gsarica
New Member
May 22, 2017
Question

5.6.0 breaks deep packet inspection

Going to open a ticket on this as well but wanted to see if anyone else had this same issue. Did the upgrade from 5.4.3 to 5.6.0 and as far as I can tell nothing changed in our policies except the deep packet inspection profile was automatically renamed from 'deep-inspection' to '__upg_deep-inspection' for some reason. Applications like Skype and Outlook are no longer connecting even though exceptions are in the list and it worked before the upgrade. Also going to certain websites will display a 'webpage is not available' error quickly before refreshing and finally going to the site.

    Chuck
    New Member
    September 23, 2017

    I have the same issue. On 5.6.2 it sometimes works but very slowly. Did you ever find an answer?

    gsarica
    Author
    New Member
    September 25, 2017

    Sort of. I had to go through each app that wasn't working and find lists of exceptions to add on their websites. Never got an answer as to why they all worked in 5.4 without the added exceptions but not in 5.6.

    hmtay_FTNT
    Staff
    September 25, 2017

    Hello gsarica,

    Can you check what the name of the CA Certificate is that was imported onto your environment? If you have been upgrading your FortiGate from the older OS versions, there's some chance you are using the "Fortinet_CA_SSLProxy" Certificate - it's kept in newer FortiOS upgrades for compatibility purposes. In FortiOS 5.6, the default profiles for certificate-inspection and deep-inspection use the "Fortinet_CA_SSL" certificates. If you have been using the default profile while the Certificate you imported previously was "Fortinet_CA_SSLProxy", that would explain why deep-inspection is not working correctly and applications are not working.

    Homing