seyuboglu
Staff
Article Id 350400
Description This article describes how to troubleshoot content filtering problems. 
Scope FortiGate version 7.2.8.
Solution

If content filtering is not working as expected for the configured web profiles, follow the troubleshooting steps below to identify the problem.

This article focuses on the following problems that can occur when using content filtering:

  • The requested page does not load (no error message is shown, blank page).
  • The requested page shows the FortiGate blocked page replacement message only after 2-3 minutes.
  • The requested page loads after 2-3 minutes.

Example configuration for the matching policy:

config firewall policy
    edit 1
        set name "ContentFilter"
        set uuid 9ba1ee-b8f9-60e123832fce
        set srcintf "port1"
        set dstintf "WAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "all"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set webfilter-profile "TestWebFilter"
        set nat enable
    next
end

Example configuration for the content filtering profile is shown below:

Fortigate# config webfilter content
Fortigate# show

    config webfilter content
        edit 1
            set name "ContentFiltering"
                config entries
                    edit "tiktok"
                        set status enable
                    next
                    edit "snapchat.com"
                        set status enable
                    next
                end
        next
    end

Example SSL inspection profile selected on the matching policy:

Fortigate# config firewall ssl-ssh-profile

Fortigate# edit "custom-deep-inspection" <--- Default profile in FortiGate, select the custom profile if it exists.

Fortigate# get

  (output is truncated) 

  server-cert-mode : re-sign
  caname : Fortinet_CA_SSL
  untrusted-caname : Fortinet_CA_Untrusted
  ssl-server:
  ssl-exemption-ip-rating: enable
  ssl-exemption-log : disable
  ssl-anomaly-log : enable
  ssl-negotiation-log : disable
  ssl-server-cert-log : disable
  ssl-handshake-log : disable
  rpc-over-https : disable
  mapi-over-https : disable
  supported-alpn : all    <-- Default ALPN mode is set to all.
  use-ssl-server : disable

For content filtering to work, the corresponding firewall policy must use proxy inspection mode and must have an SSL deep inspection profile applied.

In this scenario, the user should receive a blocked replacement page from FortiGate:

  • When the user browses to a URL that contains the 'tiktok' keyword.
  • When the user searches for the 'tiktok' keyword on a search engine website (google.com, bing.com, etc.).

Example below:

[Image Result_Blocked.PNG: the FortiGate blocked page replacement message shown to the user]

If the user searches for a word that is not in the block list, the page should load on the user's screen without any problem.

If the user experiences problems (the page does not load, or takes too long to load) when searching for listed or non-listed words, change the following setting under the SSL inspection profile:

Fortigate# config firewall ssl-ssh-profile

Fortigate# edit "custom-deep-inspection"  <--- Select the profile enabled on the policy.

Fortigate (custom-deep-insp~ion)# set supported-alpn http1-1

Fortigate (custom-deep-insp~ion)# end

After this change the problem is fixed, and the page is opened or blocked according to the configuration of the content filtering profile.

This is a known issue and it is fixed in version 7.4 and version 7.2.11.
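As an added example (not from this article or from Fortinet), the following Python script parses a FortiOS 'show' dump and reports every web-filter policy that does not meet the conditions described above: proxy inspection mode, an SSL inspection profile applied, and supported-alpn set to http1-1. The parser and the SAMPLE configuration are constructed here; the table and attribute names are the ones shown in the article's output.

```python
def parse_fortios(text):
    """Parse FortiOS 'show' output (config/edit/set/next/end) into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw in ("config", "edit"):        # open a table or an entry
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif kw == "set":                   # attribute of the current entry
            key, _, val = rest.partition(" ")
            stack[-1][key] = val.strip('"')  # single-value attributes only
        elif kw in ("next", "end"):         # close entry / table
            stack.pop()
    return root

def audit_content_filter(cfg):
    """Flag web-filter policies lacking proxy mode, an SSL profile, or ALPN http1-1.
    'show' omits defaults, so a missing supported-alpn counts as the default 'all'."""
    findings = []
    profiles = cfg.get("firewall ssl-ssh-profile", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("utm-status") != "enable" or "webfilter-profile" not in pol:
            continue                        # no web filter on this policy
        if pol.get("inspection-mode") != "proxy":
            findings.append(f"policy {pid}: inspection-mode must be proxy")
        name = pol.get("ssl-ssh-profile")
        if name not in profiles:
            findings.append(f"policy {pid}: no SSL deep-inspection profile applied")
        elif profiles[name].get("supported-alpn", "all") != "http1-1":
            findings.append(f"policy {pid}: profile {name} needs 'set supported-alpn http1-1'")
    return findings

# Constructed sample in the article's format (not a real device dump); 'show'
# hides the default supported-alpn, so this profile still has the 'all' setting.
SAMPLE = """
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set server-cert-mode re-sign
    next
end
config firewall policy
    edit 1
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set webfilter-profile "TestWebFilter"
    next
end
"""
```

Run `audit_content_filter(parse_fortios(SAMPLE))` on a dump taken from an affected 7.2.8 unit to list the policies that still need the ALPN change.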