Hello!
Starting today, we're seeing multiple issues with the SSL DPI breaking quite a few applications in the org, that were working fine as of last week.
I'm having trouble locating any logs or details as to what or why this is occurring.
Some examples are.
And other applications, such as browser add-ons and such.
Disabling SSL DPI fixes the issue immediately.
Logs are empty
Cert is still valid
Disabling security controls individually does nothing
Does anyone have any thoughts, or some additional troubleshooting methods I can take?
UPDATE: Worked with FortiGate support. We swapped from Flow to Proxy and seemed to fix the issue, but it was intermittent today, where it was very consistent before. Still couldn't explain why this suddenly started occurring, but my best guess is from a change I made recently due to a DDoS attack that caused our traffic to route through a third-party mitigation service. I had to adjust the MTU to 1476 to alleviate some issues, and my best guess is this somehow had/has issues with Flow-based mode.
I have since reverted back to the default MTU & re-enabled Flow to see if the issue is resolved.
Per tech response: "- I informed you that when using deep inspection, proxy-based should be selected for the firewall policy."
UPDATE #2: Swapped back to Proxy mode. Flow kept giving additional network connection issues.
Hello dlarson,
The issue you are facing closely resembles the TLS 1.3 hybridized Kyber support. Currently the workaround is to swap the policy's inspection mode from flow-based to proxy-based.
Here are some other posts discussing the issue:
https://community.fortinet.com/t5/Support-Forum/Application-Control-and-Web-filter-is-not-blocking-w...
https://community.fortinet.com/t5/Support-Forum/SSL-Deep-Inspection-Google-Chrome/td-p/286352
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filter-is-not-blocking-websites-on-Goo...
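A defender-side check related to the reply above, added here as an example and not code from the thread or from Fortinet: it parses a captured TLS ClientHello record, reports whether the client offers a hybrid Kyber key share, and whether the hello still fits in one TCP segment at a given MTU. The sample hellos are constructed (zero-filled keys, a 500-byte padding extension standing in for a browser's other extensions); `assess`, `build_hello` and the 40-byte header allowance are assumptions of this example.

```python
import struct

# IANA TLS named-group codepoints for hybrid post-quantum key shares.
HYBRID_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}

def key_share_groups(record: bytes) -> list:
    """Return the named groups offered in a ClientHello's key_share extension."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 51:                               # key_share
            groups, p, stop = [], pos + 2, min(pos + ext_len, len(record))
            while p + 4 <= stop:
                group, key_len = struct.unpack_from("!HH", record, p)
                groups.append(group)
                p += 4 + key_len
            return groups
        pos += ext_len
    return []

def assess(record: bytes, mtu: int) -> dict:
    """Flag hybrid key shares and whether the hello exceeds one TCP segment at this MTU."""
    mss = mtu - 40                        # assumption: IPv4 + TCP headers, no options
    hybrid = [HYBRID_GROUPS[g] for g in key_share_groups(record) if g in HYBRID_GROUPS]
    return {"hybrid": hybrid, "bytes": len(record), "spans_segments": len(record) > mss}

def build_hello(shares, other=500) -> bytes:
    """Constructed sample: zero-filled key shares plus `other` bytes standing in for other extensions."""
    entries = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    exts = (struct.pack("!HH", 21, other) + bytes(other)            # padding extension
            + struct.pack("!HHH", 51, len(entries) + 2, len(entries)) + entries)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    samples = {"x25519 only": [(0x001D, 32)], "hybrid": [(0x6399, 1216), (0x001D, 32)]}
    for name, shares in samples.items():
        print(name, assess(build_hello(shares), mtu=1476))
```

On a real capture, pass the reassembled ClientHello record bytes to `assess` in place of the constructed samples.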
Thanks for this! We've had some other network issues internally so I'm glad to know it's not a misconfiguration.
Copyright 2024 Fortinet, Inc. All Rights Reserved.