Hi,
We have an 80F firewall we are wanting to put into production but need to be able to troubleshoot these types of issues reliably. We have deep packet inspection turned on with a CA certificate approved by our AD CS (no warning messages when visiting websites).
The Facebook Messenger application is unable to send/receive messages; however, messenger.com works fine without issue. If we add facebook.com to the exception list, the Facebook Messenger application begins to work as well.
What may we be able to do to have these types of issues work without beginning to add a bunch of exemptions into our SSL inspection, defeating the purpose of the firewall?
Hello Whitoaks,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello,
Could you please tell me which version your FortiGate-80F is running?
Thanks a lot in advance.
Regards,
It is good that you have deep packet inspection enabled and a CA certificate approved by the AD CS. Still, it can be frustrating when some applications work differently than expected. Remember that the Facebook Messenger app may use a different SSL certificate or encryption method than the one used by messenger. This could be the cause of a firewall issue. Another option is to consider alternative messenger apps that prioritize security and privacy. I found Jtwhatsapp https://terezast.com/the-safest-messengers-for-pcs-and-smartphones/ a couple of weeks ago, and I am thrilled, as these apps are great for confidential conversations. Good luck, and let us know if you find a solution!
Hey Whiteoaks,
DPI can have some limitations, especially if the connection you're trying to inspect uses HSTS. In that case, it's not really possible to do deep inspection, as the certificate replacement would be noticed and the connection refused (with HSTS, the client expects specific certificates signed by specific certificate authorities, and the FGT certificate, though signed by a trusted CA, would still not be accepted, because the certificate would NOT come from the specified authority).
-> A lot of Facebook-related websites and applications use HSTS to my knowledge, so you might be running into that issue? Unfortunately there isn't really a good solution for this :\
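To make the failure mode above concrete, here is an added diagnostic script (not from this thread or from Fortinet) that shows what a client sees when a FortiGate re-signs a connection: the issuer of the presented certificate becomes the internal inspection CA, and a client that pins the original certificate's SHA-256 fingerprint will refuse the connection even though the replacement chains to a CA the OS trusts. The inspection CA name, the "Example Public CA" issuer, and the DER byte strings are constructed placeholders; the `probe()` function does a live check and needs network access from a machine that trusts the inspection CA.

```python
"""Classify a TLS connection as direct, re-signed by an inspecting firewall,
or re-signed in a way a certificate-pinning client would reject.

Added example for troubleshooting SSL deep inspection; not the forum's or
Fortinet's code. CA names and certificate bytes below are constructed.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional, Tuple

# Assumed commonName of the internal CA the firewall re-signs with (placeholder).
INSPECTION_CA_CN = "Example-Corp-DPI-CA"


def issuer_cn(cert: Dict) -> Optional[str]:
    """Extract the issuer commonName from an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the value a pinning client compares."""
    return hashlib.sha256(der).hexdigest()


def classify(cert: Dict, der: bytes, pinned_fp: Optional[str] = None) -> str:
    """Return one of:
      'inspected-pin-mismatch' : re-signed by the inspection CA and the pinned
                                 fingerprint no longer matches (pinning app fails)
      'inspected'              : re-signed by the inspection CA, no pin in play
      'direct'                 : the origin's own certificate reached the client
    """
    inspected = issuer_cn(cert) == INSPECTION_CA_CN
    if inspected and pinned_fp is not None and fingerprint(der) != pinned_fp:
        return "inspected-pin-mismatch"
    if inspected:
        return "inspected"
    return "direct"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[Dict, bytes]:
    """Live check from a client behind the firewall. The default context only
    returns a parsed cert when validation succeeds, so the probing machine must
    trust the inspection CA (as the domain-joined clients in the thread do)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample data standing in for getpeercert() output.
ORIGINAL_DER = b"constructed-der-bytes-of-origin-certificate"
RESIGNED_DER = b"constructed-der-bytes-of-firewall-resigned-certificate"
ORIGINAL_CERT = {"issuer": ((("commonName", "Example Public CA"),),)}
RESIGNED_CERT = {"issuer": ((("commonName", INSPECTION_CA_CN),),)}
# A pinning app ships with the fingerprint of the certificate it expects.
APP_PIN = fingerprint(ORIGINAL_DER)


if __name__ == "__main__":
    # Offline demonstration: a pinning app versus a browser on an inspected network.
    print("pinning app, inspected :", classify(RESIGNED_CERT, RESIGNED_DER, APP_PIN))
    print("browser, inspected     :", classify(RESIGNED_CERT, RESIGNED_DER))
    print("pinning app, exempted  :", classify(ORIGINAL_CERT, ORIGINAL_DER, APP_PIN))
    # Live use, from a client on the inspected network:
    #   cert, der = probe("example.invalid")
    #   print(classify(cert, der))
```

Running `probe()` against a host once from a client behind the FortiGate and once from an exempted path tells you whether the firewall is actually re-signing that host, which is the first thing to establish before deciding whether an app's failure is due to pinning rather than to policy or DNS.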
Copyright 2023 Fortinet, Inc. All Rights Reserved.