Description
This article describes the TLS active probe, which initiates connections from the FortiGate itself. Only a few configurations trigger the probing requests: an SSL profile that requires SSL exemption or certificate verification, or a policy with a web filter or application control UTM profile enabled.
The probe is essential for Application Control and Web Filter, which must act on a verified hostname (SNI) taken from the TLS ClientHello.
The TLS timeout is 5 seconds and cannot be modified.
In cases when the TLS probe fails, the loading time of the web page can be significantly increased (more than 5 seconds).
The TLS probe can fail because of incorrect routing in the case of Transparent VDOMs or an SD-WAN setup, or when a secondary IP address is used for Internet access.
Scope
Slow web page load when a web filter profile is enabled in the policy configuration. FortiOS v6.2.6 and above, v6.4.4 and above.
Solution
CLI commands:
diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable
It is recommended to add a filter on the above command to capture the debug output specific to the affected user. Running the command without the filter may result in an outage.
diag ips filter set 'src <Source PC>' # Change <Source PC> to the source IP address that is used for testing.
Open Developer Tools in the browser and access the site that loads slowly. Sort by 'Duration' so the entry with the highest duration is first. Select the first entry and open Timings. The example below is from Firefox: TLS Setup shows around 5 seconds.
Debug output that shows TLS timeout:
eng_debug_log: Probe failed: unable to connect
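The browser timing and the debug line above both point at the same thing: a TLS handshake that never completes and is only abandoned when the probe timeout fires. The following Python script is an added example, not Fortinet code and not part of this article; it times the TCP connect and the TLS handshake separately from a test host, using the article's 5 s as the default timeout, and classifies the result the way the debug output does ('unable to connect' versus a stalled handshake). The two demo functions build a constructed local listener that accepts TCP but never answers the ClientHello, and a closed local port, so the two failure modes can be seen offline. Host names, ports and the 'example.test' SNI are constructed values.

```python
import socket
import ssl
import sys
import threading
import time

# Assumption from the article: the FortiGate TLS probe timeout is a fixed 5 seconds.
PROBE_TIMEOUT = 5.0


def measure_tls_setup(host, port=443, server_hostname=None, timeout=PROBE_TIMEOUT, verify=True):
    """Time the TCP connect and the TLS handshake to host:port, as an active probe would.

    Returns a dict: status is 'ok', 'timeout', 'refused' or 'error';
    tcp_ms / tls_ms are per-phase durations (None when that phase never started).
    """
    sni = server_hostname or host
    result = {"status": "error", "tcp_ms": None, "tls_ms": None, "detail": ""}
    ctx = ssl.create_default_context()
    if not verify:  # lab use only; a real probe validates the server certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    t0 = time.monotonic()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result.update(status="timeout", detail="TCP connect timed out")
        return result
    except ConnectionRefusedError as exc:
        result.update(status="refused", detail=str(exc))
        return result
    except OSError as exc:  # no route, name resolution failure, etc.
        result.update(detail=str(exc))
        return result
    t1 = time.monotonic()
    result["tcp_ms"] = round((t1 - t0) * 1000, 1)

    try:
        raw.settimeout(timeout)
        # wrap_socket() on an already-connected socket performs the handshake right away.
        tls = ctx.wrap_socket(raw, server_hostname=sni)
        with tls:
            result["tls_ms"] = round((time.monotonic() - t1) * 1000, 1)
            result.update(status="ok", detail=tls.version())
    except socket.timeout:
        result["tls_ms"] = round((time.monotonic() - t1) * 1000, 1)
        result.update(status="timeout", detail="TLS handshake timed out (no ServerHello)")
    except OSError as exc:  # ssl.SSLError (bad certificate, reset) is an OSError subclass
        result["tls_ms"] = round((time.monotonic() - t1) * 1000, 1)
        result.update(detail=str(exc))
    finally:
        raw.close()
    return result


def demo_stalled_probe(timeout=1.0):
    """Constructed fixture: a local listener that accepts TCP but never completes TLS,
    reproducing the 'TLS Setup ~ timeout' symptom without any network access."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(0.2)
    stop = threading.Event()
    held = []

    def accept_and_hold():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)  # keep the connection open, send nothing
            except socket.timeout:
                continue

    worker = threading.Thread(target=accept_and_hold, daemon=True)
    worker.start()
    try:
        return measure_tls_setup("127.0.0.1", srv.getsockname()[1],
                                 server_hostname="example.test", timeout=timeout, verify=False)
    finally:
        stop.set()
        worker.join()
        for conn in held:
            conn.close()
        srv.close()


def demo_refused_probe():
    """Constructed fixture: a closed local port, which yields the 'unable to connect' outcome."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()  # nothing listens on this port any more
    return measure_tls_setup("127.0.0.1", port, timeout=1.0, verify=False)


if __name__ == "__main__":
    # Usage: python tls_probe_timing.py <hostname>  (constructed file name)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.test"
    print(measure_tls_setup(target))
```

Run the script from a host on the same segment as the affected user, and separately from a host that reaches the Internet through the path the FortiGate uses for its own traffic: a tls_ms that sits at the timeout on the second path but not the first is consistent with the probe's outgoing interface or source IP being the problem, which is what the tls-active-probe settings in the Solution address.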
The TLS active probe feature cannot be disabled.
In such a scenario, the user can manually configure the outgoing interface, source IP, and VDOM for the IPS TLS active probe connection.
CLI commands:
config ips global
config tls-active-probe
set interface-selection-method <auto|sdwan|specify>
set interface <intf name> <----- When method 'specify'.
set vdom <vdom name> <----- When method 'sdwan' or 'specify'.
set source-ip <source_ipv4> <----- When method 'sdwan' or 'specify'.
set source-ip6 <source_ipv6> <----- When method 'sdwan' or 'specify'.
end
end
set interface-selection-method: Specify how to select the outgoing interface used to reach the server.
auto <----- Set outgoing interface automatically.
sdwan <----- Set outgoing interface by SD-WAN or policy routing rules.
specify <----- Set outgoing interface manually.
Copyright 2025 Fortinet, Inc. All Rights Reserved.