Support Forum
Nicolas_Marengo
New Contributor

FortiOS 5.2 Web Filter SSL 1.0

Wondering if anyone is having the same issue. I did raise a ticket with Fortinet, but they closed the ticket saying that they didn't think there was an issue and that I should reload the firmware and roll back if it breaks anything. As I don't have a test lab, I wanted to see if anyone has encountered this before I go ahead.

It seems that on FortiOS 5.2, when you do "SSL Certificate Inspection" and you are using the web filter categories, something does not work if the website has got a certificate which is TLS 1.0. All it does is "hang" until the request times out. Looking at the FortiAnalyzer logs, the request was "allowed", but nothing is shown in the computer browser.

I had a cluster of 2 FortiGate 60Cs on the latest 5.0 patch, and it was all working fine. I recently upgraded the cluster to FortiGate 100Ds and I've also upgraded the firmware to 5.2. I re-worked all the policies pretty much from scratch to make sure they were imported correctly into the new firmware.

While certificate inspection is on, only websites which have got a TLS of 1.1 or higher work. Websites with a TLS of 1.0 seem to time out with no outcome at all in the browser. When turning SSL inspection off for port 443, these websites start working straight away.

Example of websites that won't load:

- https://online.sesame.co.uk/Pages/default.aspx
- https://exweb.exchange.uk.com/Public/Login/logDefault.aspx
- https://www.business.hsbc.co.uk/1/2/bib
- https://broker.nemo-loans.co.uk/Login.aspx

I have got TLS 1.0, 1.1 and 1.2 enabled for all browsers.
hklb
Contributor II

Hello, I just tested at home on a FGT60D, and all works fine (with the default profile). I tried with proxy mode and flow-based mode. Can you export the web filter and SSL interception profile you use in your policy? That way I can import the same in my lab.
netmin
Contributor II

I have never seen such issues either. Our certificate-inspection profile is also allowing invalid certificates, if that makes the difference.
Nicolas_Marengo
New Contributor

Thanks @hklb. This should be all the config needed to mimic mine on yours.

```
config webfilter profile
    edit "MonitorUserActivity"
        set comment "log all user activity"
        set inspection-mode flow-based
        config override
            set ovrd-user-group ""
        end
        config web
            set safe-search url
            set log-search enable
        end
        config ftgd-wf
            set options error-allow
            set category-override 146 142
            config filters
                edit 105
                    set category 146
                next
                edit 62
                    set category 140
                next
                edit 63
                    set category 141
                next
                edit 26
                    set category 83
                    set action block
                next
                edit 22
                    set category 5
                    set action block
                next
                edit 19
                    set category 1
                    set action block
                next
                edit 23
                    set category 6
                    set action block
                next
                edit 6
                    set category 12
                    set action block
                next
                edit 20
                    set category 3
                    set action block
                next
                edit 21
                    set category 4
                    set action block
                next
                edit 25
                    set category 62
                    set action block
                next
                edit 24
                    set category 59
                    set action block
                next
                edit 27
                    set category 7
                    set action block
                next
                edit 28
                    set category 9
                    set action block
                next
                edit 29
                    set category 64
                    set action block
                next
                edit 30
                    set category 2
                    set action block
                next
                edit 31
                    set category 15
                    set action block
                next
                edit 32
                    set category 11
                    set action block
                next
                edit 33
                    set category 66
                    set action block
                next
                edit 34
                    set category 57
                    set action block
                next
                edit 35
                    set category 13
                    set action block
                next
                edit 36
                    set category 8
                    set action block
                next
                edit 37
                    set category 14
                    set action block
                next
                edit 38
                    set category 63
                    set action block
                next
                edit 39
                    set category 67
                    set action block
                next
                edit 40
                    set category 65
                    set action block
                next
                edit 41
                    set category 16
                    set action block
                next
                edit 42
                    set category 24
                    set action block
                next
                edit 43
                    set category 19
                    set action block
                next
                edit 44
                    set category 75
                    set action block
                next
                edit 45
                    set category 76
                    set action block
                next
                edit 46
                    set category 72
                    set action block
                next
                edit 47
                    set category 25
                    set action block
                next
                edit 48
                    set category 26
                    set action block
                next
                edit 49
                    set category 61
                    set action block
                next
                edit 50
                    set category 86
                    set action block
                next
                edit 67
                    set category 17
                next
                edit 68
                    set category 29
                next
                edit 69
                    set category 18
                next
                edit 70
                    set category 77
                next
                edit 71
                    set category 82
                next
                edit 72
                    set category 71
                next
                edit 73
                    set category 85
                next
                edit 74
                    set category 54
                next
                edit 75
                    set category 30
                next
                edit 76
                    set category 28
                next
                edit 77
                    set category 58
                next
                edit 51
                    set category 20
                    set action block
                next
                edit 52
                    set category 40
                    set action block
                next
                edit 78
                    set category 33
                next
                edit 53
                    set category 69
                    set action block
                next
                edit 79
                    set category 34
                next
                edit 54
                    set category 55
                    set action block
                next
                edit 80
                    set category 35
                next
                edit 81
                    set category 36
                next
                edit 82
                    set category 70
                next
                edit 83
                    set category 87
                next
                edit 84
                    set category 48
                next
                edit 85
                    set category 80
                next
                edit 55
                    set category 38
                    set action block
                next
                edit 86
                    set category 78
                next
                edit 87
                    set category 39
                next
                edit 88
                    set category 79
                next
                edit 89
                    set category 42
                next
                edit 56
                    set category 37
                    set action block
                next
                edit 90
                    set category 44
                next
                edit 91
                    set category 46
                next
                edit 92
                    set category 47
                next
                edit 57
                    set category 68
                    set action block
                next
                edit 58
                    set category 23
                    set action block
                next
                edit 93
                    set category 53
                next
                edit 94
                    set category 49
                next
                edit 95
                    set category 31
                next
                edit 96
                    set category 43
                next
                edit 97
                    set category 51
                next
                edit 98
                    set category 52
                next
                edit 99
                    set category 50
                next
                edit 100
                    set category 41
                next
                edit 101
                    set category 81
                next
                edit 102
                    set category 56
                next
                edit 103
                    set category 84
                next
                edit 104
                next
            end
        end
    next
end
config firewall ssl-ssh-profile
    edit "ssl-check"
        config ssl
            set allow-invalid-server-cert enable
        end
        config https
            set ports 443
            set status certificate-inspection
            set allow-invalid-server-cert enable
        end
        config ftps
            set ports 990
            set status disable
            set allow-invalid-server-cert enable
        end
        config imaps
            set ports 993
            set status disable
            set allow-invalid-server-cert enable
        end
        config pop3s
            set ports 995
            set status disable
            set allow-invalid-server-cert enable
        end
        config smtps
            set ports 465
            set status disable
            set allow-invalid-server-cert enable
        end
        config ssh
            set ports 22
            set status disable
        end
    next
end
config firewall policy
    edit 94
        set uuid f06d4a84-038a-51e4-868e-3dd494a82a08
        set srcintf "port9"
        set dstintf "wan1"
        set srcaddr "Internal Data Network"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Web Access" "NTP" "Email Access"
        set utm-status enable
        set fsso enable
        set groups "FSSO_Users" "SSO_Guest_Users"
        set av-profile "default"
        set webfilter-profile "MonitorUserActivity"
        set dlp-sensor "DLP_Reassured"
        set application-list "Block Apps - Users"
        set profile-protocol-options "default"
        set ssl-ssh-profile "ssl-check"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
        set nat enable
    next
end
config application list
    edit "Block Apps - Users"
        config entries
            edit 1
                set category 19
            next
            edit 2
                set category 8
            next
            edit 3
                set category 6
            next
            edit 4
                set category 22
            next
            edit 5
                set category 7
            next
            edit 6
                set category 24
            next
            edit 7
                set category 1
            next
            edit 8
                set category 2
            next
            edit 9
                set category 23
            next
            edit 10
                set category 21
                set technology 1 4
            next
        end
    next
end
```
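When comparing a posted export like the one above against a lab box, it helps to follow the policy's profile references mechanically rather than by eye. The following added example (not code from the thread or from Fortinet) parses FortiOS CLI config text into nested dicts and pulls out the HTTPS inspection status, the allow-invalid-server-cert setting and the web filter inspection mode for a given policy; `SAMPLE_CONFIG` is a constructed excerpt that mirrors the posted profiles and policy 94, and the function names are this example's own.

```python
import shlex

SAMPLE_CONFIG = """config webfilter profile
    edit "MonitorUserActivity"
        set inspection-mode flow-based
    next
end
config firewall ssl-ssh-profile
    edit "ssl-check"
        config https
            set ports 443
            set status certificate-inspection
            set allow-invalid-server-cert enable
        end
    next
end
config firewall policy
    edit 94
        set service "Web Access" "NTP" "Email Access"
        set webfilter-profile "MonitorUserActivity"
        set ssl-ssh-profile "ssl-check"
    next
end
"""  # constructed excerpt mirroring the profiles and policy posted above, not a real export

def parse_fortios(text):
    """'config'/'edit' open a nesting level, 'set' stores values, 'next'/'end' close it."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "Block Apps - Users"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":  # one value stays a str, several become a list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root

def policy_ssl_settings(cfg, policy_id):
    """Follow a policy's profile references to the settings discussed in the thread."""
    policy = cfg["firewall policy"][str(policy_id)]
    https = cfg["firewall ssl-ssh-profile"][policy["ssl-ssh-profile"]]["https"]
    webf = cfg["webfilter profile"][policy["webfilter-profile"]]
    return {"https_status": https["status"],
            "allow_invalid_server_cert": https["allow-invalid-server-cert"],
            "webfilter_mode": webf["inspection-mode"]}
```

Run it against a full `show full-configuration` export to confirm that the policy carrying the affected traffic really points at the profile you think it does.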
Nicolas_Marengo
New Contributor

Interesting... I've just turned it on again just to see if I could see something on the Network tab of the Chrome dev tools, but the pages are now working OK, and I've not done any config changes.
MikePruett
Valued Contributor

The 5.2 code from my experience is a little wonky. I rolled back to 5.0.9 to hold out until it gets a little bit better.
Mike Pruett Fortinet GURU | Fortinet Training Videos