I wanted to know in my fortigate firewall with fortios 7.0.11, if I am using app control profile in policy then deep packet inspection is required compulsory?
Issue : Actually I am having existing policy with app control with normal certificate inspection but I am getting intermittent issue in zoom meetings if I am using Dpi then too sometimes I am getting issue so if using Dpi then zoom need to be bypass from it?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Kashif,
DPI is kind of required. The reason is that the App control etc are working on the readable traffic/destination addresses etc inside the traffic. DPI ensure that fgt can actually read it. If we cannot read or only the TLS tunnel headers prior encrypting the whole stream, we cannot act on the encrypted traffic.
Alternatively explicit proxy might be worth a shot.
Best regards,
Markus
Hi Kashif,
DPI is kind of required. The reason is that the App control etc are working on the readable traffic/destination addresses etc inside the traffic. DPI ensure that fgt can actually read it. If we cannot read or only the TLS tunnel headers prior encrypting the whole stream, we cannot act on the encrypted traffic.
Alternatively explicit proxy might be worth a shot.
Best regards,
Markus
Thanks @Markus_M
@Markus_M ,if I am using Dpi in policy with app control and still getting intermittent issue for zoom.us the bypassing zoom.us will work?
Hello Kashif,
You should put the Fortinet CA certificate in the end user machine's Trusted root CA directory, as this is necessary for the deep inspection to function properly.
In case you want to bypass zoom you can add it in the Application and Filter Override.
You should be more specific with the issue you have.
If you have certificate warnings, then you need to import the CA certificate FortiGate uses for signing web server certificates, to the client. The warning will then go away.
Some applications do implement a security measure where the server tells the end station what certificate to expect inside TLS. Since the FortiGate signs the webserver traffic, the certificate will be unexpected and the traffic may not proceed. That is a security measure against man-in-the-middle attacks and some applications indeed may have to be excluded from DPI.
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.