Hi All,
We have Fortigate 100D model with 6.2.15 version, recently we are facing issue with zoom app while accessing it and getting the below error.
We have validate the certificate on fortinet, its not expired and valid as well. Tried to download the certificate which are we using security profile as 'certificate inspection' in policy and inspection mode is set to proxy mode and added this certificate to the browser as well but no luck. When we changed inspection mode to flow based it started working as expected. But we want it should work on proxy mode with security profile as "certificate inspection'.
Could you please provide the solution?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You mention Certificate - why do you think this is the problem? Does the FortiGate logs this as a problem (denies traffic because certificate is wrong/expired/etc)? Enable logging on that policy to see if Fortigate blocks the connection.
Otherwise, need to know how Zoom operates. If it's using SIP protocol for signalling, make sure you did NOT disable SIP-ALG on the firewall
Hi,
We have not only facing the issue with zoom app but we 2 to 3 internal urls which we used and getting the same error for all this. Please find the below logs from FW.
Date 2023/06/27
Time 05:07:49
Duration 2s
Session ID 39341658
Virtual Domain root
NAT Translation Source
Source
IP X.X.X.X
NAT IP X.X.X.X
Source Port 60651
Country/Region Reserved
Source Interface Wireless Users
Device ID FG100D3G16830465
User
Destination
IP 170.114.52.2
Port 443
Country/Region United States
Destination Interface Internet Gateway (wan1)
Application Control
Application Name HTTPS
Category unscanned
Risk undefined
Protocol 6
Service HTTPS
Data
Received Bytes 3 kB
Sent Bytes 848 B
Sent Packets 10
LAN In 524 B
LAN Out 524 B
WAN In 4 kB
WAN Out 320 B
Action
Action TCP reset from client
Security Action Blocked
Policy 174
Policy UUID fee49ddc-3d8e-51e8-1f90-df54824df03d
Policy Type IPv4
Security
Level
Cellular
Service HTTPS
Other
ID 7249228209449861255
Time 2023-06-27 01:07:50
euid 3
epid 1262
dsteuid 3
dstepid 101
logflag 3
logver 602151378
Type traffic
Sub Type forward
Log ID 0000000013
Source Interface Role lan
Destination Interface Role wan
Log event original timestamp 1687842470289547000
Number of SSL logs 1
Timezone +0000
dtime 2023-06-27 05:07:49
itime_t 1687842470
Zoom App and URL can only block access (both at the same time) if you misconfigured something. The logs actually tell a different story: "TCP reset from client" is actually telling you that the client actively reset the session. This is not something that can be fixed on Fortigate, but can happen if the destination does not like something about your connection (usually that is the IP). So check if your public IP is not blacklisted - that means the end firewall may block the connection (and you will see the reset).
Hi,
Someone could you please provide any solution on this as we have 2 to 3 internal urls (zoom,snowflake and logme123) which we used and getting the same error for all this. Also on firewall logs we see in ssl inspection logs getting "invalid/block cert" errorr.
"invalid/block cert" - different error, but pretty obvious. Wrong certificate being used. Do you have another firewall / proxy after the FortiGate which does deep-inspection (or changes the certificate)?
Hi,
We don't have any other firewall/proxy after the fortigate, we have router after fortigate.
Also attached some screenshot for the certificate error. Actually we have 2 certificate "Fortinet_CA_SSL" and "Fortinet_CA_Untrusted". I think these apps picking "Fortinet_CA_Untrusted".
Looks like you use "Fortinet_CA_Untrusted" for DPI. So you will have to make your client trust this CA by installing it as trusted certificate authority.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi,
You mean to say we need to download and add this certificate ("Fortinet_CA_Untrusted") from Firewall and we can go into the browser in the client system by going to "internet options" then add it in root certificate?
Hi,
Usually FGT uses Untrusted CA certificate if it is not able to successfully verify the actual Server certificate (Zoom Certificate).
For testing, you can manually download the Server certificate for Zoom and install in to FortiGate trusted CA list and try to access it again.
If the issue persist please share the section of relevant configuration and logs for checking further.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.