Created on
12-23-2020
06:18 AM
Edited on
04-13-2025
11:15 PM
By
Jean-Philippe_P
Description
This article describes how the IPS engine's TLS active probe works and why it slows page loads when it fails. The probe is a TLS connection that the FortiGate itself initiates toward the destination server. Only a few configurations trigger it: an SSL/SSH inspection profile that requires SSL exemption or certificate verification, or a firewall policy with a web filter or application control profile. Application Control and Web Filter depend on the probe because they must act on a hostname (SNI) from the TLS ClientHello that has been verified against the server's certificate.
The TLS probe timeout is 5 seconds and cannot be modified.
When the TLS probe fails, page load time increases significantly (by more than 5 seconds, since the engine waits for the probe to time out). The probe can fail because the FortiGate-originated connection is routed incorrectly, typically with transparent VDOMs, SD-WAN setups, or when a secondary IP address is used for Internet access.
Scope
Slow webpage load when a web filter profile is enabled in the firewall policy. Applies to FortiOS v6.2.6 and above and v6.4.4 and above.
Solution
The IPS engine daemon processes this traffic when the policy is in flow-based inspection mode (the default). Start with IPS engine debugging to identify slow page loads when Web Filter is enabled.
IPS engine debug commands can generate a very large amount of output depending on the number of inspected sessions. Always enable them with a filter.
To filter the traffic, use the command below:
diagnose ips filter set '<bpf filter>'
The filter is a Berkeley Packet Filter (BPF) expression, which accepts many parameters such as source address, destination address, and TCP/UDP ports.
Example 1:
Filter the traffic from source IP 1.1.1.1 and TCP port 443:
diagnose ips filter set 'src 1.1.1.1 and tcp port 443'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "src 1.1.1.1 and tcp port 443"
process id: 0
Example 2:
To filter traffic from source IP 192.168.10.10 to destination IP 8.8.8.8 on TCP port 443:
diagnose ips filter set 'src 192.168.10.10 and dst 8.8.8.8 and tcp port 443'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "src 192.168.10.10 and dst 8.8.8.8 and tcp port 443"
process id: 0
Example command list for Web Filter debugging:
diagnose debug console timestamp enable
diagnose ips filter set 'src 192.168.10.10 and tcp port 443'
diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable
When troubleshooting ends:
diagnose debug disable
diagnose ips debug disable all
diagnose ips filter clear
diagnose debug reset
Open the browser's developer tools (Network tab) and access the site that loads slowly. Sort by 'Duration' so the longest request is first, select that entry, and open 'Timings'. The example below is from Firefox; the 'TLS Setup' phase shows around 5 seconds, which matches the probe timeout.
Debug output that shows the TLS probe timeout:
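To confirm the delay from the command line rather than the browser, the following script (an added example, not part of the Fortinet article) uses curl's --write-out timers: the difference between time_appconnect (TLS handshake complete) and time_connect (TCP handshake complete) is the same phase Firefox reports as 'TLS Setup'. Run it from a client behind the FortiGate; a value close to 5 seconds on a site that is otherwise fast points at the probe timeout. The 0.5-second reporting margin, the 30-second curl limit and the URLs passed on the command line are the script's own choices, not values from the article.

```shell
#!/bin/sh
# Added example: measure TLS setup time with curl and flag values near the
# FortiGate's fixed 5-second TLS active probe timeout. Not from the article.

PROBE_TIMEOUT=5        # seconds, fixed in FortiOS per the article
SLACK=0.5              # assumed margin: flag TLS setup >= PROBE_TIMEOUT - SLACK

# tls_setup_seconds TIME_CONNECT TIME_APPCONNECT
# Prints the TLS handshake duration: curl's time_appconnect (TLS done) minus
# time_connect (TCP done), which is what Firefox shows as "TLS Setup".
tls_setup_seconds() {
    awk -v c="$1" -v a="$2" 'BEGIN { printf "%.3f\n", a - c }'
}

# classify_tls_delay SECONDS
# Prints PROBE_TIMEOUT_SUSPECTED when the handshake took about as long as the
# probe timeout, otherwise OK.
classify_tls_delay() {
    awk -v t="$1" -v lim="$PROBE_TIMEOUT" -v s="$SLACK" 'BEGIN {
        if (t >= lim - s) print "PROBE_TIMEOUT_SUSPECTED"; else print "OK"
    }'
}

# measure_url URL
# Fetches URL once (body discarded) and prints: URL tcp=<s> tls=<s> <verdict>.
# Returns 1 if curl itself failed (DNS, TCP, TLS or the --max-time limit).
measure_url() {
    url="$1"
    # --max-time bounds the whole transfer; time_* values are seconds as floats.
    timings=$(curl -s -o /dev/null --max-time 30 \
                   -w '%{time_connect} %{time_appconnect}' "$url") || return 1
    set -- $timings
    tls=$(tls_setup_seconds "$1" "$2")
    printf '%s tcp=%ss tls=%ss %s\n' "$url" "$1" "$tls" "$(classify_tls_delay "$tls")"
}

# Usage: sh tls-probe-check.sh https://example.com https://www.fortinet.com
# Repeat a few times against sites that are otherwise fast; the TLS column is
# what to compare with the 'TLS Setup' value in the browser.
for u in "$@"; do
    measure_url "$u" || printf '%s curl failed\n' "$u"
done
```

A plain TCP connect that completes quickly followed by a TLS setup of roughly 5 seconds is the signature to look for; if the TCP connect itself is slow, the problem is elsewhere than the probe.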
eng_debug_log: Probe failed: unable to connect
Starting with the engine builds v7.182, v7.338, and v7.533, the engine no longer starts a TLS probe when sni-server-cert-check is set to disable in the SSL/SSH inspection profile. This removes the probe delay from the session.
IPSEngine 0182 is the default engine in FortiOS v7.0.16, IPSEngine 0338 in v7.2.9, and IPSEngine 0533 in v7.4.4.
CLI commands (disabling the SNI-to-certificate check so the probe is not started):
config firewall ssl-ssh-profile
    edit "custom-certificate-inspection"
        config https
            set sni-server-cert-check disable <----- Default is enable.
        end
    next
end
With the check disabled, the FortiGate no longer verifies that the SNI in the ClientHello matches the CN or SAN of the server certificate, so Web Filter and Application Control act on the unverified SNI the client sends. Where that verification matters, keep the check enabled and fix the probe's routing instead, as described next.
Alternatively, configure the outgoing interface, source IP, and VDOM that the IPS engine uses for the TLS active probe connection, so the probe follows a working route. For the secondary-IP case mentioned in the Description, use the 'specify' method with the Internet-facing interface and the secondary IP address as source-ip.
CLI commands:
config ips global
    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name> <----- When method is 'specify'.
        set vdom <vdom name> <----- When method is 'sdwan' or 'specify'.
        set source-ip <source_ipv4> <----- When method is 'sdwan' or 'specify'.
        set source-ip6 <source_ipv6> <----- When method is 'sdwan' or 'specify'.
    end
end
interface-selection-method: specifies how the outgoing interface used to reach the server is selected.
auto <----- Select the outgoing interface automatically.
sdwan <----- Select the outgoing interface by SD-WAN or policy routing rules.
specify <----- Select the outgoing interface manually.