Support Forum
MBR
New Contributor III

Web Filter not working correctly when Site-to-Site VPN is used

I ran into an issue where a working web filter no longer works on several sites when the connection between two sites is switched to an IPSEC VPN instead of a native MPLS link.

So

Working situation:

Site B -> MPLS Link -> Site A -> Policy with Web Filter -> Internet

Non working situation:

Site B -> IPSEC VPN -> Site A -> Policy with Web Filter -> Internet

As soon as I disable the web filter in the IPSEC config, the problem sites work properly. When routed over the VPN, these sites stop working.

Does anyone have any clue what can cause this issue?

Both Fortigates are running FortiOS 5.6.5.

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

Gerald_GBO
New Contributor

Hi,

I have exactly the same issue between a Fortigate 100D (v5.6.3) and a Fortigate 61E (v5.6.4 build1575 (GA)).

An IPSec VPN tunnel is established between the two Fortigates, and all traffic, including web browsing, passes through it.

All access rules are managed on the 100D in our datacenter. Web filtering is enabled for traffic from non-VPN sites to the internet and everything works fine.

On the zone for VPN sites to the internet, as soon as I enable the web filter, it is impossible to reach a website.

Does anyone have a clue?

 

Thanks a lot.

MBR
New Contributor III

Hi Gerald,

I have some info for you after some extensive troubleshooting today.

You can workaround this problem when you change the web filter from proxy based to flow based scanning.

So probably you can use that as workaround as we did.

Fortinet is currently researching why this issue arises when using proxy-based web filters in combination with IPsec VPN backhauls for internet traffic.

I will inform you when I get feedback from Fortinet support.

Please let me know if this flow-based workaround is workable for you.

If you would like to open a ticket at Fortinet, you may refer to my case number: #3028085

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

aldolopez
New Contributor II

All Internet or specific sites? Is there a match with your policy?

MBR
New Contributor III

A lot of sites don't work properly. Some simple sites work.

Fortinet has researched this problem and found out that this is an issue with the filter in combination with fragmented packets. For now I have decreased the MTU size to 1300, after which the filter works properly.

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D
