gsarica
Contributor

5.6.0 breaks deep packet inspection

Going to open a ticket on this as well but wanted to see if anyone else had this same issue. Did the upgrade from 5.4.3 to 5.6.0 and as far as I can tell nothing changed in our policies except the deep packet inspection profile was automatically renamed from 'deep-inspection' to '__upg_deep-inspection' for some reason. Applications like Skype and Outlook are no longer connecting even though exceptions are in the list and it worked before the upgrade. Also going to certain websites will display a 'webpage is not available' error quickly before refreshing and finally going to the site.

Chuck
New Contributor

I have the same issue. On 5.6.2 it sometimes works but is very slow. Did you ever find an answer?

gsarica

Sort of. I had to go through each app that wasn't working and find lists of exceptions to add on their websites. Never got an answer as to why they all worked in 5.4 without the added exceptions but not in 5.6.

hmtay_FTNT

Hello gsarica,

Can you check the name of the CA certificate that was imported into your environment? If you have been upgrading your FortiGate from older OS versions, there is some chance you are using the "Fortinet_CA_SSLProxy" certificate, which is kept in newer FortiOS upgrades for compatibility purposes. In FortiOS 5.6, the default profiles for certificate-inspection and deep-inspection use the "Fortinet_CA_SSL" certificate. If you have been using the default profile while the certificate you imported previously was "Fortinet_CA_SSLProxy", that would explain why deep-inspection is not working correctly and applications are not working.

Homing
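The check suggested in the reply above can be run against a configuration backup. This is an added example, not code from the thread or from Fortinet: it assumes the backup uses the FortiOS CLI layout (`config firewall ssl-ssh-profile`, `set caname`), the sample config is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in FortiOS CLI backup layout (assumed format, not from the thread).
SAMPLE_CONFIG = '''\
config firewall ssl-ssh-profile
    edit "__upg_deep-inspection"
        set caname "Fortinet_CA_SSLProxy"
        config ssl-exempt
            edit 1
                set type address
            next
        end
    next
    edit "deep-inspection"
        set caname "Fortinet_CA_SSL"
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "__upg_deep-inspection"
    next
end
'''

def profile_ca_names(config_text):
    """Return {profile name: caname} for entries of the ssl-ssh-profile table."""
    profiles, depth, in_table, current = {}, 0, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # only top-level tables select what we parse
                in_table = line == "config firewall ssl-ssh-profile"
        elif line == "end":
            depth -= 1
            in_table = in_table and depth > 0
        elif in_table and depth == 1:  # skip nested tables such as ssl-exempt
            m = re.match(r'edit "(.+)"$', line)
            if m:
                current = m.group(1)
                profiles[current] = None  # no caname line seen yet
            m = re.match(r'set caname "(.+)"$', line)
            if m and current:
                profiles[current] = m.group(1)
    return profiles

def mismatched_profiles(config_text, trusted_ca):
    """Profiles whose signing CA differs from the CA installed on clients."""
    found = profile_ca_names(config_text)
    return sorted(name for name, ca in found.items() if ca != trusted_ca)
```

A profile with no `set caname` line is reported as well, because the backup alone does not show which default CA it signs with.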

gsarica

Thanks, the issue didn't have to do with the certificate being used. For example, the GoTo products like GoToMeeting and GoToAssist all worked fine in 5.4.2 with deep inspection enabled and only a minimum of exceptions; I think we had *.gotomeeting.com and only a couple of others. Upgrading to 5.6 stopped them all from working. I had to add almost 40 exceptions found here:

http://support.citrixonline.com/en_us/meeting/all_files/G2M060010

Once I added all of them the apps worked again. Why they worked before the upgrade is beyond me.

khalilysf

I have the same issue. Did you find any answer to the problem?

st3fan
New Contributor III

Hi everyone

We also have this issue in our environment. Ever since we upgraded to FortiOS 5.6.x, we often experience that a website does not load at first but then it loads without a problem after a refresh. There are no certificate warnings - that is not the problem. We have experienced this on all builds of the 5.6.x branch so far. We have never had this problem on FortiOS 5.4.

I opened a ticket with Fortinet Support a while ago but they were not able to assist as I simply could not provide the log files they requested. It is very challenging to capture this event as it cannot be reproduced, at least not in our environment. It seems to happen intermittently.

Just wondering if anyone here ever found a solution? Has anyone experienced this issue on FortiOS 6.0.x?

Thanks,

Stefan

rliessi
New Contributor

@st3fan, did you find a solution? I have the same problem, sometimes we need to refresh to load the website.

Thanks,

st3fan
New Contributor III

Hi rliessi

No, unfortunately we have not found a solution yet.

Regards

Stefan

rliessi
New Contributor

Ok..   Thanks.
