Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Faresnani
New Contributor III

Created on ‎06-05-2024 11:36 PM

FortiGate-3300E v7.2.7 SSL Application Blocking Issue

Hi All,

 

We are experiencing anomalous behavior with our FortiGate-3300E v7.2.7, build 1577, 240131 (GA.M). Specifically, when our clients attempt to access certain government websites, the firewall blocks the sessions for SSL, while allowing SSL_TLSv1.2 and SSL_TLSv1.3 protocols.

The issue persists even after adding the websites to the override web filter as exempt and configuring the Application Control for Network Service to allow all. Please refer to the attached screenshot for more details.

Your assistance in resolving this matter would be greatly appreciated.

 

Omran Mohamed

Best regards,

 

FortiGate 

 

Application ControlApplication ControlForward Traffic LogsForward Traffic LogsWeb FilteringWeb Filtering

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
1056
0 Kudos
7 REPLIES 7
mahesh_pm
New Contributor III

Created on ‎06-06-2024 12:56 AM

hi,

 

can you please check the SSL log from log&report -->SSL ... then filter source IP and check if any certificate error exists?

Cheers,
Cheers,
1023
Faresnani
New Contributor III
In response to mahesh_pm

Created on ‎06-06-2024 01:04 AM

I found these as shown ss.PNGssl-log.PNGss-log.PNG

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
1019
mahesh_pm
New Contributor III

Created on ‎06-06-2024 01:16 AM

Hi,

 

Please inspect the following link and test it on an isolated PC. Create a separate SSL profile for this PC to check if the issue is resolved.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-allow-HTTPS-port-443-traffic-... 

Cheers,
Cheers,
1012
Faresnani
New Contributor III
In response to mahesh_pm

Created on ‎06-06-2024 01:23 AM

Thank you very much for your support, @mahesh_pm  . We will review the article, test the solution, and provide feedback.

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
1000
0 Kudos
smaruvala
Staff
Staff

Created on ‎06-06-2024 01:26 AM

Hi, 

 

- As @mahesh_pm mentioned it looks like certificate probe issue. 

- Can you check if the same issue is seen when you use policy in proxy mode instead of the flow mode?

- This could be matching a reported issue of 994101 as well.

 

Regards,

Shiva

994
Faresnani
New Contributor III
In response to smaruvala

Created on ‎06-06-2024 03:00 AM

Hi @smaruvala 

 

Good day to you 

 

yes we already using Proxy mode in the policy 

Policy SettingPolicy SettingPolicyPolicy

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
945
0 Kudos
mahesh_pm
New Contributor III

Created on ‎06-06-2024 05:53 AM Edited on ‎06-06-2024 06:02 AM

Hi,

 

please create a new SSL profile with the below settings and enable it on policy. 

ssl.JPG

 

 

if still the issue exists try the below activity .

 

on the cli

 

config firewall ssl-ssh-profile
edit SSL-TEST 

config https 

set cert-probe-failure allow

end

Cheers,
Cheers,
896
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.