Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Domvel
New Contributor

Fortigate SSL inspection produces corrupt file downloads.

I can't download a working setup of VS Code from the page https://code.visualstudio.com/ because Fortigate replaces a small block from the files with zero bytes.

 

The file comes from URL: https://az764295.vo.msecnd.net/stable/4e9361845dc28659923a300945f84731393e210d/VSCodeSetup-x64-1.26....

 

After download, the setup returns a crc32 error. The digital signature (file properties) says invalid certificate.

If I download the file without fortigate certificate replace (deep ssl) the file is correct.

 

A comparison of the two files (downloaded with and without Fortigate) in a hex editor shows that at offset 0xFFE28 a block of length 432 has been replaced with zero bytes by Fortigate. Range 0xFFE28 - 0xFFFD7.

 

This code block:


 

is replaced by Fortigate with 0x00 for each byte.

 

Why? Fortigate eats a hole in the file?

 

Update: 

This also happens with other downloads. e.g. Unity Asset Store. (Not all packages. Try the package "post processing stack"). 

It removes a shorter block by 0x00. Weird. I have no idea where's the problem.
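
The comparison described in the post above, as an added example that is not part of the original thread: it locates zero-filled spans in a suspect download relative to a known-good copy and confirms the hash mismatch. The function names and the 1 MiB sample data are assumptions constructed for illustration; only the offset 0xFFE28 and the length 432 come from the post.

```python
import hashlib

def zeroed_ranges(reference: bytes, suspect: bytes):
    """Find spans where `suspect` holds 0x00 but `reference` does not.

    Returns (first_offset, last_offset, length) per span. A span is a run of
    zero bytes in `suspect`, trimmed to the first and last byte that differ
    from `reference`, so zeros that are genuinely in the file are not
    reported on their own and do not split a span.
    """
    spans = []
    limit = min(len(reference), len(suspect))
    i = 0
    while i < limit:
        if suspect[i] != 0:
            i += 1
            continue
        j = i
        while j < limit and suspect[j] == 0:
            j += 1
        changed = [k for k in range(i, j) if reference[k] != 0]
        if changed:
            spans.append((changed[0], changed[-1], changed[-1] - changed[0] + 1))
        i = j
    return spans

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_sample():
    """Constructed 1 MiB sample, not the real installer: a reference copy and
    a copy with 432 bytes zeroed at the offset reported in the post."""
    ref = bytearray((i * 31 + 7) % 255 + 1 for i in range(0x100000))
    ref[0xFFE28 + 200] = 0  # a legitimate zero byte inside the block
    bad = bytearray(ref)
    bad[0xFFE28:0xFFE28 + 432] = bytes(432)
    return bytes(ref), bytes(bad)

if __name__ == "__main__":
    good, bad = make_sample()
    print("hashes match:", sha256_hex(good) == sha256_hex(bad))
    for first, last, length in zeroed_ranges(good, bad):
        print(f"zeroed 0x{first:X} - 0x{last:X} ({length} bytes)")
```

For real files, read both downloads with `open(path, "rb").read()` and pass the bytes to `zeroed_ranges`; the copy fetched without deep inspection is the reference.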

emnoc
Esteemed Contributor III

Using the CLI command diag debug flow and inspecting what the firewall is doing would be the 1st guess. What is the firewall doing (proxy, file inspection, etc.)?

 

PCNSE 

NSE 

StrongSwan  

Domvel
New Contributor

It's the SSL Inspection. If I turn it off, it works. I can't see any logs for this issue.

darwin_FTNT

In the console or CLI, you can see the version info needed to replicate the bug. Type:

 

get system status

 

diagnose autoupdate versions

 

Also the matching firewall policy and the utm profiles enabled for the affected traffic.

 

Did a quick test on the latest FOS v6 and md5sum of ssl deep inspection enabled/disabled are the same.

Wayne11

Same problems here with 6.0.2. It happens only with Full SSL Inspection profile.

hop_FTNT

Hi Domvel and Wayne1,

 

There are 2 known corruption issues that have been fixed in 6.0.3, which has ipsengine 4.00025 built in. Please give it a try.

 

Thanks.

Wayne11

Hi hop_FTNT

 

Thanks for the tip, after updating to 6.0.3 the problem is solved.

 

Regards