FortiGate SSL Inspection suddenly breaking applications.
Hello!
Starting today, we're seeing multiple issues with the SSL DPI breaking quite a few applications in the org, that were working fine as of last week.
I'm having trouble locating any logs or details as to what or why this is occurring.
Some examples are:
- Printix - Printing fails entirely
- Slack - Pasting images fails
- Zoom - Fails to connect to meetings
And other applications, such as browser add-ons.
Disabling SSL DPI fixes the issue immediately.
Logs are empty
Cert is still valid
Disabling security controls individually does nothing
Does anyone have any thoughts, or some additional troubleshooting methods I can take?
Labels: FortiGate, SSL SSH inspection
UPDATE: Worked with FortiGate support; we swapped from Flow to Proxy, which seemed to fix the issue, but it was intermittent today, where it was very consistent before. Still couldn't explain why this suddenly started occurring, but my best guess is that it's from a change I made recently due to a DDoS attack that caused our traffic to route through a third-party mitigation service. I had to adjust the MTU to 1476 to alleviate some issues, and my best guess is this somehow had/has issues with Flow-based mode.
I have since reverted back to the default MTU & re-enabled Flow to see if the issue is resolved.
Per tech response: "- I informed you that when using deep inspection, proxy-based should be selected for the firewall policy."
UPDATE #2: Swapped back to Proxy mode. Flow kept giving additional network connection issues.
Hello dlarson,
The issue you are facing closely resembles the TLS 1.3 hybridized Kyber support issue. Currently the workaround is to swap the policy's inspection mode from flow-based to proxy-based.
Here are some other posts discussing the issue:
https://community.fortinet.com/t5/Support-Forum/Application-Control-and-Web-filter-is-not-blocking-w...
https://community.fortinet.com/t5/Support-Forum/SSL-Deep-Inspection-Google-Chrome/td-p/286352
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filter-is-not-blocking-websites-on-Goo...
Anthony.
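As an added example (not code from this thread or from Fortinet): a small Python parser that pulls the key_share groups out of a TLS 1.3 ClientHello, flags the hybrid Kyber/ML-KEM groups Anthony refers to, and checks whether the hello still fits in one TCP segment at the 1476-byte MTU mentioned in the update above. The codepoints 0x6399 and 0x11EC, the 40-byte IPv4+TCP header allowance, and the constructed sample hello (with a padding extension standing in for a browser's other extensions) are my assumptions, not captured traffic.

```python
import struct

# Hybrid key-share codepoints (assumed, not from the thread): X25519Kyber768Draft00, X25519MLKEM768
HYBRID_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}

def build_client_hello(key_shares, filler=0):
    """Construct a TLS record with a minimal TLS 1.3 ClientHello. key_shares: [(group, pubkey)];
    filler: bytes of a padding extension standing in for the SNI/ALPN/etc. a browser sends."""
    entries = b"".join(struct.pack("!HH", g, len(pk)) + pk for g, pk in key_shares)
    key_share = struct.pack("!HHH", 0x0033, len(entries) + 2, len(entries)) + entries
    groups = b"".join(struct.pack("!H", g) for g, _ in key_shares)
    supported_groups = struct.pack("!HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    padding = struct.pack("!HH", 0x0015, filler) + b"\x00" * filler if filler else b""
    exts = supported_groups + key_share + padding
    body = (b"\x03\x03" + b"\x00" * 32        # legacy_version, client random (zeroed)
            + b"\x00"                          # empty legacy_session_id
            + b"\x00\x02\x13\x01"              # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def key_share_groups(record):
    """Walk a ClientHello record and return [(group_id, key_length), ...] from key_share."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    p = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    p += 1 + record[p]                         # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                         # compression_methods
    p, end = p + 2, p + 2 + struct.unpack("!H", record[p:p + 2])[0]   # extensions block
    found = []
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0033:                    # key_share: skip the 2-byte list length
            q = p + 2
            while q < p + elen:
                g, klen = struct.unpack("!HH", record[q:q + 4])
                found.append((g, klen))
                q += 4 + klen
        p += elen
    return found

def triage(record, mtu=1476):
    """Flag hybrid PQ shares and whether the hello overflows one segment at this MTU
    (assumes 40 bytes of IPv4+TCP headers, so a hello above mtu-40 spans segments)."""
    shares = key_share_groups(record)
    hybrid = [HYBRID_GROUPS[g] for g, _ in shares if g in HYBRID_GROUPS]
    return {"hybrid": hybrid, "size": len(record), "multi_segment": len(record) > mtu - 40}
```

Run `triage()` over a hello built with a 1216-byte X25519Kyber768 share next to one built with only a 32-byte x25519 share to see why the former no longer fits in a single segment, which is the kind of ClientHello a flow-based inspector that only examines the first packet fails to classify.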
Thanks for this! We've had some other network issues internally so I'm glad to know it's not a misconfiguration.