Error Javascript and HTTPS

Report Inappropriate Content · ‎11-21-2007

We have configured a fortigate A60 with url-filter (it blocks webmail) When we activate this filter on https, our users can' t access the login page on www.santanderrio.com.ar (a bank). It doesn' t load the javascripts.

Did anyone have this kind o problem?

rwpatterson · ‎11-21-2007

Tell us the firmware version you are running. It makes a huge difference!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Report Inappropriate Content · ‎11-21-2007

Firmware Version Fortigate-60 3.00,build0405,070109

rwpatterson · ‎11-21-2007

That version of code is rather dated. I do recall that there were HTTPS scanning problems somewhere around that build. It' s been updated and ' fixed' several times since then. I would strongly suggest an upgrade at least to build 410 (patch 7). Patch 11 would be your best bet (build 416).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Report Inappropriate Content · ‎11-21-2007

al times since then. I would strongly suggest an upgrade at least to build 410 (patch 7). Patch 11 would be your best bet (build 416).

I' ll try upgrading the firmware. thanks

jasonb_FTNT · ‎11-21-2007

If you want to use HTTPS webfiltering your best bet is to upgrade to MR5 Patch 3.

Report Inappropriate Content · ‎11-23-2007

I upgraded to patch 11 (build 416) and now the site loads on firefox (still doesn' t load on IE 6 or 7). But on firefox I can' t login. I get this error: SSL_ERROR_ACCESS_DENIED_ALERT (-12194)

jasonb_FTNT · ‎11-23-2007

Can you post your protection profile from the CLI? show firewall profile <profile name>

Report Inappropriate Content · ‎11-26-2007

This are the 2 profiles we use. with either of them we get the same error.

Fortigate-60 # show firewall profile ' Internet Basico' 
  
 config firewall profile
  
     edit " Internet Basico" 
  
         set log-im enable
  
         set log-p2p enable
  
         set log-web-url enable
  
         set ftp no-content-summary splice
  
         set http urlfilter
  
         set https urlfilter
  
         set imap fragmail no-content-summary spamfssubmit
  
         set pop3 fragmail no-content-summary spamfssubmit
  
         set smtp fragmail no-content-summary spamfssubmit splice
  
         set pop3-spamtagtype subject
  
         set imap-spamtagtype subject
  
         set weburlfiltertable 2
  
         set nntp no-content-summary
  
         unset im
  
         set aim enable-inspect block-im inspect-anyport
  
         set icq enable-inspect block-im inspect-anyport
  
         set msn enable-inspect block-im
  
         set yahoo enable-inspect block-im inspect-anyport
  
         set p2p enable
  
         set bittorrent block
  
         set edonkey block
  
         set gnutella block
  
         set kazaa block
  
         set winny block
  
         set skype block
  
     next
  
 end

  
 Fortigate-60 # show firewall profile ' Internet FULL' 
  
 config firewall profile
  
     edit " Internet FULL" 
  
         set log-im enable
  
         set log-p2p enable
  
         set log-web-url enable
  
         set ftp no-content-summary splice
  
         set http urlfilter
  
         set https urlfilter
  
         set imap fragmail no-content-summary spamfssubmit
  
         set pop3 fragmail no-content-summary spamfssubmit
  
         set smtp fragmail no-content-summary spamfssubmit splice
  
         set pop3-spamtagtype subject
  
         set imap-spamtagtype subject
  
         set weburlfiltertable 1
  
         set nntp no-content-summary
  
         unset im
  
         set p2p enable
  
         set bittorrent block
  
         set edonkey block
  
         set gnutella block
  
         set kazaa block
  
         set winny block
  
     next
  
 end

jasonb_FTNT · ‎11-26-2007

Try set https urlfilter allow-ssl-unknown-sess-id In both profiles. If that doesn' t work, your best bet is to try MR5 Patch 3.