Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dlarson
New Contributor II

FortiGate SSL Inspection suddenly breaking applications.

Hello!

 

Starting today, we're seeing multiple issues with the SSL DPI breaking quite a few applications in the org, that were working fine as of last week.

 

I'm having trouble locating any logs or details as to what or why this is occurring. 

 

Some examples are.

  • Printix Printing fails entirely
  • Slack - Pasting images fails
  • Zoom - Fails to connect to meetings

And other applications, such as browser add ons and such.

Disable SSL DPI fixes the issue immediately.

 

Logs are empty

Cert is still valid

Disable security controls individually does nothing

 

 

Does anyone have any thoughts, or some additional troubleshooting methods I can take?

13 REPLIES 13
dlarson
New Contributor II

UPDATE: Worked with FortiGate support we swapped from Flow to Proxy we seemed to fix the issue, but it was intermittent today, where it was very consistent before. Still couldn't explain why this suddenly started occurring, but my best guess is from a change I made recently due to a DDOS attack that caused our traffic to route through a third party mitigation service. I had to adjust the MTU to 1476 to alleviate some issues, and my best guess is this somehow had/has issues with Flow-based mode.

 

I have since reverted back to the default MTU & re-enabled Flow to see if the issue is resolved.

 

Per tech response: "- I informed you that when using deep inspection, proxy-based should be selected for the firewall policy."

dlarson
New Contributor II

UPDATE #2: Swapped back to Proxy mode. Flow kept giving additional network connection issues.

AnthonyH

Hello dlarson,

 

The issue you are facing closely resembles the tls1.3 hybridized kyber support. Currently the workaround is to swap the policies inspection mode from flow based to proxy based.

Here are some other posts discussing the issue:
https://community.fortinet.com/t5/Support-Forum/Application-Control-and-Web-filter-is-not-blocking-w...
https://community.fortinet.com/t5/Support-Forum/SSL-Deep-Inspection-Google-Chrome/td-p/286352
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filter-is-not-blocking-websites-on-Goo...

Technical Support Engineer,
Anthony.
dlarson
New Contributor II

Thanks for this! We've had some other network issues internally so I'm glad to know it's not a misconfiguration.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors