sw2090
SuperUser
December 6, 2019
Question

SSL Deep Inspection broken?


Hello Community,
I have the following constellation:

I have a FortiGate that connects to the internet via SD-WAN with two or more ISPs and with Health Check enabled. Works fine so far.

I have a policy that allows clients coming from a subnet connected to the FGT to connect to the internet.

It is not limited by shaper or services, but it does have UTM features enabled: webfilter, URL filter and SSL deep inspection (to filter HTTPS pages). This also used to work fine.

Until I upgraded to 5.6.11 or higher :\

From 5.6.11 on, SSL deep inspection stopped working. It is still enabled, but users keep getting only SSL_PROTOCOL_ERROR when they try to access HTTPS pages.

I opened a ticket with TAC and sent them my config. They said the config is fine and they cannot reproduce it. I also did a test in a non-productive subnet on one site and failed to reproduce the issue too. It worked fine there.

But as I turned SSL deep inspection back on for the productive subnets, the clients again encountered the above issue :\

Does anyone have any idea or advice about what could cause this?

    1 reply

    boneyard
    Valued Contributor
    December 7, 2019

    Did you do your tests with the same client(s)? As they seem to stand out here. Do they still trust the correct CA certificate? Is there something else on those clients (security software that checks for SSL tampering) or in the network towards the FortiGate?

    sw2090 (Author)
    SuperUser
    December 9, 2019

    Hm, yes, clients know our CA and trust it.

    I tested on a VM in the same subnet (but a different IP range within that subnet) without problems.

    The only thing I am still not sure about atm is whether our antivirus suite was deployed on that VM.

    sw2090 (Author)
    SuperUser
    December 9, 2019

    OK, I've retested this here on my client, which has the very same AV suite installed. I encountered no problems with deep inspection here so far. So it seems not to be blamed on the AV suite.