Fortinet Forum
Jirka1
Contributor II

7.0.4 - break Proxy inspection

Hello,

Yesterday I upgraded an FG200E to version 7.0.4.

In the previous version 7.0.1 I used proxy inspection + SSL deep inspection (certificate signed from AD). After the update (7.0.1 -> 7.0.3 -> 7.0.4) all policies in Proxy mode stopped working. Each browser returned an "err_ssl_protocol_error" error, but e.g. IMAPS and SMTPS worked well.
Once I've adjusted the Policy to flow (and all UTMs), everything works.

There wasn't much time to find out why it behaves like this; I'll continue this weekend.

Has anyone tried to deploy 7.0.4?

Jirka

Jirka1
Contributor II

I did some more tests:

- the problem only appears when applying an APP or IPS profile on Proxy policy
- I tried to create a new Policy - no change
- I tried to change Deep Inspection to Certification Inspection - no change
- everything is functional only with AV and WEB filtering

Jirka

Hmichel
New Contributor

Hi,

Same here with a 601E. The workaround was to change ssl-inspection from deep-inspection to certificate inspection. The weird thing is that I patched yesterday at 17:00 but it stopped working today at 13:00. No difference with flow of proxy based policies. No difference if I disable webfilter, AC, AV … My only chance was to disable deep inspection.

EDIT: deep inspection works in flow-based mode

Hagen

Jirka1
Contributor II

Hi Hagen,

That's exactly how it worked for me. After the update everything worked, but over time the Proxy Policy stopped working. So certification inspection doesn't work for me either.
Last night I tried formatting the box, installing 7.0.4 and restoring the configuration. It worked again for a while, and this morning I'm getting "ERR_CONNECTION_CLOSED" from browsers (Chrome, Edge, Firefox).
I have also created a ticket with TAC and am waiting for a response.

Jirka

CorreyAnderson
New Contributor

No idea about it so far. But I would like to learn more. Thank you so much!

Kangming
Staff

Hi Jirka1,

I found a similar case; does your environment match this issue?

=========

Traffic is blocked when an AV profile is enabled in proxy inspection mode + IPSec scenario with NPU offloading enabled
Workaround: disable NPU offload in affected firewall policy

=========

Thanks

Kangming

Jirka1

Hi Kangming,

no, this workaround doesn't work for me.

Proxy policy paradoxically only works with my AV profile for me. If I add APP or IPS - I end up with a browser error "ERR_CONNECTION_CLOSED". And it doesn't matter if I use deep inspection or certification inspection.

Likewise, disabling offload has no effect.

Jirka

Kangming

Hi Jirka,

OK, I am reproducing this issue in my FGT401E environment. Can you share the configuration of your proxy policy with me?

Thanks

Kangming

Jirka1

Email sent.

Jirka

darrendavey

Having similar issue 7.0.4 on 600E. Changed outbound from Proxy to Flow and that is working for now. Issues started happening this afternoon. We went from 7.0.3 to 7.0.4 early this morning, then issue appeared later in the day.