Hi,
I recently implemented a simple Web Filter Security Policy on our Fortigate 100d which simply blocks some Categories but allows all others. HTTPS Certificate Inspection is also enabled.
We use Webex for Company updates but now none of the users accessing the meetings through the Fortigate can get the Audio stream on their computer. They can access Webex, join and watch the presentation but NO AUDIO??!!
Has anyone else had this problem/know of a fix??
Fortigate 100d running v5.4.0,build1011.
Greetings,
We have FortiGate 900Ds deployed on FortiOS 5.4 and we also ran into this issue. The short-term workaround is to disable SSL Certificate Inspection. I've opened a ticket with Fortinet Support and I will let you know what we discover while investigating the root cause.
Sincerely,
Brandon Fortino
Thanks Brandon - I'll be interested to hear the outcome!
We seem to be getting some other issues too (Play Store on Android phones, some email issues etc.). The Web Filtering doesn't seem to be as simple as the Fortigate Cookbook and Videos suggest!!!!
I am surprised that Google searches don't seem to come up with any useful hits or fixes either. Do people not use the UTM functions?!
Will do! I did some searches as well before opening a Fortinet support ticket - which I haven't had time to work with them yet due to some project deadlines. I don't see many reports of this (and there is a CLI method to add companies to the SSL Inspection exclusion list for when it does happen). My suspicion is that this is a 5.4.0 issue. When the traffic is blocked or dropped there are no logs generated that I can find.
My company is in the process of ripping and replacing our entire international corporate network to keep pace with our rapid growth. At the time we started our RFP I had never heard of Fortinet. Fortinet has focused on the very large and small office markets in the past, and I'd mostly worked in medium enterprise environments. Having used Cisco ASAs, Juniper SRXs, Sonicwall, and WatchGuard I'd learned to stay away from UTM firewall features.
UTM for most vendors is tacked on to their stateful engines (ip/port rules) as an afterthought - and performance severely degrades. Fortinet (seems to have) built their firewalls from the ground up to support UTM. As an engineer the biggest feature for me (and why we went with Fortinet) is that they use specially designed hardware chips to accelerate their UTM features. We've purchased multiple FortiGates, the FortiManager, FortiAnalyzer, FortiAuthenticator, FortiEMS and we are preparing to roll out FortiClient to replace our VPN and endpoint security clients.
That said, the 5.4 code branch is a big jump from 5.2. For example, 5.2.6 is very mature. I was warned by Fortinet to be extremely cautious deploying 5.4.0 into production. You might want to wait until 5.4.1, and stick with 5.2.6 in the meantime. The 5.4 feature set and UI are the best I've ever seen in a firewall, but there will be bugs. I recommend keeping 5.4.0 in the test lab unless you are willing to be a launch customer - and expect to have your "name" on several bug patches. Some engineers like that idea (like me) - most don't. Same as you would with a major Cisco or Juniper code branch launch.
In case you are worried - for most tasks you will never have to touch the CLI unless you prefer it. I can scan for blocked traffic, identify the source and destination, capture packets, and then create a firewall rule (or lecture an end user) without ever having to drop into the CLI. If you want to change, say, the OSPF reference bandwidth (I'm a network engineer), that's when you would be forced to hit the CLI.
Sincerely,
Brandon Fortino
If you don't want to downgrade to 5.2.6 you can try this - http://kb.fortinet.com/kb/documentLink.do?externalID=FD35371
I'm not sure if the syntax has changed between 5.2.X and 5.4.X though.
bfortino wrote:
Greetings,
We have FortiGate 900Ds deployed on FortiOS 5.4 and we also ran into this issue. The short-term workaround is to disable SSL Certificate Inspection. I've opened a ticket with Fortinet Support and I will let you know what we discover while investigating the root cause.
Sincerely,
Brandon Fortino
Hi Brandon,
Did you ever get a fix for this????
Dave_60uk
Not sure if you found a solution but this is what I did:
Create a Wildcard FQDN object for *.webex.com
Edit your SSL Inspection profile and add the above object as an exception
Regards,
Don