Description
The TLS active probe needs to initiate connections from the FortiGate itself.
It's just a regular TLS client that connects to the server and retrieves the server information.
It is essential for Application Control and Web Filter, which must be applied to the verified hostname (SNI) from the TLS ClientHello.
The TLS timeout is 5 seconds and cannot be modified.
When the TLS probe fails, the loading time of the web page can increase significantly (by more than 5 seconds).
The TLS probe can fail due to bad routing in the case of transparent VDOMs, an SD-WAN setup, or when a secondary IP address is used for Internet access.
Scope
Slow web page load when a web filter profile is enabled under the policy configuration.
For version 6.2.6 and above, and version 6.4.4 and above.
Troubleshooting:
CLI commands:
diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable
Debug output that shows TLS timeout:
eng_debug_log: Probe failed: unable to connect
Solution
The TLS active probe feature cannot be disabled.
In such a scenario, the user can manually configure the outgoing interface, source IP, and VDOM for the IPS TLS active probe connection.
CLI commands:
config ips global
    config tls-active-probe
        set interface-select-method <auto|sdwan|specify>
        set interface <intf name> <----- When method 'specify'
        set vdom <vdom name> <----- When method 'sdwan' or 'specify'
        set source-ip <source_ipv4> <----- When method 'sdwan' or 'specify'
        set source-ip6 <source_ipv6> <----- When method 'sdwan' or 'specify'
    end
end
set interface-select-method: Specify how to select an outgoing interface to reach the server.
auto <----- Set outgoing interface automatically.
sdwan <----- Set outgoing interface by SD-WAN or policy routing rules.
specify <----- Set outgoing interface manually.
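To check from a test host whether a given local source address can reach a server within the probe's 5-second window, the following added Python example (not Fortinet code, and not something that runs on the FortiGate) acts as the same kind of regular TLS client the Description outlines. The function name tls_probe, its result fields and the host www.example.com are assumptions made for this example.

```python
import socket
import ssl

PROBE_TIMEOUT = 5.0  # seconds; the page states the probe's TLS timeout is 5 seconds


def tls_probe(host, port=443, source_ip=None, timeout=PROBE_TIMEOUT):
    """Connect as a plain TLS client and report what the server presents.

    source_ip (optional) binds the outgoing socket to a local address, to test
    whether that address can reach the server before the timeout expires.
    """
    result = {"host": host, "ok": False, "error": None,
              "subject_cn": None, "san": [], "tls_version": None}
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((host, port), timeout=timeout,
                                      source_address=src) as raw:
            # server_hostname sets the SNI and is the name the certificate
            # is verified against.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls_version"] = tls.version()
                result["san"] = [v for k, v in cert.get("subjectAltName", ())
                                 if k == "DNS"]
                for rdn in cert.get("subject", ()):
                    for key, value in rdn:
                        if key == "commonName":
                            result["subject_cn"] = value
                result["ok"] = True
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (socket.timeout, TimeoutError):
        result["error"] = f"unable to connect: timed out after {timeout}s"
    except OSError as exc:  # refused, unreachable, DNS failure, bad source IP
        result["error"] = f"unable to connect: {exc}"
    return result


if __name__ == "__main__":
    # www.example.com is a placeholder host; pass source_ip="<local address>"
    # to test a specific egress address owned by this machine.
    print(tls_probe("www.example.com"))
```

A result with ok set to False and an "unable to connect" error for the tested source address points at the same routing problem that produces the "Probe failed: unable to connect" debug line.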