7.0.4 - break Proxy inspection
Hello,
Yesterday I upgraded FG200E to version 7.0.4.
In the previous version 7.0.1 I used proxy inspection + SSL deep inspection (certificate signed from AD). After the update (7.0.1 -> 7.0.3 -> 7.0.4) all policies in Proxy mode stopped working. Each browser returned an "err_ssl_protocol_error" error, but e.g. IMAPS and SMTPS worked well.
Once I've adjusted the Policy to flow (and all UTMs), everything works.
There wasn't much time to find out why it behaves like this, I'll continue this weekend.
Has anyone tried to deploy 7.0.4?
Jirka
Labels: FortiGate
I did some more tests:
- the problem only appears when applying an APP or IPS profile on Proxy policy
- I tried to create a new Policy - no change
- I tried to change Deep Inspection to Certification Inspection - no change
- everything is functional only with AV and WEB filtering
Jirka
Hi,
Same here with 601E. The workaround was to change ssl-inspection from deep-inspection to certificate inspection. The weird thing is that I patched yesterday at 17:00, but it stopped working today at 13:00. No difference with flow or proxy based policies. No difference if I disable webfilter, AC, AV … My only chance was to disable deep inspection.
EDIT: deep inspection works in Flow-based Mode
Hagen
Hi Hagen,
that's exactly how it worked for me. After the update everything worked but over time the Proxy Policy stopped working. So certification inspection doesn't work for me either.
Last night I tried formatting the box, installing 7.0.4 and restoring the configuration. It worked again for a while and this morning I'm getting "ERR_CONNECTION_CLOSED" from browsers (Chrome, Edge, Firefox).
I have also created a ticket with TAC and am waiting for a response.
Jirka
No idea about it so far. But I would like to learn more. Thank you so much!
Hi Jirka1,
I found a similar scenario; does your environment match this issue?
=========
Traffic is blocked when AV profile is enabled in proxy inspection mode + IPSec scenario with NPU offloading enabled
Workaround: disable NPU offload in the affected firewall policy
=========
Thanks
Kangming
Hi Kangming,
no, this workaround doesn't work for me.
Proxy policy paradoxically only works with my AV profile for me. If I add APP or IPS - I end up with a browser error "ERR_CONNECTION_CLOSED". And it doesn't matter if I use deep inspection or certification inspection.
Likewise, disabling offload has no effect.
Jirka
Hi Jirka,
OK, I am reproducing this issue in my FGT401E environment, can you share with me the configuration of your proxy policy?
Thanks
Kangming
Email sent.
Jirka
Having a similar issue with 7.0.4 on 600E. Changed outbound from Proxy to Flow and that is working for now. Issues started happening this afternoon. We went from 7.0.3 to 7.0.4 early this morning, then the issue appeared later in the day.