Jirka1
Explorer II
January 28, 2022
Question

7.0.4 - break Proxy inspection

  • January 28, 2022
  • 21 replies
  • 36100 views

Hello,

Yesterday I upgraded an FG200E to version 7.0.4.

In the previous version, 7.0.1, I used proxy inspection + SSL deep inspection (certificate signed from AD). After the update (7.0.1 -> 7.0.3 -> 7.0.4) all policies in Proxy mode stopped working. Each browser returned an "err_ssl_protocol_error" error, but e.g. IMAPS and SMTPS worked well.
Once I adjusted the Policy to flow (and all UTMs), everything worked.

There wasn't much time to find out why it behaves like this; I'll continue this weekend.

Has anyone tried to deploy 7.0.4?

Jirka

21 replies

Jirka1 (Author)
Explorer II
January 28, 2022

I did some more tests:

- the problem only appears when applying an APP or IPS profile on Proxy policy
- I tried to create a new Policy - no change
- I tried to change Deep Inspection to Certification Inspection - no change
- everything is functional only with AV and WEB filtering

Jirka

 

Hmichel
Visitor III
January 29, 2022

Hi,

Same here with a 601E. The workaround was to change SSL inspection from deep inspection to certificate inspection. The weird thing is that I patched yesterday at 17:00 but it stopped working today at 13:00. No difference with flow or proxy based policies. No difference if I disable webfilter, AC, AV … My only chance was to disable deep inspection.

EDIT: deep inspection works in flow-based mode.

Hagen

Jirka1 (Author)
Explorer II
January 29, 2022

Hi Hagen,

That's exactly how it worked for me. After the update everything worked, but over time the Proxy Policy stopped working. So certification inspection doesn't work for me either.
Last night I tried formatting the box, installing 7.0.4 and restoring the configuration. It worked again for a while, and this morning I'm getting "ERR_CONNECTION_CLOSED" from browsers (Chrome, Edge, Firefox).
I have also created a ticket with TAC and am waiting for a response.

Jirka

CorreyAnderson
New Member
January 30, 2022

No idea about it so far. But I would like to learn more. Thank you so much!

Kangming
Staff
January 31, 2022

Hi Jirka1,

I found a similar scenario. Does your environment match this issue?

=========

Traffic is blocked when an AV profile is enabled in proxy inspection mode + IPSec scenario with NPU offloading enabled
Workaround: disable NPU offload in the affected firewall policy

=========

Jirka1 (Author)
Explorer II
January 31, 2022

Hi Kangming,

No, this workaround doesn't work for me.

Paradoxically, the Proxy policy only works with my AV profile for me. If I add APP or IPS, I end up with the browser error "ERR_CONNECTION_CLOSED". And it doesn't matter if I use deep inspection or certification inspection.

Likewise, disabling offload has no effect.

Jirka

Kangming
Staff
January 31, 2022

Hi Jirka,

OK, I am reproducing this issue in my FGT401E environment. Can you share the configuration of your proxy policy with me?

DVarouxis
New Member
February 2, 2022

Hello,

Same issue for my 100E on 7.0.4. I had to change to Flow Mode to start browsing. I had created other UTM profiles from scratch in Proxy, which worked for a couple of hours and then gave the same err_ssl_protocol_error. This is very important for us who are using deep inspection, and I hope the fix is released soon. Moving to Flow is just a temporary solution, but it breaks the security. Come on Support.. you fix something and you always break something that works in the last 2 years' updates.

itserv
New Member
February 2, 2022

Hi,

Just to add my info on 7.0.4 on an FG300E:

I get an error on every policy in proxy mode where application control is enabled.

I had to either disable application control or switch to flow mode.

Changing SSL inspection didn't help.

Bye.

ClaudioPersico
New Member
February 3, 2022

We have the same issue and we had to switch to flow mode. We urgently need to switch back to proxy mode. Thanks

dclabs
Visitor III
February 3, 2022

Same issue for us too.

We either had to switch to flow mode or, worse, disable SSL inspection to get it back to work.

notrixx
New Member
February 3, 2022

Same problem here. FG600E running 7.0.4.

We have to disable app and IPS inspection on policies using proxy mode to be able to browse the web.

dtesarik
Visitor III
February 3, 2022

We have the same problems on FG1000D. Rollback to 7.0.3.