Hello!
Does anybody know how the "Inspect All Ports" option in the SSL/SSH inspection profile works? I didn't find detailed information about this option. When I turn off "Inspect All Ports", the FortiGate loses about 200K sessions from the CDN (Content Delivery Network) for 2 of 10 web applications. The CDN downloads static content via these sessions. Users start to get 5xx errors when they try to open the web application, but on the FortiGate I don't see drops in the logs or session resets in the traffic dump. When I turn on "Inspect All Ports" again, the sessions are back and all web applications work fine. It looks like the FortiGate can't process that amount of sessions through the internal proxy. I have FortiOS 7.0.6 and proxy mode for all policies.
Hi,
What was the number of concurrent sessions on the device before changes? And what is the hardware model?
Best regards,
Jin
Hi,
Before the changes the number of concurrent sessions was 300-400K. After that, about 50K. The hardware model is 1100E.
Hi,
That hardware is much more capable: FortiGate 1100E Series Data Sheet (fortinet.com)
So it appears that switching the modes alters the traffic from flow to proxy mode, and the existing sessions could not be proxied from the middle of an ongoing session.
best regards,
Jin
So how can I resolve this issue? I thought that if sessions could not be proxied from the middle of an ongoing session, they are dropped and established again.
Yes, they can be re-established if the clients re-initiate the session immediately or wait for their own TCP timeout to re-initiate again.
best regards,
Jin
Yes, I think you're right. But where are these sessions? As I wrote before, when I turn off "Inspect All Ports" the FortiGate loses about 200K sessions from the CDN and users start to get 5xx errors when they try to open the web application. It means that the CDN tries to create new sessions, but I don't see drops or other errors on the FortiGate.
Users are getting 5xx errors, indicating there is no gateway connectivity on further attempts. So if these sessions are still being initiated and logging of other types of traffic is enabled, we may see them in the logs. You may open a support ticket with the config and sniffers for validation.
best regards,
Jin
Good Day,
Thank you for using the Community Forum.
In addition to the above, you can check if there are any drops on the interface level.
#diag hardware deviceinfo nic
or
#fnsysctl ifconfig portxx (xx = port number)
Thanks,
Feroz
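The interface-drop check Feroz suggests is easiest to judge from two snapshots taken a few minutes apart, since a counter that is merely non-zero may be historical. The following is an added example, not from this thread or from Fortinet: it parses two captures in the classic ifconfig layout (assumed to be what `fnsysctl ifconfig` prints; interface names and counter values are constructed) and reports only the error/drop counters that increased between them.

```python
import re

# Constructed snapshots in ifconfig-style layout (format assumed, values made up).
SNAPSHOT_BEFORE = """\
port1     Link encap:Ethernet  HWaddr 00:09:0F:00:00:01
          RX packets:10000 errors:0 dropped:12 overruns:0 frame:0
          TX packets:9000 errors:0 dropped:0 overruns:0 carrier:0
port2     Link encap:Ethernet  HWaddr 00:09:0F:00:00:02
          RX packets:500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
"""
SNAPSHOT_AFTER = """\
port1     Link encap:Ethernet  HWaddr 00:09:0F:00:00:01
          RX packets:12000 errors:0 dropped:350 overruns:4 frame:0
          TX packets:9800 errors:0 dropped:0 overruns:0 carrier:0
port2     Link encap:Ethernet  HWaddr 00:09:0F:00:00:02
          RX packets:600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:450 errors:0 dropped:0 overruns:0 carrier:0
"""


def parse_ifconfig(text):
    """Return {iface: {"RX dropped": n, "TX errors": n, ...}} from ifconfig-style text."""
    stats, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line starts a new interface
            iface = line.split()[0]
            stats[iface] = {}
            continue
        m = re.match(r"\s+(RX|TX) packets:\d+\s+(.*)", line)
        if m and iface:
            direction, rest = m.groups()
            for key, val in re.findall(r"(\w+):(\d+)", rest):
                stats[iface][f"{direction} {key}"] = int(val)
    return stats


def counter_deltas(before, after, keys=("errors", "dropped", "overruns")):
    """Per interface, the error-type counters that grew between two snapshots."""
    deltas = {}
    for iface, new in after.items():
        old = before.get(iface, {})
        for name, val in new.items():
            if name.split()[1] in keys and val > old.get(name, 0):
                deltas.setdefault(iface, {})[name] = val - old.get(name, 0)
    return deltas


if __name__ == "__main__":
    growth = counter_deltas(parse_ifconfig(SNAPSHOT_BEFORE), parse_ifconfig(SNAPSHOT_AFTER))
    for iface, counters in growth.items():
        print(iface, counters)   # e.g. port1 {'RX dropped': 338, 'RX overruns': 4}
```

Interfaces with no growth are omitted, so an empty result means the NIC counters are not where the missing sessions went and the investigation moves to the proxy and session tables.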