flow and see what the output shows

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
BBoozer
New Contributor

I was referring to running the command. As stated, upgrading at this juncture is a moot point.

emnoc
Esteemed Contributor III

The cli diag debug flow will show possible issues that you can't see from just  a enduser error. Since v5.0.14 is old , I would look at and analyze any diag debug flow output

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Labels
Top Kudoed Authors