MBR
New Member
November 29, 2018
Question

Web Filter not working correctly when Site-to-Site VPN is used

  • November 29, 2018
  • 2 replies
  • 7238 views

I ran into an issue where a working web filter is not working anymore on several sites when the connection between two sites is switched to IPsec VPN instead of a native MPLS link.

So

Working situation:

Site B -> MPLS Link -> Site A -> Policy with Web Filter -> Internet

Non-working situation:

Site B -> IPsec VPN -> Site A -> Policy with Web Filter -> Internet


As soon as I disable the web filter in the IPsec config, the problem sites are working properly. When routed over VPN, these sites stop working.


Does anyone have any clue what can cause this issue?


Both FortiGates are running FortiOS 5.6.5.


    Gerald_GBO
    New Member
    November 29, 2018

    Hi,


    I have exactly the same issue between a FortiGate 100D (v5.6.3) and a FortiGate 61E (v5.6.4 build1575 (GA)).

    An IPsec VPN tunnel is established between the two FortiGates, and all the traffic, including web browsing, passes through it.


    All access rules are managed on the 100D in our datacenter. Web filtering is enabled for traffic from non-VPN sites to the internet and everything works fine.

    On the VPN sites zone to the internet, as soon as I enable the web filter, it is impossible to reach a website.


    Does anyone have a clue?


    Thanks a lot.

    MBR (Author)
    New Member
    November 29, 2018

    Hi Gerald,

    I have some info for you after some extensive troubleshooting today.

    You can work around this problem when you change the web filter from proxy-based to flow-based scanning.

    So probably you can use that as a workaround, as we did.

    Fortinet is currently researching why this issue arises when using proxy-based web filters in combination with IPsec VPN backhauls for internet traffic.


    I will inform you when I get feedback from Fortinet support.

    Please let me know if this flow-based workaround is workable for you.


    If you would like to open a ticket at Fortinet, you may refer to my case number: #3028085

    aldolopez
    New Member
    December 31, 2018

    All internet or specific sites? Are there matches with your policy?


    MBR (Author)
    New Member
    January 7, 2019

    A lot of sites don't work properly. Some simple sites work.

    Fortinet has researched this problem and found out this is an issue with the filter in combination with fragmented packets. For now I have decreased the MTU size to 1300, after which the filter works properly.
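The last reply attributes the failure to fragmented packets and reports that lowering the MTU to 1300 made the filter work. The script below is an added example, not code from any poster in this thread or from Fortinet: it computes how large an inner IPv4 packet becomes once an IPsec gateway wraps it in ESP tunnel mode, and shows why a full-size 1500-byte inner packet cannot cross a 1500-byte WAN link without being fragmented while a 1300-byte one can. The cipher parameters (AES-CBC with a 16-byte IV and block size, HMAC-SHA1-96 with a 12-byte ICV), the optional NAT-T UDP header and the 1500-byte link MTU are assumptions chosen for illustration; the thread does not state which proposal the tunnels used.

```python
"""Added example (not from the thread): IPsec ESP tunnel-mode size calculator.

Estimates the on-the-wire size of an inner IPv4 packet after ESP tunnel-mode
encapsulation and whether that size exceeds the MTU of the link carrying the
tunnel. The cipher parameters are assumptions; the thread does not state them.
"""

IPV4_HEADER = 20   # outer IPv4 header added by tunnel mode
UDP_HEADER = 8     # extra UDP header when NAT traversal (UDP/4500) is in use
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, cipher_block=16, iv_len=16, icv_len=12, nat_t=False):
    """Return the size in bytes of the ESP tunnel-mode packet carrying inner_len.

    inner_len    - length of the original (inner) IPv4 packet
    cipher_block - block size the plaintext is padded to (16 for AES-CBC)
    iv_len       - explicit IV length (16 for AES-CBC, 8 for AES-GCM)
    icv_len      - integrity check value length (12 for HMAC-SHA1-96,
                   16 for HMAC-SHA256-128 or AES-GCM)
    nat_t        - True when the tunnel is UDP-encapsulated for NAT traversal
    """
    # The inner packet plus the 2-byte ESP trailer is padded up to a block boundary.
    plaintext = inner_len + ESP_TRAILER
    padding = (-plaintext) % cipher_block
    encrypted = plaintext + padding
    outer = IPV4_HEADER + ESP_HEADER + iv_len + encrypted + icv_len
    if nat_t:
        outer += UDP_HEADER
    return outer


def will_fragment(inner_len, link_mtu=1500, **kw):
    """True if the encapsulated packet is larger than the tunnel link's MTU."""
    return esp_tunnel_size(inner_len, **kw) > link_mtu


def max_inner_without_fragmentation(link_mtu=1500, **kw):
    """Largest inner packet length whose ESP encapsulation still fits link_mtu.

    Setting the tunnel-facing MTU at or below this value keeps the outer
    packets whole, which is the effect the poster got with an MTU of 1300.
    """
    inner = link_mtu
    while inner > 0 and esp_tunnel_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    # Constructed sample: a full-size inner packet versus the poster's 1300-byte MTU.
    for inner in (1500, 1300):
        outer = esp_tunnel_size(inner)
        print(f"inner {inner:4d} bytes -> ESP packet {outer} bytes, "
              f"fragments on a 1500-byte link: {will_fragment(inner)}")
    print("largest inner packet that avoids fragmentation:",
          max_inner_without_fragmentation())
    print("same, with NAT-T:", max_inner_without_fragmentation(nat_t=True))
```

With the assumed parameters a 1500-byte inner packet grows to 1560 bytes and must be fragmented on a 1500-byte link, while a 1300-byte packet becomes 1368 bytes and passes intact; the largest inner packet that still fits is 1438 bytes (1422 with NAT-T), so the 1300 chosen in the thread leaves comfortable headroom for other overheads such as PPPoE. The calculation treats the inner packet as an opaque length and does not model the DF bit or path MTU discovery; it only shows where the fragmentation that upset the proxy-based filter comes from.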