Hello,
yesterday I upgraded FG200E to version 7.0.4.
In the previous version 7.0.1 I used proxy inspection + SSL deep inspection (certificate signed from AD). After the update (7.0.1 -> 7.0.3 -> 7.0.4) all policies in Proxy mode stopped working. Each browser returned an "err_ssl_protocol_error" error, but eg IMAPS, SMTPS worked well.
Once I've adjusted the Policy to flow (and all UTMs), everything works.
There wasn't much time to find out why it behaves like this, I'll continue this weekend.
Has anyone tried to deploy 7.0.4?
Jirka
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I did some more tests:
- the problem only appears when applying an APP or IPS profile on Proxy policy
- I tried to create a new Policy - no change
- I tried to change Deep Inspection to Certification Inspection - no change
- everything is functional only with AV and WEB filtering
Jirka
Hi,
same here with 601E. Workaround was to change ssl-inspection Form Deep-inspection to certificate inspection. Weird is, that i Patched yesterday 17:00 But it stopped working today 13:00. No difference with flow of proxy based policys. No difference if i disable webfilter, AC, AV … My Only Chance was to disable Deep inspection
EDIT: deep inspection works in Flow-based Mode
Hagen
Hi Hagen,
that's exactly how it worked for me. After the update everything worked but over time the Proxy Policy stopped working. So certification inspection doesn't work for me either.
Last night I tried the box format installing 7.0.4 and restoring the configuration. It worked again for a while and this morning I'm getting "ERR_CONNECTION_CLOSED" from browsers (chrome, edge, firefox).
I have create ticket also on TAC and waiting for response.
Jirka
No idea about it so far. But I would like to learn more. Thank you so much!
Hi Jirka1,
Found a similar scene, do you match this issue environment?
=========
Traffic is blocked when AV profiled enabled in proxy inspection mode + IPSec scenario with NPU offloading enabled
Workaround: disable NPU offload in affected firewall policy
=========
Thanks
Kangming
Hi Kangming,
no, this workaround doesn't work for me.
Proxy policy paradoxically only works with my AV profile for me. If I add APP or IPS - I end up with a browser error "ERR_CONNECTION_CLOSED". And it doesn't matter if I use deep inspection or certification inspection.
Likewise, disabling offload has no effect.
Jirka
Hi Jirka,
OK, I am reproducing this issue in my FGT401E environment, can you share with me the configuration of your proxy policy?
Thanks
Kangming
Email sent.
Jirka
Having similar issue 7.0.4 on 600E. Changed outbound from Proxy to Flow and that is working for now. Issues started happening this afternoon. We went from 7.0.3 to 7.0.4 early this morning, then issue appeared later in the day.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.