Forti_Newbie
New Contributor

FortiGate's option "Inspect All Ports" affects traffic

Hello!

Does anybody know how the "Inspect All Ports" option in the SSL/SSH inspection profile works? I didn't find detailed information about this option. When I turn off "Inspect All Ports", the FortiGate loses about 200K sessions from the CDN (Content Delivery Network) for 2 of 10 web applications. The CDN downloads static content via these sessions. Users start to get 5xx errors when they try to open the web application, but on the FortiGate I don't see drops in the logs or session resets in the traffic dump. When I turn on "Inspect All Ports" again, the sessions come back and all web applications work fine. It looks like the FortiGate can't process that many sessions through the internal proxy. I have FortiOS 7.0.6 and proxy mode for all policies.

jintrah_FTNT
Staff

Hi,

What was the number of concurrent sessions on the device before changes? And what is the hardware model?


Best regards,

Jin

Forti_Newbie

Hi,

Before the changes, the number of concurrent sessions was 300-400K. After that, about 50K. The hardware model is 1100E.

jintrah_FTNT

Hi,


That hardware is much more capable: FortiGate 1100E Series Data Sheet (fortinet.com)

So it appears that switching the modes is altering the traffic from flow to proxy mode, and the existing sessions could not be proxied from the middle of an ongoing session.


best regards,

Jin

Forti_Newbie

So how can I resolve this issue? I thought that if sessions could not be proxied from the middle of an ongoing session, they are dropped and established again.

jintrah_FTNT

Yes, they can be re-established if the client reinitiates the session immediately or waits for its own TCP timeout to reinitiate.


best regards,

Jin


Forti_Newbie
New Contributor

Yes, I think you're right. But where are these sessions? As I wrote before, when I turn off "Inspect All Ports" the FortiGate loses about 200K sessions from the CDN and users start to get 5xx errors when they try to open the web application. It means that the CDN tries to create new sessions, but I don't see drops or other errors on the FortiGate.

jintrah_FTNT

Users are getting 5xx errors, indicating there is no gateway connectivity upon further attempts. So if these sessions are still being initiated and logging of other types of traffic is enabled, we may see them in the logs. You may open a support ticket with the config and sniffers for validation.


best regards,

Jin

sferoz
Staff

Good Day,

Thank you for using the Community Forum.


In addition to the above, you can check if there are any drops at the interface level.


#diag hardware deviceinfo nic

or

#fnsysctl ifconfig portxx (xx = port number)

Thanks,
Feroz
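An added example (not from this thread and not Fortinet's code) that makes the interface-drop check above repeatable: it parses two snapshots of ifconfig-style counters, in the classic layout that fnsysctl ifconfig prints, and reports only the error/drop/overrun counters that grew between them, so a change in the inspection profile can be tied to a measured counter increase. The counter layout is assumed to be the classic ifconfig one and the two snapshots are constructed sample data.

```python
import re

# Matches one classic ifconfig counter line (RX/TX packets, errors, dropped, overruns).
COUNTER_RE = re.compile(
    r"^\s*(?P<dir>RX|TX) packets:(?P<packets>\d+) errors:(?P<errors>\d+)"
    r" dropped:(?P<dropped>\d+) overruns:(?P<overruns>\d+)"
)
FIELDS = ("packets", "errors", "dropped", "overruns")

def parse_ifconfig(text):
    """Return {'RX': {...}, 'TX': {...}} of integer counters for one port."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("dir")] = {k: int(m.group(k)) for k in FIELDS}
    return counters

def counter_delta(before, after):
    """Per-direction growth of every counter between two snapshots of the same port."""
    return {
        d: {k: after[d][k] - before[d][k] for k in FIELDS}
        for d in ("RX", "TX") if d in before and d in after
    }

def drop_report(before, after):
    """List (direction, grown_counters) where errors/drops/overruns increased."""
    flagged = []
    for direction, vals in counter_delta(before, after).items():
        grown = {k: v for k, v in vals.items() if k != "packets" and v > 0}
        if grown:
            flagged.append((direction, grown))
    return flagged

# Constructed sample output in the classic ifconfig layout (not real device data).
SNAPSHOT_BEFORE = """\
port1     Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          RX packets:1000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:900 errors:0 dropped:0 overruns:0 carrier:0
"""
SNAPSHOT_AFTER = """\
port1     Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          RX packets:5000 errors:0 dropped:250 overruns:3 frame:0
          TX packets:4200 errors:0 dropped:0 overruns:0 carrier:0
"""

if __name__ == "__main__":
    b, a = parse_ifconfig(SNAPSHOT_BEFORE), parse_ifconfig(SNAPSHOT_AFTER)
    for direction, grown in drop_report(b, a):
        print(f"{direction}: {grown}")  # RX: {'dropped': 250, 'overruns': 3}
```

Take the first snapshot before changing the profile and the second after the session count falls; a report with no grown counters means the missing sessions are not being lost at the NIC, which supports opening the ticket with config and sniffer captures as suggested above.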
