- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ERR_SSL_PROTOCOL_ERROR on Google Chrome
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ERR_SSL_PROTOCOL_ERROR on Google Chrome
We are having a bizarre problem since updating to 6.2.1 (we updated due to a memory leak issue in 6.2.0).
Certain sites are giving us a ERR_SSL_PROTOCOL_ERROR only in Google Chrome. I have tried all the usual troubleshooting for this error, but the only thing that fixes it is restarting the fortigate. Two sites (facebook.com and login.renweb.com) both use TLS 1.3, but we can get to facebook without a problem and we cannot get to the other site. After rebooting the device, it works for several days and then starts behaving poorly again.
Other browsers work fine, including Internet Explorer, Edge (not Chromium based) and Firefox.
I have attempted to disable SSL certificate inspection, but that does not seem to affect the problem one way or another. I also tried putting the fortigate back on its factory certificate.
My next step will be to revert to 6.0 branch, where I did not experience this issue, but I figured I would post first to see if anyone had similar experiences.
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have anybody used curl against theses sites? Inspect the certificate and if you see any stale cert clear them. You can also test in a incognito window and see if the problem exists.
It sounds like a browser issues. FWIW. I check all of those sites from fortios v6.2.3 and see no issues using chrome on windows { Version 78.0.3904.87 (Official Build) (64-bit) }
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick update, I believe we solved the problem, or at least my problem. I haven't fulled vetted this out yet, but so far, so good.
All of my static URL Web Filters end with:
* wildcard block
I changed it to:
[^.] regex block
and now everything works as it should. Wanted to get this out these asap in case it helps anyone.
37 REPLIES 37
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just posted “Weak impersonation certificates blocking access to sites using ECC certificates”, then saw this post. The two are possibly related.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I have been digging into this a little more and I think I have some leads. Seadave is on point with proxy vs flow mode in my testing. I found that AV, certificate settings, or any other security profiles made no difference being enabled or disabled. I am interested to hear from anyone who has a situation different to this. I expect to be affected, you will need to be using:
- Proxy mode in the policy
- HTTP proxy in the proxy profile (on port 80 in my case which is confusing for a secure site?)
Since you can now choose Flow Based vs Proxy on a per policy level now in 6.2 - you have a couple of work around options.
1. When the issue starts occurring, access the device CLI and execute the following command to restart the proxy service:
diagnose test application wad 99
I ran this command in the middle of the day without noticing any problems, but use this at your own risk!
2. Reboot the firewall
3. Create a new copy of the policy above the affected policy, targeting affected destination websites IP addresses (least impact on security, but a pain to manage). Set this policy to flow mode or use a proxy policy that has HTTP proxy disabled.
4. Create a new policy using a proxy policy that has HTTP disabled and apply this to the proxy settings on the affected firewall policy.
5. Change the policy from proxy to flow mode.
Obviously you will need to consider how the reduction in protection affects your risk, and don't forget to change back after the issue is resolved in a future firmware update. Hope this helps.
We are pushing on this because we really want to leverage new features in 6.2 - Please fix this soon FortiNet!
Hope this helps, please consider giving me a vote if you found this useful!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mostly this error occurs due to the server issues and a lack of client authentication. There are some other reasons for ERR_SSL_PROTOCOL_ERROR on Google Chrome and you can fix this with https://www.clickssl.net/blog/fix-err_ssl_protocol_error-for-google-chrome this guide.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're running into a bug related to the SSL handshake & certificate-inspection profile when policy is set to proxy mode. Switch to flow-based inspection for now. Hoping this bug is fixed in 6.2.2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same error in my chrome for one of my website and I got resolved it by removing history data and setting the clear state protocol clear from the chrome browser. There are other possible reasons for this error. You can refer this guide if you want, they mention all possible causes for this error:
Steps to Fix NET::ERR_SSL_PROTOCOL_ERROR in Chrome
Voluntarily write blogs on Cyber Security & Encryption
Voluntarily write blogs on Cyber Security & Encryption
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've had similar issues since my rollup.
All Chrome and Chromebooks broke.
My resolution:
I rebuilt all of the SSL inspection exemptions and web filter exemptions adding these links:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
i have the same problem on 6.2.3. I am unable to display the blocked https page correctly. In Chrome it ends with an "ERR_CONNECTION_RESET" error. HTTP queries work correctly. I have set up cert-inspection, flow policy and use only the FortiGuard category. In the profile configuration I tried to disable https redirect - set https-replacemsg disable, but I think the problem will be elsewhere.
IE reports the error message: This page cannot be securely connected This may be because your site is using outdated or unsafe TLS security settings. If the problem recurs, try contacting the site owner.
Has anyone solved this problem?
Thanks. Jirka
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, anybody? Jirka
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
6.2.2 is very buggy, have it running on 5 production firewalls, 300D, 100E HA cluster and a few 60E's.
We got that error often, not doing deep SSH inspection, just cert inspection.
I changed most of the browsing policies to flow mode from proxy mode, error gone after that. (Had to re-create most browsing policies and deleted to old ones, some I could change to flow with no issues and some policies had to be recreated.)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, but i have 6.2.3. Everything else works stably and great-except webfiltering. If I create a static URL list it also works ok. The problem only affects FortiGuard webfilter. Jirka
Related Posts
- Setting SSL/SSH inspection profile causes most... 155 Views
- ERR_EMPTY_RESPONSE only using Google Chrome accessing... 3848 Views
- FortiGate dailymotion block about 300 Views
- vm IMAGE 513 Views
- Chrome browser extension error with Forticlient... 1116 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.