Faresnani
New Contributor III

FortiGate-3300E v7.2.7 SSL Application Blocking Issue

Hi All,

 

We are experiencing anomalous behavior with our FortiGate-3300E v7.2.7, build 1577, 240131 (GA.M). Specifically, when our clients attempt to access certain government websites, the firewall blocks the sessions for SSL, while allowing SSL_TLSv1.2 and SSL_TLSv1.3 protocols.

The issue persists even after adding the websites to the override web filter as exempt and configuring the Application Control for Network Service to allow all. Please refer to the attached screenshot for more details.

Your assistance in resolving this matter would be greatly appreciated.

 

Omran Mohamed

Best regards,

 

FortiGate 

 

[Attached screenshots: Application Control, Forward Traffic Logs, Web Filtering]

Omran Mohamed
Network Security Engineer
7 REPLIES
mahesh_pm
New Contributor III

Hi,

Can you please check the SSL log from Log & Report --> SSL ... then filter by source IP and check if any certificate error exists?

Cheers,
Faresnani
New Contributor III

I found these, as shown. [Attached screenshots: ss.PNG, ssl-log.PNG, ss-log.PNG]

Omran Mohamed
Network Security Engineer
mahesh_pm
New Contributor III

Hi,

 

Please inspect the following link and test it on an isolated PC. Create a separate SSL profile for this PC to check if the issue is resolved.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-allow-HTTPS-port-443-traffic-... 

Cheers,
Faresnani
New Contributor III

Thank you very much for your support, @mahesh_pm. We will review the article, test the solution, and provide feedback.

Omran Mohamed
Network Security Engineer
smaruvala
Staff

Hi, 

 

- As @mahesh_pm mentioned, it looks like a certificate probe issue.

- Can you check if the same issue is seen when you use policy in proxy mode instead of the flow mode?

- This could be matching a reported issue of 994101 as well.

 

Regards,

Shiva

Faresnani
New Contributor III

Hi @smaruvala 

 

Good day to you 

 

Yes, we are already using Proxy mode in the policy.

[Attached screenshots: Policy Setting, Policy]

Omran Mohamed
Network Security Engineer
mahesh_pm
New Contributor III

Hi,

 

Please create a new SSL profile with the below settings and enable it on the policy.

[Attached screenshot: ssl.JPG]

If the issue still exists, try the below activity.

On the CLI:

config firewall ssl-ssh-profile
    edit SSL-TEST
        config https
            set cert-probe-failure allow
        end
    next
end

Cheers,