Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: FortiOS 5.2 Web Filter SSL 1.0
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiOS 5.2 Web Filter SSL 1.0
Wondering if anyone is having the same issue. I did raise a ticket with fortinet, but they close the ticket saying that they didnt think there was an issue and that i should reload the firmware and roll back if it breaks anything...........
As i dont have a test lab. I wanted to see if anyone has encountered this before i go ahead.
It seems that on FortiOS 5.2 when you do " SSL Certificate Inspection" and you are using the web filter categories, something does not work if the website has got a certificate which is TLS 1.0
All it does is it " hangs" until the request times out. Looking on the fortianalyzer logs, the request was " allowed" but nothing is shown on the computer browser.
I had a cluster of 2 fortigates 60c on the latest 5.0 patch. And it was all working fine.
I recently upgraded the cluster to fortigates 100D and ive also upgraded the firmware to 5.2
I re-worked all the policies pretty much from scratch to make sure they were imported correctly into the new firmware.
While Certificate inspection is on, only websites which have got a TLS of 1.1 or higher work. Websites with a TLS of 1.0 seem to timeout with no outcome at all on the browser. When turning SSL inspection off for port 443. these websites start working straight away.
example of websites that wont load.
https://online.sesame.co.uk/Pages/default.aspx
https://exweb.exchange.uk.com/Public/Login/logDefault.aspx
https://www.business.hsbc.co.uk/1/2/bib
https://broker.nemo-loans.co.uk/Login.aspx
I have got TLS 1.0, 1.1 and 1.2 enabled for all browsers.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I just tested at home on a FGT60D, and all works fine (with default profile). I tried with mode proxy and flowbase.
Can you export the web filter and ssl interception profile you use in your policy ? like this I can import the same in my lab.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have never seen such issues as well. Our certificate-inspection profile is also allowing invalid certificates, if that makes the difference.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @hklb
This should be all the config needed to mimic mine on yours.
config webfilter profile
edit " MonitorUserActivity"
set comment " log all user activity"
set inspection-mode flow-based
config override
set ovrd-user-group " "
end
config web
set safe-search url
set log-search enable
end
config ftgd-wf
set options error-allow
set category-override 146 142
config filters
edit 105
set category 146
next
edit 62
set category 140
next
edit 63
set category 141
next
edit 26
set category 83
set action block
next
edit 22
set category 5
set action block
next
edit 19
set category 1
set action block
next
edit 23
set category 6
set action block
next
edit 6
set category 12
set action block
next
edit 20
set category 3
set action block
next
edit 21
set category 4
set action block
next
edit 25
set category 62
set action block
next
edit 24
set category 59
set action block
next
edit 27
set category 7
set action block
next
edit 28
set category 9
set action block
next
edit 29
set category 64
set action block
next
edit 30
set category 2
set action block
next
edit 31
set category 15
set action block
next
edit 32
set category 11
set action block
next
edit 33
set category 66
set action block
next
edit 34
set category 57
set action block
next
edit 35
set category 13
set action block
next
edit 36
set category 8
set action block
next
edit 37
set category 14
set action block
next
edit 38
set category 63
set action block
next
edit 39
set category 67
set action block
next
edit 40
set category 65
set action block
next
edit 41
set category 16
set action block
next
edit 42
set category 24
set action block
next
edit 43
set category 19
set action block
next
edit 44
set category 75
set action block
next
edit 45
set category 76
set action block
next
edit 46
set category 72
set action block
next
edit 47
set category 25
set action block
next
edit 48
set category 26
set action block
next
edit 49
set category 61
set action block
next
edit 50
set category 86
set action block
next
edit 67
set category 17
next
edit 68
set category 29
next
edit 69
set category 18
next
edit 70
set category 77
next
edit 71
set category 82
next
edit 72
set category 71
next
edit 73
set category 85
next
edit 74
set category 54
next
edit 75
set category 30
next
edit 76
set category 28
next
edit 77
set category 58
next
edit 51
set category 20
set action block
next
edit 52
set category 40
set action block
next
edit 78
set category 33
next
edit 53
set category 69
set action block
next
edit 79
set category 34
next
edit 54
set category 55
set action block
next
edit 80
set category 35
next
edit 81
set category 36
next
edit 82
set category 70
next
edit 83
set category 87
next
edit 84
set category 48
next
edit 85
set category 80
next
edit 55
set category 38
set action block
next
edit 86
set category 78
next
edit 87
set category 39
next
edit 88
set category 79
next
edit 89
set category 42
next
edit 56
set category 37
set action block
next
edit 90
set category 44
next
edit 91
set category 46
next
edit 92
set category 47
next
edit 57
set category 68
set action block
next
edit 58
set category 23
set action block
next
edit 93
set category 53
next
edit 94
set category 49
next
edit 95
set category 31
next
edit 96
set category 43
next
edit 97
set category 51
next
edit 98
set category 52
next
edit 99
set category 50
next
edit 100
set category 41
next
edit 101
set category 81
next
edit 102
set category 56
next
edit 103
set category 84
next
edit 104
next
end
end
next
end
config firewall ssl-ssh-profile
edit " ssl-check"
config ssl
set allow-invalid-server-cert enable
end
config https
set ports 443
set status certificate-inspection
set allow-invalid-server-cert enable
end
config ftps
set ports 990
set status disable
set allow-invalid-server-cert enable
end
config imaps
set ports 993
set status disable
set allow-invalid-server-cert enable
end
config pop3s
set ports 995
set status disable
set allow-invalid-server-cert enable
end
config smtps
set ports 465
set status disable
set allow-invalid-server-cert enable
end
config ssh
set ports 22
set status disable
end
next
end
config firewall policy
edit 94
set uuid f06d4a84-038a-51e4-868e-3dd494a82a08
set srcintf " port9"
set dstintf " wan1"
set srcaddr " Internal Data Network"
set dstaddr " all"
set action accept
set schedule " always"
set service " Web Access" " NTP" " Email Access"
set utm-status enable
set fsso enable
set groups " FSSO_Users" " SSO_Guest_Users"
set av-profile " default"
set webfilter-profile " MonitorUserActivity"
set dlp-sensor " DLP_Reassured"
set application-list " Block Apps - Users"
set profile-protocol-options " default"
set ssl-ssh-profile " ssl-check"
set traffic-shaper " low-priority"
set traffic-shaper-reverse " low-priority"
set nat enable
next
end
config application list
edit " Block Apps - Users"
config entries
edit 1
set category 19
next
edit 2
set category 8
next
edit 3
set category 6
next
edit 4
set category 22
next
edit 5
set category 7
next
edit 6
set category 24
next
edit 7
set category 1
next
edit 8
set category 2
next
edit 9
set category 23
next
edit 10
set category 21
set technology 1 4
next
end
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting... ive just turned it ON again just to see if i could see something on the Network tab of the chrome dev tools... but the pages are now working OK.... and ive not done any config changes
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 5.2 code from my experience is a little wonky.
I rolled back to 5.0.9 to hold out until it gets a little bit better.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Ask - Use Fortigate - Web... 66 Views
- FG30E - restrict youtube not working 96 Views
- SSL Deep Inspection not working with... 192 Views
- Fortimanager is pushing weird configurations ? 78 Views
- How can I upgrade the firmware... 66 Views
Labels
-
FortiGate
8,525 -
FortiClient
1,724 -
5.2
801 -
FortiManager
717 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
463 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
225 -
FortiWeb
201 -
5.0
196 -
IPsec
191 -
FortiNAC
181 -
FortiGuard
136 -
6.4
128 -
SD-WAN
112 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
85 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
74 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
48 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
41 -
DNS
41 -
BGP
40 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
NAT
32 -
SSO
31 -
Interface
31 -
RADIUS
30 -
FortiConnect
28 -
FortiLink
27 -
FortiWAN
26 -
VDOM
26 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
21 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Intrusion prevention
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1666 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.