Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vagnerdtl
New Contributor II

High SSL negotiation time when a web filter security profile is enabled

Hey Guys

We are facing high SSL negotiation time when a web filter profile is enabled on the rule's security profile.

When we disable the web filter profile on the rule, the SSL time improves considerably.

To test, I'm using this curl command for the Google website, but this issue occurs with any destination address:

curl --resolve www.google.com.br:443:142.250.219.131 -w "DNS_resolution: %{time_namelookup}| TCP_negotiation_time: %{time_connect}| SSL_negotiation_time: %{time_appconnect}| TTFB: %{time_starttransfer}| Total time: %{time_total} \n" -o /dev/null -vsL https://www.google.com.br

When the web filter profile is enabled, the SSL_negotiation_time is more than 3 seconds.

When the web filter profile is disabled, the SSL_negotiation_time is no more than milliseconds.

When I check under System ==> FortiGuard, my Web Filter status is on average 123 ms.

Has someone experienced this same issue?

adambomb1219
SuperUser
SuperUser

Are you decrypting that traffic?  

vagnerdtl

Hi

I'm not decrypting.

AEK
SuperUser
SuperUser

Hi Vagner

Under System > FortiGuard, try enabling the Web Filter cache, then try "twice" and see if the second attempt has better performance.

AEK
vagnerdtl
New Contributor II

Hi
It's already enabled with 60 minutes.

AEK
SuperUser
SuperUser

Hi Vagner

Please try these troubleshooting steps. I'm sure it will help you find the root cause.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-Web-Filtering-problems/ta...

Especially the diag debug part.

AEK
vagnerdtl
New Contributor II

Hey AEK

Thank you, this link drove me to solve the issue.
Additionally, I used this link as well:


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-interface-for-IPS-TLS-protocol-a...

I was able to check, when I used the diagnose commands, that some probes failed and some didn't. When they failed, there was high latency; when not, there wasn't.

diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable

[2877@-1]eng_debug_log: Connecting to x.y.v.z:443 (test.test.com.br)

[2877@-1]probe_finish: probe is finished. id: 1127353, sess: 4042465.  <<<<<<======= Probe Works Fine = low Latency

 

On the second attempt I experienced high latency of more than 3 seconds on the SSL connection, and, as the document suggests, the probe failed:

[2877@-1]eng_debug_log:   Server: x.y.v.z:443

[2877@-1]eng_debug_log:   Probe failed: unable to connect.  <<<<<<===== Probe Failure = High Latency


So I used:

diagnose debug rating

as suggested in the link that you sent: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-Web-Filtering-problems/ta...


So just 3 Fortinet service addresses were reachable (flag "D"); all the others weren't (flag "F"):

 

IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost
12.34.97.71 20 127 DI -5 3714329 0 18578 W
208.184.237.61 50 184 D -8 32184 0 1344 W
173.243.138.91 60 178 D -8 56753 0 1244 W
140.174.22.72 20 0 F -5 170173 170173 170173
12.34.97.72 20 0 F -5 170173 170173 170173
140.174.22.73 20 0 F -5 170173 170173 170173
12.34.97.73 20 0 F -5 170173 170173 170173
12.34.97.74 20 0 F -5 170173 170173 170173
12.34.97.75 20 0 F -5 170173 170173 170173
140.174.22.71 20 0 F -5 170180 170180 170180
194.69.172.31 30 0 F 0 170173 170173 170173
194.69.172.32 30 0 F 0 170173 170173 170173
194.69.172.33 30 0 F 0 170173 170173 170173
209.40.106.91 30 0 F -6 31952 31952 31952
209.40.106.92 30 0 F -6 26192 26192 26192
83.231.212.85 40 0 F 1 170173 170173 170173
83.231.212.86 40 0 F 1 170173 170173 170173
83.231.212.84 40 0 F 1 170173 170173 170173
83.231.212.81 40 0 F 1 170173 170173 170173
83.231.212.82 40 0 F 1 170173 170173 170173
83.231.212.83 40 0 F 1 170173 170173 170173
173.243.138.92 50 0 F -8 170173 170173 170173
173.243.138.93 50 0 F -8 170173 170173 170173
208.184.237.62 50 0 F -8 170172 170172 170172
210.7.96.11 120 0 F 9 170172 170172 170172
210.7.96.12 120 0 F 9 170172 170172 170172
210.7.96.13 120 0 F 9 170172 170172 170172
210.7.96.14 120 0 F 9 170172 170172 170172

 

When I checked my route table, there was only a static route (via the internet interface) to these three addresses that work. For all the others there was no route.

That's the reason it sometimes works and sometimes doesn't.

Because the firewall uses a round-robin-like feature to balance across all these addresses.

The solution: I fixed my route table to reach all these addresses via the internet interface.
There is no flag "F" anymore:
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
12.34.97.74 20 124 -5 67715 0 15431 Mon 
12.34.97.72 20 127 -5 58611 0 15438 Mon 
12.34.97.73 20 127 -5 23151 0 15430 Mon 
12.34.97.71 20 127 DI -5 359512 0 3722 Mon 
140.174.22.73 20 131 -5 55354 0 15439 
140.174.22.71 20 135 -5 293970 0 15493 Mon 
140.174.22.72 20 135 -5 19964 0 15426 Mon 
12.34.97.75 20 136 -5 83878 0 15441 Mon 
209.40.106.91 30 142 -6 18312 0 15416 Mon 
209.40.106.94 30 142 -6 18311 0 15415 Mon
209.40.106.93 30 143 -6 18310 0 15414 Mon 
209.40.106.92 30 144 -6 18310 0 15414 Mon
194.69.172.32 30 201 0 18310 0 15414 Mon
194.69.172.33 30 205 0 18310 0 15414 Mon
194.69.172.31 30 206 0 18310 0 15414 Mon 
83.231.212.85 40 208 1 18311 0 15415 Mon 
83.231.212.82 40 208 1 18311 0 15415 Mon 
83.231.212.84 40 208 1 18310 0 15414 Mon 
83.231.212.86 40 210 1 18311 0 15415 Mon
83.231.212.83 40 211 1 18310 0 15414 Mon 
83.231.212.81 40 213 1 18310 0 15414 Mon 
173.243.138.91 50 175 D -8 8312 0 480 Mon 
173.243.138.93 50 177 -8 18311 0 15415 Mon 
173.243.138.92 50 177 -8 18310 0 15414 Mon 
208.184.237.62 50 185 -8 18310 0 15414 Mon 
208.184.237.61 50 186 D -8 7722 0 441 Mon 
210.7.96.13 120 272 9 18310 0 15414 Mon 
210.7.96.12 120 272 9 18310 0 15414 Mon 
210.7.96.14 120 274 9 18310 0 15414 Mon 
210.7.96.11 120 279 9 18311 0 15415 Mon 
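
As an added example (not code from the post or from Fortinet), the following Python parses the "diagnose debug rating" table in the shape shown above and flags the servers a rating lookup can hit but never reach; the table rows are a constructed sample modelled on the output above, and the "stall_ratio" figure is an assumption based on the round-robin behaviour the post describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample shaped like the 'diagnose debug rating' table in the post above.
SAMPLE_RATING_OUTPUT = """\
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost Updated Time
12.34.97.71 20 127 DI -5 3714329 0 18578 Mon
208.184.237.61 50 184 D -8 32184 0 1344 Mon
140.174.22.72 20 0 F -5 170173 170173 170173
194.69.172.31 30 0 F 0 170173 170173 170173
209.40.106.93 30 143 -6 18310 0 15414 Mon
"""
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt_ms: int
    flags: str  # empty when the Flags column is absent (unflagged healthy rows)
    tz: int
    requests: int
    curr_lost: int
    total_lost: int

    @property
    def unreachable(self) -> bool:
        # 'F' marks a failed server; one currently losing every request is just as dead.
        return "F" in self.flags or (self.requests > 0 and self.curr_lost == self.requests)

def parse_rating_line(line: str) -> Optional[RatingServer]:
    tok = line.split()
    if len(tok) < 7 or not _IPV4.match(tok[0]):
        return None  # header, blank line or CLI prompt echo
    # Flags is omitted for unflagged servers: the 4th token is a flag string or the TZ offset.
    flags, idx = (tok[3], 4) if tok[3].isalpha() else ("", 3)
    if len(tok) < idx + 4:
        return None
    tz, requests, curr_lost, total_lost = (int(x) for x in tok[idx:idx + 4])
    return RatingServer(tok[0], int(tok[1]), int(tok[2]), flags, tz, requests, curr_lost, total_lost)

def parse_rating_output(text: str) -> List[RatingServer]:
    return [s for s in map(parse_rating_line, text.splitlines()) if s is not None]

def summarize(servers: List[RatingServer]) -> dict:
    # Assumption: under round-robin server selection, the dead share approximates how often a lookup stalls.
    dead = [s.ip for s in servers if s.unreachable]
    return {"total": len(servers), "unreachable": dead,
            "stall_ratio": len(dead) / len(servers) if servers else 0.0}
```

Every IP in the "unreachable" list is one to check against the route table, which is exactly where the missing routes were found in this thread.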
AEK

Hi Vagner

Glad to see you were able to resolve the issue.

AEK