Web Filter not working correctly when Site-to-Site VPN is used

Author: MBR
2018/11/29 00:13:42

I ran into an issue where a working web filter stops working on several sites when the connection between two sites is switched to an IPsec VPN instead of a native MPLS link.

Working situation:
Site B -> MPLS Link -> Site A -> Policy with Web Filter -> Internet
Non-working situation:
Site B -> IPsec VPN -> Site A -> Policy with Web Filter -> Internet

As soon as I disable the web filter in the IPsec config, the problem sites work properly. When routed over the VPN, these sites stop working.

Does anyone have any clue what can cause this issue?

Both FortiGates are running FortiOS 5.6.5.

- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
#1

4 Replies

    Gerald GBO
    Re: Web Filter not working correctly when Site-to-Site VPN is used 2018/11/29 08:45:12
    Hi,
     
    I have exactly the same issue between a FortiGate 100D (v5.6.3) and a FortiGate 61E (v5.6.4 build1575 (GA)).
    An IPsec VPN tunnel is established between the two FortiGates, and all the traffic, including web browsing, passes through it.
     
    All access rules are managed on the 100D in our datacenter. Web filtering is enabled for traffic from non-VPN sites to the internet and everything works fine.
    On the zone from VPN sites to the internet, as soon as I enable Web Filter, it is impossible to reach a website.
     
    Does anyone have a clue?
     
    Thanks a lot.
    #2
    MBR
    Re: Web Filter not working correctly when Site-to-Site VPN is used 2018/11/29 11:39:11
    Hi Gerald,
    I have some info for you after some extensive troubleshooting today.
    You can work around this problem by changing the web filter from proxy-based to flow-based scanning.
    So you can probably use that as a workaround, as we did.
    Fortinet is currently researching why this issue arises when using proxy-based web filters in combination with IPsec VPN backhauls for internet traffic.
     
    I will inform you when I get feedback from Fortinet support.
    Please let me know if this flow-based workaround is workable for you.
     
    If you would like to open a ticket at Fortinet, you may refer to my case number: #3028085

    - MBR -
    NSE1, NSE2, NSE3
    FGT60D/E, FWF60D/E, FGT200D
    #3
    aldolopez
    Re: Web Filter not working correctly when Site-to-Site VPN is used 2018/12/31 10:53:07
    All Internet or a specific site? Is there a match with your policy?
     
    #4
    MBR
    Re: Web Filter not working correctly when Site-to-Site VPN is used 2019/01/07 02:25:48
    A lot of sites don't work properly. Some simple sites work.
    Fortinet has researched this problem and found out that this is an issue with the filter in combination with fragmented packets. For now I have decreased the MTU size to 1300, after which the filter works properly.

    - MBR -
    NSE1, NSE2, NSE3
    FGT60D/E, FWF60D/E, FGT200D
    #5
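To show why a lower MTU avoids the fragmentation MBR describes, here is an added worked example (not code from the thread, from Fortinet, or from FortiOS) that estimates the on-wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation and checks whether it still fits the outer link. The AES-CBC/HMAC-SHA1-96 transform, the optional NAT-T header and the 1500-byte outer MTU are assumptions; the 1300-byte value is the one from the thread.

```python
# Added example, not from the thread. ESP tunnel-mode overhead for an
# assumed AES-CBC + HMAC-SHA1-96 transform; sizes are protocol constants.
OUTER_IP_HDR = 20      # new outer IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
AES_CBC_IV = 16        # explicit IV for AES-CBC
ESP_TRAILER = 2        # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12  # truncated HMAC-SHA1 integrity check value
NAT_T_UDP_HDR = 8      # UDP/4500 header when NAT traversal is active
AES_BLOCK = 16         # cipher block size the padding must align to


def esp_padding(inner_len: int, block: int = AES_BLOCK) -> int:
    """Bytes of padding so (inner packet + trailer) is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the wire for an inner packet of inner_len bytes."""
    size = (OUTER_IP_HDR + ESP_HDR + AES_CBC_IV + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + HMAC_SHA1_96_ICV)
    return size + (NAT_T_UDP_HDR if nat_t else 0)


def fragments(inner_len: int, outer_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if the encapsulated packet exceeds the outer MTU and must be fragmented."""
    return esp_tunnel_size(inner_len, nat_t) > outer_mtu


def max_inner_mtu(outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner packet the tunnel carries without fragmenting.

    Because padding rounds up to the block size, this is the largest n such that
    the padded payload still fits, not simply outer_mtu minus a fixed overhead.
    """
    return max(n for n in range(outer_mtu + 1)
               if esp_tunnel_size(n, nat_t) <= outer_mtu)


if __name__ == "__main__":
    # Compare the default 1500-byte inner MTU with the 1300 used in the thread.
    for inner in (1500, 1300):
        print(f"inner {inner} -> on-wire {esp_tunnel_size(inner)} "
              f"fragments={fragments(inner)}")
    print("largest unfragmented inner packet:", max_inner_mtu())
    print("... with NAT-T:", max_inner_mtu(nat_t=True))
```

Lowering the inner MTU further than `max_inner_mtu()` returns, as MBR did with 1300, leaves headroom for NAT-T or larger integrity check values without the tunnel fragmenting.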