Description
When using load balancing with SSL offloading in a Virtual Server configuration (i.e. the server-type is https), the FortiGate sends empty fragments by default.
Sending an empty fragment (a zero-length record that carries only its MAC and padding) before each data record is the standard countermeasure against chosen-plaintext attacks on cipher-block chaining (CBC) mode in SSL 3.0 and TLS 1.0, where the initialization vector (IV) of a record is the last ciphertext block of the previous record and is therefore known to an attacker before the next plaintext is chosen.
Some older or buggy SSL implementations, on the client or on the server side, cannot handle empty fragments correctly.
One visible side effect is that the client cannot upload large files to the web server through HTTPS.
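The mechanism described above, as an added example that is not part of the original article and not FortiOS code: a Python model of a TLS 1.0-style chained-CBC record layer, the known-IV chosen-plaintext check an attacker can run against it to confirm a guessed secret block, and what happens to that check once the sender emits an empty fragment first. The block cipher is a toy Feistel construction standing in for AES so the script runs with the standard library only; the keys, the secret and the traffic are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # cipher block size in bytes (AES-sized)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Toy 16-byte keyed permutation: a 4-round Feistel network with an HMAC
    round function. Constructed for this example as a stand-in for AES; the
    attack below does not depend on which block cipher is used."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


class ChainedCBCSender:
    """Models the SSL 3.0 / TLS 1.0 CBC record layer: each record is MAC'd,
    padded and CBC-encrypted, and the IV of a record is the last ciphertext
    block of the previous record, i.e. it is visible on the wire in advance."""

    def __init__(self, enc_key, mac_key, send_empty_frags):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.send_empty_frags = send_empty_frags
        self.chain = os.urandom(BLOCK)  # initial IV from the handshake, never on the wire
        self.seq = 0

    def _mac_and_pad(self, plaintext):
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + plaintext,
                       hashlib.sha1).digest()
        self.seq += 1
        data = plaintext + mac
        pad_len = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
        return data + bytes([pad_len]) * (pad_len + 1)  # TLS-style padding

    def _encrypt_record(self, plaintext):
        padded = self._mac_and_pad(plaintext)
        out = b""
        for i in range(0, len(padded), BLOCK):
            self.chain = block_encrypt(self.enc_key, _xor(padded[i:i + BLOCK], self.chain))
            out += self.chain
        return out

    def send(self, plaintext):
        """Returns the list of records put on the wire for one write call."""
        records = []
        if self.send_empty_frags:
            # Zero-length record: only MAC and padding. Its last ciphertext block,
            # which the attacker cannot predict, becomes the IV of the real record.
            records.append(self._encrypt_record(b""))
        records.append(self._encrypt_record(plaintext))
        return records


def known_iv_guess(sender, iv_star, c_star, guess):
    """Attacker step: test whether the secret block that was encrypted as c_star
    under IV iv_star equals guess. The attacker watches the wire, so knows
    sender.chain (the IV the next record will use) and chooses that plaintext."""
    next_iv = sender.chain
    crafted = _xor(_xor(guess, iv_star), next_iv)
    records = sender.send(crafted)
    # Without empty fragments: E(crafted XOR next_iv) == E(guess XOR iv_star),
    # which equals c_star exactly when guess == secret.
    return records[-1][:BLOCK] == c_star


def run_attack(send_empty_frags, guess, secret=b"sessid=6f1c9ae24"):
    """Victim sends some traffic, then a 16-byte secret; the attacker then tries
    to confirm a guess. Keys, secret and traffic are constructed values."""
    assert len(secret) == BLOCK and len(guess) == BLOCK
    sender = ChainedCBCSender(os.urandom(16), os.urandom(16), send_empty_frags)
    sender.send(b"GET / HTTP/1.1")          # earlier traffic puts a chain block on the wire
    chain_before = sender.chain
    records = sender.send(secret)
    c_star = records[-1][:BLOCK]
    # IV of the secret record = the ciphertext block that precedes it on the wire
    iv_star = records[0][-BLOCK:] if send_empty_frags else chain_before
    return known_iv_guess(sender, iv_star, c_star, guess)


if __name__ == "__main__":
    print("no empty frags, right guess:", run_attack(False, b"sessid=6f1c9ae24"))  # True
    print("no empty frags, wrong guess:", run_attack(False, b"sessid=000000000"))  # False
    print("empty frags,    right guess:", run_attack(True, b"sessid=6f1c9ae24"))   # False
```

With `send_empty_frags=False` the attacker confirms the secret with a single chosen record, which is the weakness the default setting protects against; with `send_empty_frags=True` the empty record's ciphertext sits between the attacker's choice and the data record, so the crafted block no longer lines up and the check fails. Disabling empty fragments on the FortiGate puts the virtual server back in the first situation for SSL 3.0 and TLS 1.0 CBC cipher suites.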
Scope
FortiOS 4.0 and above
Solution
It is possible to disable empty fragments in the Virtual Server configuration with the following CLI parameter:
config firewall vip
edit "your_HTTPS_VirtualServer"
set ssl-send-empty-frags disable
end
Disabling empty fragments removes the CBC countermeasure for SSL 3.0 and TLS 1.0 connections to that virtual server, so apply it only to the virtual servers whose clients or real servers actually misbehave. TLS 1.1 and later use an explicit, unpredictable IV for every record and are not affected by the known-IV attack, so where the clients support it, restricting the virtual server to TLS 1.1 or higher (or to non-CBC cipher suites) is the better fix.