Fortigate Version : 7.2.8
Strange thing we are seeing is that every time there is a blocked connection to a destination, which could be via any of the security profiles, the FortiGate initiates local traffic to the same destination. The traffic does get denied eventually, but what could be the reason for this behaviour?
I have put a screenshot of the example. Lines 2 and 3 are the user-initiated forward traffic and lines 1 and 4 are local traffic initiated from the FortiGate itself. It's a VDOM-based setup; that is the reason for the multiple lines of logs.
Can you double-click on lines 1 & 4 to show more details?
This is taking an SD-WAN outbound rule towards the Hub site and then going out to the internet from there. But I don't think that is the concern here. This traffic should never have originated from the local FortiGate itself.
When FG originates this traffic, is it sent to the IP of the remote IPsec peer or to a public address?
It is sent to the public IP address.
Modern FortiOS versions perform so-called "TLS probes". These are separate connections towards the client-requested (web)server, made in order to retrieve the server's certificate for purposes of web filtering, etc.
This is required primarily for TLS 1.3, where the server certificate is already transported encrypted, and completely passive inspection would not reveal it. (But note that TLS 1.3 is not a requirement for the function to trigger; this is done with 1.2 as well nowadays.)
You can stop these probes if you completely remove/disable UTM in your firewall policies, but that is probably not desirable. :)
Does this then require a rule to allow such traffic for webfilter to function correctly? The original traffic (client to internet) was denied by UTM even though the TLS probes (Fortigate to Server) did not go through. Makes me wonder if it needs the TLS probe to return something for UTM to function correctly.
In my case this traffic is hitting my SD-WAN rule and reaching the Hub, where the TLS probe traffic is denied.
Yes, the probes need to work. If the current routing/SD-WAN setup may cause the TLS probes to egress via an interface where they would be dropped, you can manually select an egress interface for them.
The configuration commands are listed here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-interface-for-IPS-TLS-protocol-a...
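The pattern described in this thread (a forward session blocked by UTM, followed within a second or two by a local-out session from the FortiGate to the same destination IP and port) can be picked out of traffic logs mechanically, which helps distinguish expected TLS-probe traffic from genuinely unexpected local-out connections and shows whether the probes themselves are being dropped, as in the poster's SD-WAN case. The following script is an added example and not part of the thread or of any Fortinet tool. The log lines are constructed for the example; the field names (type, subtype, vd, srcip, dstip, dstport, action, utmaction) are standard FortiGate traffic-log keys, but the values, the 5-second correlation window and the assumption that the FortiGate's own interface address is 10.0.0.1 are all assumptions made here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample FortiGate traffic logs (key=value syslog format).
# Values are made up for this example; only the field names are real.
SAMPLE_LOGS = """\
date=2025-01-10 time=10:00:00 type="traffic" subtype="forward" vd="internal" srcip=192.168.1.50 srcport=51000 dstip=203.0.113.10 dstport=443 action="deny" utmaction="block" service="HTTPS"
date=2025-01-10 time=10:00:01 type="traffic" subtype="local" vd="root" srcip=10.0.0.1 srcport=9000 dstip=203.0.113.10 dstport=443 action="deny" service="HTTPS"
date=2025-01-10 time=10:00:02 type="traffic" subtype="local" vd="root" srcip=10.0.0.1 srcport=9001 dstip=198.51.100.5 dstport=53 action="accept" service="DNS"
date=2025-01-10 time=10:00:03 type="traffic" subtype="forward" vd="internal" srcip=192.168.1.51 srcport=51001 dstip=203.0.113.20 dstport=443 action="accept" utmaction="allow" service="HTTPS"
date=2025-01-10 time=10:00:10 type="traffic" subtype="forward" vd="internal" srcip=192.168.1.52 srcport=51002 dstip=203.0.113.30 dstport=443 action="deny" utmaction="block" service="HTTPS"
date=2025-01-10 time=10:00:10 type="traffic" subtype="local" vd="root" srcip=10.0.0.1 srcport=9003 dstip=203.0.113.30 dstport=443 action="accept" service="HTTPS"
date=2025-01-10 time=10:05:00 type="traffic" subtype="local" vd="root" srcip=10.0.0.1 srcport=9002 dstip=203.0.113.10 dstport=443 action="deny" service="HTTPS"
"""

# key=value pairs; values are either double-quoted or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    return fields


def log_timestamp(fields):
    """Combine the date= and time= fields into a datetime."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def find_probe_candidates(lines, window_seconds=5):
    """Return local-out sessions that follow a forward session to the same
    dstip:dstport within window_seconds. These are the likely TLS probes
    the FortiGate made to fetch the server certificate for UTM inspection.
    The window length is an assumption chosen for this example."""
    events = [parse_log_line(l) for l in lines if l.strip()]
    events.sort(key=log_timestamp)  # stable sort keeps same-second input order
    forwards = [e for e in events if e.get("subtype") == "forward"]
    candidates = []
    for e in events:
        if e.get("subtype") != "local":
            continue
        t = log_timestamp(e)
        for f in forwards:
            ft = log_timestamp(f)
            same_dst = (f["dstip"], f["dstport"]) == (e["dstip"], e["dstport"])
            if same_dst and timedelta(0) <= t - ft <= timedelta(seconds=window_seconds):
                candidates.append({
                    "probe_src": e["srcip"],          # the FortiGate's own address
                    "dst": f"{e['dstip']}:{e['dstport']}",
                    "probe_action": e.get("action"),  # "deny" means the probe never got out
                    "client": f["srcip"],
                    "client_action": f.get("action"),
                    "utmaction": f.get("utmaction"),
                    "delta_s": (t - ft).total_seconds(),
                })
                break
    return candidates


def summarize(candidates):
    """Count probes and how many of them were denied on egress, which is the
    condition the thread says breaks certificate-based web filtering."""
    denied = sum(1 for c in candidates if c["probe_action"] == "deny")
    return {"probes": len(candidates), "probes_denied": denied}


if __name__ == "__main__":
    found = find_probe_candidates(SAMPLE_LOGS.splitlines())
    for c in found:
        print(c)
    print(summarize(found))
```

Local-out sessions with no preceding forward session to the same destination (the DNS line, and the probe-looking line five minutes later) are left alone, so the output lists only the sessions that fit the probe pattern, and the summary shows how many of those were denied and therefore need the egress-interface fix from the linked Technical Tip.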