| Description | This article provides a solution for a problem where web filtering fails to function correctly in explicit proxy policies configured with deep packet inspection, particularly when additional HTTP ports are specified in profile protocol options. |
| Scope | FortiGate v7.2.7. |
| Solution |
After upgrading to v7.2.7, web filtering with deep packet inspection in explicit proxy policies fails to block access to HTTPS websites, while HTTP sites are restricted correctly. Instead of a certificate signed by the FortiGate Deep Inspection CA, the browser shows the original server certificate, which indicates that the HTTPS traffic is not being deep-inspected.
This issue arises specifically when additional ports for HTTP, such as 443, are included under profile protocol options.
Sample configuration (the proxy policy references the protocol options profile and the deep inspection profile; the protocol options profile lists additional HTTP ports):
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set logtraffic-start enable
        set webfilter-profile "Proxy"
        set profile-protocol-options "standard" <-----
        set ssl-ssh-profile "custom-deep-inspection" <-----
    next
end
config firewall profile-protocol-options
    edit "standard"
        config http
            set ports 80 443 8443 8080 <-----
            unset options
            unset post-lang
        end
    next
end
This issue has been resolved in FortiOS v7.4.4 and v7.6.0.
Workaround:
Remove the additional HTTP ports under profile-protocol-options so that only port 80 remains.
config firewall profile-protocol-options
    edit "standard"
        config http
            set ports 80
            unset options
            unset post-lang
        end
    next
end
|
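The following script is an added example, not Fortinet code, for auditing a FortiOS configuration backup for the combination described above: an explicit-web proxy policy that references an ssl-ssh-profile together with a profile-protocol-options entry whose HTTP port list contains anything besides 80. The minimal CLI parser, the sample configuration text and the function names are all assumptions made for this example; the sample is constructed and is not taken from a real device.

```python
"""Audit a FortiOS CLI configuration for explicit proxy policies that use
deep inspection together with a profile-protocol-options entry listing
additional HTTP ports (the condition behind the v7.2.7 issue above).

Added example, not Fortinet code. SAMPLE_CONFIG is constructed."""

import shlex

# Constructed sample: policy 1 is affected (profile "standard" lists 443/8443/8080),
# policy 2 uses a profile with port 80 only, policy 3 is not an explicit-web policy.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "standard"
        config http
            set ports 80 443 8443 8080
            unset options
            unset post-lang
        end
    next
    edit "http-only"
        config http
            set ports 80
        end
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set utm-status enable
        set webfilter-profile "Proxy"
        set profile-protocol-options "standard"
        set ssl-ssh-profile "custom-deep-inspection"
    next
    edit 2
        set proxy explicit-web
        set utm-status enable
        set profile-protocol-options "http-only"
        set ssl-ssh-profile "custom-deep-inspection"
    next
    edit 3
        set proxy transparent-web
        set profile-protocol-options "standard"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts (assumed simplified grammar).

    'config <table>' opens a table, 'edit <name>' opens an entry,
    'set <key> <values...>' stores a list of values, 'unset <key>' removes it,
    'next' closes an entry and 'end' closes a table."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)  # strips the quotes around names like "standard"
        keyword = parts[0]
        if keyword == "config":
            node = stack[-1].setdefault(" ".join(parts[1:]), {})
            stack.append(node)
        elif keyword == "edit":
            node = stack[-1].setdefault(parts[1], {})
            stack.append(node)
        elif keyword == "set":
            stack[-1][parts[1]] = parts[2:]
        elif keyword == "unset":
            stack[-1].pop(parts[1], None)
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def extra_http_ports(protocol_options):
    """Return the HTTP ports configured under 'config http' other than 80."""
    ports = protocol_options.get("http", {}).get("ports", [])
    return [p for p in ports if p != "80"]


def find_affected_policies(config_text):
    """Return (policy id, profile name, extra ports) for each explicit-web
    proxy policy that sets an ssl-ssh-profile and references a
    profile-protocol-options entry with HTTP ports beyond 80.

    Presence of ssl-ssh-profile is used as the deep inspection indicator;
    a fuller check would also read 'config firewall ssl-ssh-profile'."""
    cfg = parse_fortios(config_text)
    profiles = cfg.get("firewall profile-protocol-options", {})
    policies = cfg.get("firewall proxy-policy", {})
    affected = []
    for policy_id, policy in policies.items():
        if policy.get("proxy", [None])[0] != "explicit-web":
            continue
        if not policy.get("ssl-ssh-profile"):
            continue
        profile_name = policy.get("profile-protocol-options", [None])[0]
        extra = extra_http_ports(profiles.get(profile_name, {}))
        if extra:
            affected.append((policy_id, profile_name, extra))
    return affected


if __name__ == "__main__":
    for policy_id, profile_name, extra in find_affected_policies(SAMPLE_CONFIG):
        print(f"proxy-policy {policy_id}: profile '{profile_name}' lists extra HTTP ports {extra}")
```

Run it against the text of a `show full-configuration` export instead of `SAMPLE_CONFIG` to list the policies that need the workaround; each reported profile is a candidate for trimming its HTTP port list back to 80 as shown in the workaround.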
Copyright 2025 Fortinet, Inc. All Rights Reserved.