We are having a bizarre problem since updating to 6.2.1 (we updated due to a memory leak issue in 6.2.0).
Certain sites are giving us a ERR_SSL_PROTOCOL_ERROR only in Google Chrome. I have tried all the usual troubleshooting for this error, but the only thing that fixes it is restarting the fortigate. Two sites (facebook.com and login.renweb.com) both use TLS 1.3, but we can get to facebook without a problem and we cannot get to the other site. After rebooting the device, it works for several days and then starts behaving poorly again.
Other browsers work fine, including Internet Explorer, Edge (not Chromium based) and Firefox.
I have attempted to disable SSL certificate inspection, but that does not seem to affect the problem one way or another. I also tried putting the fortigate back on its factory certificate.
My next step will be to revert to 6.0 branch, where I did not experience this issue, but I figured I would post first to see if anyone had similar experiences.
Solved! Go to Solution.
Have anybody used curl against theses sites? Inspect the certificate and if you see any stale cert clear them. You can also test in a incognito window and see if the problem exists.
It sounds like a browser issues. FWIW. I check all of those sites from fortios v6.2.3 and see no issues using chrome on windows { Version 78.0.3904.87 (Official Build) (64-bit) }
Ken Felix
PCNSE
NSE
StrongSwan
Quick update, I believe we solved the problem, or at least my problem. I haven't fulled vetted this out yet, but so far, so good.
All of my static URL Web Filters end with:
* wildcard block
I changed it to:
[^.] regex block
and now everything works as it should. Wanted to get this out these asap in case it helps anyone.
I just posted “Weak impersonation certificates blocking access to sites using ECC certificates”, then saw this post. The two are possibly related.
Okay, I have been digging into this a little more and I think I have some leads. Seadave is on point with proxy vs flow mode in my testing. I found that AV, certificate settings, or any other security profiles made no difference being enabled or disabled. I am interested to hear from anyone who has a situation different to this. I expect to be affected, you will need to be using:
- Proxy mode in the policy
- HTTP proxy in the proxy profile (on port 80 in my case which is confusing for a secure site?)
Since you can now choose Flow Based vs Proxy on a per policy level now in 6.2 - you have a couple of work around options.
1. When the issue starts occurring, access the device CLI and execute the following command to restart the proxy service:
diagnose test application wad 99
I ran this command in the middle of the day without noticing any problems, but use this at your own risk!
2. Reboot the firewall
3. Create a new copy of the policy above the affected policy, targeting affected destination websites IP addresses (least impact on security, but a pain to manage). Set this policy to flow mode or use a proxy policy that has HTTP proxy disabled.
4. Create a new policy using a proxy policy that has HTTP disabled and apply this to the proxy settings on the affected firewall policy.
5. Change the policy from proxy to flow mode.
Obviously you will need to consider how the reduction in protection affects your risk, and don't forget to change back after the issue is resolved in a future firmware update. Hope this helps.
We are pushing on this because we really want to leverage new features in 6.2 - Please fix this soon FortiNet!
Hope this helps, please consider giving me a vote if you found this useful!
Mostly this error occurs due to the server issues and a lack of client authentication. There are some other reasons for ERR_SSL_PROTOCOL_ERROR on Google Chrome and you can fix this with https://www.clickssl.net/blog/fix-err_ssl_protocol_error-for-google-chrome this guide.
You're running into a bug related to the SSL handshake & certificate-inspection profile when policy is set to proxy mode. Switch to flow-based inspection for now. Hoping this bug is fixed in 6.2.2.
I had the same error in my chrome for one of my website and I got resolved it by removing history data and setting the clear state protocol clear from the chrome browser. There are other possible reasons for this error. You can refer this guide if you want, they mention all possible causes for this error:
Steps to Fix NET::ERR_SSL_PROTOCOL_ERROR in Chrome
I've had similar issues since my rollup.
All Chrome and Chromebooks broke.
My resolution:
I rebuilt all of the SSL inspection exemptions and web filter exemptions adding these links:
Hello,
i have the same problem on 6.2.3. I am unable to display the blocked https page correctly. In Chrome it ends with an "ERR_CONNECTION_RESET" error. HTTP queries work correctly. I have set up cert-inspection, flow policy and use only the FortiGuard category. In the profile configuration I tried to disable https redirect - set https-replacemsg disable, but I think the problem will be elsewhere.
IE reports the error message: This page cannot be securely connected This may be because your site is using outdated or unsafe TLS security settings. If the problem recurs, try contacting the site owner.
Has anyone solved this problem?
Thanks. Jirka
Hello, anybody? Jirka
6.2.2 is very buggy, have it running on 5 production firewalls, 300D, 100E HA cluster and a few 60E's.
We got that error often, not doing deep SSH inspection, just cert inspection.
I changed most of the browsing policies to flow mode from proxy mode, error gone after that. (Had to re-create most browsing policies and deleted to old ones, some I could change to flow with no issues and some policies had to be recreated.)
Hello, but i have 6.2.3. Everything else works stably and great-except webfiltering. If I create a static URL list it also works ok. The problem only affects FortiGuard webfilter. Jirka
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.