Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
avarela
New Contributor

Application control is blocking Whatsapp

I have problems with a policy where I include an application control where I block access to facebook, youtube and others, one of the applications that I allow within the control is whatsapp but it has presented problems since yesterday, the attached files are not They send and the messages are sent several minutes later, the same as when receiving. I have been doing tests and by allowing the known applications the whatsapp starts working correctly, someone could help me know what the problem is if everything was working well until yesterday that I present this inconvenient.

 

My device is a Fortigate 90D The only categories that I have blocked in the control of applications are: Botnet, Game, P2P, Social.Media, Update, Video/Audio and Unknown applications (now in monitor mode for whatsapp work)

The other categories are in monitor mode

1 Solution
Shaun
New Contributor

Hi Discus,

 

I received the below feedback earlier today on my ticket I logged with Fortinet;

 

We have released improved WhatsApp signature in IPS definition version 12.315, please update the IPS definition to latest version and test again.

If the traffic about WhatsApp still detected as Facebook-Web in Forward Traffic log , please provide us a full packet capture which include the traffic, thanks.

 

I upgraded our IPS definition package to the latest version (12.315) and customer has confirmed it is working again with no issues. I've checked the logs, and the destinations where we were getting blocked (e6.whatsapp.net, e14.whatsapp.net, etc) which was classified as 'Facebook-Web' application traffic in the 'Unknown Applications' category, is now being seen as 'WhatsApp' application traffic within the 'Collaboration' category, which is correct.

 

Will continue to monitor and will revert if we pick up any issues.

 

View solution in original post

17 REPLIES 17
rajivk
New Contributor

i am having the same issue with a policy where I include an application control where one of the applications that I allow  is whatsapp but it has presented problems since yesterday, the attached files are not sent and the messages are sent several minutes later, the same as when receiving. I have been doing tests and by allowing the unknown applications the whatsapp starts working correctly, someone could help me know what the problem is if everything was working well until yesterday.   My device is a Fortigate 400D

 

As of Now the Unknown applications is Monitor Mode for Whatsapp to work, which i believe is not the correct way to have in the system

Discus
New Contributor

I'm seeing similar problems. 

 

WhatsApp traffic that is not correctly assigned to WhatsApp can be categorised as: 

[ul]
  • unknown tcp/5222
  • unknown "Facebook-Web" - typically https traffic to IPs that have PTR records ending in ip4.static.sl-reverse.com, typically 169.x.x.x
  • Bittorrent. [/ul]

    Obviously, allowing unknown things is a bad idea... 

     

    Sadly, my 500E is also preventing me adding custom app signatures :\ 

     

    This all manifests as WhatsApp being "broken" or "slow" depending on the user that's trying it. Mine is "slow" - crazily so. 

     

    We're not doing full SSL inspection, only certificate inspection. We're in proxy, not flow mode. FortiOS 5.6.3 Maybe that's a factor?

     

    It certainly *was* working before last weekend, so either WhatsApp changed something, or Fortigate did (or both!). 

  • Shaun
    New Contributor

    Hi all,

     

    Has anyone had any feedback from Fortinet regarding this issue?

     

    I've logged a case with them to investigate as we picking up the same issue as Discuss stated above. Destination ranges from e6.whatsapp.net all the way up to e14.whatsapp.net, which is classified as a 'Facebook-Web' application within the 'Unknown' application category. 

    Discus
    New Contributor

    @Shaun - I also have an open case, and nothing yet beyond "we're looking into it"... :\ 

    If *I* considered it enterprise traffic, I'd be fuming now, but it's something that people have adopted themselves (users may consider it critical...). Our official comms channels don't include it - but customers have become used to using it to contact our staff - and our staff have embraced it, despite all the goodies in GSuite etc. :\

     

    However, it's been nearly a week now, so I expect some management push-back to come our way soon... :\ 

    Discus
    New Contributor

    I suspect some newer definitions have been pushed - it seems to be working a little better today. Will keep an eye on it. 

    No feedback in my open ticket though. :\ 

    Shaun
    New Contributor

    Hi Discus,

     

    I received the below feedback earlier today on my ticket I logged with Fortinet;

     

    We have released improved WhatsApp signature in IPS definition version 12.315, please update the IPS definition to latest version and test again.

    If the traffic about WhatsApp still detected as Facebook-Web in Forward Traffic log , please provide us a full packet capture which include the traffic, thanks.

     

    I upgraded our IPS definition package to the latest version (12.315) and customer has confirmed it is working again with no issues. I've checked the logs, and the destinations where we were getting blocked (e6.whatsapp.net, e14.whatsapp.net, etc) which was classified as 'Facebook-Web' application traffic in the 'Unknown Applications' category, is now being seen as 'WhatsApp' application traffic within the 'Collaboration' category, which is correct.

     

    Will continue to monitor and will revert if we pick up any issues.

     

    Discus
    New Contributor

    Thanks Shaun. :) 

    john_ngugi
    New Contributor

    Same problem.

    noize88

    so is there any solution? 

    i have followed this sol. but no luck. whatsapp not working.

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD37625

     

    v6.2.1 build0932 (GA)

    Application Control Signatures Version 14.00705

     

    Device & OS Identification Version 1.00084 Internet Service Database Definitions Version 7.00143AV Definitions Version 72.00388 AV Engine Version 6.00132 Mobile Malware Version 72.00388Security Rating Package Version 2.00027
    Labels
    Top Kudoed Authors