FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198382


The TLS active probe needs to initiate connections from the FortiGate itself.
It's just a regular TLS client which connects to the server and retrieves the server information.

It's essential for the functionality of Application Control and Webfilter which must apply to verified hostname (SNI) from TLS ClientHello.

The TLS timeout is 5 seconds.

In cases when the TLS probe fails, the loading time of the Webpage can be significantly increased (more than 5 seconds).

The TLS probe can fail due to bad routing in the case of Transparent VDOMs, SDWAN setup, or when the secondary IP address is used for the Internet.




Slow webpage load when web filter profile is enabled under the policy configuration.

For version 6.2.6 and above, version 6.4.4 and above.




CLI commands:


diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable


Debug output that shows TLS timeout:

eng_debug_log: Probe failed: unable to connect

In such a scenarios, the Customer can manually configure the outgoing interface, source IP, and vdom for the
IPS TLS active probe connection.

CLI Commands.

# config ips global
# config tls-active-probe
    set interface-selection-method <auto|sdwan|specify>
    set interface <intf name>            <----- When method 'specify'
    set vdom <vdom name>                 <----- When method 'sdwan' or 'specify'
    set source-ip <source_ipv4>          <----- When method 'sdwan' or 'specify'
    set source-ip6 <source_ipv6>         <----- When method 'sdwan' or 'specify'

set interface-select-method: Specify how to select an outgoing interface to reach the server.
auto                                                                   <----- Set outgoing interface automatically.
sdwan                                                                 <----- Set outgoing interface by SD-WAN or policy routing rules.
specify                                                                <----- Set outgoing interface manually.