Web Filter not working correctly when Site-to-Site VPN is used

Author
MBR
Bronze Member
  • Total Posts : 53
  • Scores: 2
  • Reward points: 0
  • Joined: 2014/06/20 04:13:26
  • Status: offline
2018/11/29 00:13:42 (permalink)

Web Filter not working correctly when Site-to-Site VPN is used

I ran into an issue where a working web filter stops working on several sites when the connection between two sites is switched to an IPsec VPN instead of a native MPLS link.

Working situation:
Site B -> MPLS Link -> Site A -> Policy with Web Filter -> Internet

Non-working situation:
Site B -> IPsec VPN -> Site A -> Policy with Web Filter -> Internet

As soon as I disable the web filter in the IPsec config, the problem sites work properly. When routed over the VPN, these sites stop working.
 
Does anyone have any clue what can cause this issue?
 
Both FortiGates are running FortiOS 5.6.5.

- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
#1


    Gerald GBO
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/11/29 08:35:19
    • Status: offline
    Re: Web Filter not working correctly when Site-to-Site VPN is used 2018/11/29 08:45:12 (permalink)
    Hi,
     
    I have exactly the same issue between a FortiGate 100D (v5.6.3) and a FortiGate 61E (v5.6.4 build 1575 (GA)).
    An IPsec VPN tunnel is established between the two FortiGates, and all traffic, including web browsing, passes through it.
     
    All access rules are managed on the 100D in our datacenter. Web filtering is enabled for traffic from non-VPN sites to the Internet and everything works fine.
    On the zone from VPN sites to the Internet, as soon as I enable the web filter, it is impossible to reach a website.
     
    Does anyone have a clue?
     
    Thanks a lot.
    #2
    MBR
    Re: Web Filter not working correctly when Site-to-Site VPN is used 2018/11/29 11:39:11 (permalink)
    Hi Gerald,
    I have some info for you after some extensive troubleshooting today.
    You can work around this problem by changing the web filter from proxy-based to flow-based scanning.
    So you can probably use that as a workaround, as we did.
    Fortinet is currently researching why this issue arises when using proxy-based web filters in combination with IPsec VPN backhauls for Internet traffic.
     
    I will inform you when I get feedback from Fortinet support.
    Please let me know if this flow-based workaround is workable for you.
     
    If you would like to open a ticket at Fortinet, you may refer to my case number: #3028085

    - MBR -
    NSE1, NSE2, NSE3
    FGT60D/E, FWF60D/E, FGT200D
    #3