Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
szuko
New Contributor III

Created on ‎01-22-2022 10:58 PM

Outbound-Decryption

HI THERE ,i have really big problem , im doing  Outbound SSL decryption  with deep packet inspection on my fortigate , i have 10G connection , but when i use deep packet inspection my download speed limits to 200kbs or something near that, my upload is just work fine , and when ever i put SSL Profile to no inspection it gets fixed . i dont have any overhead on my device. what the problem could be ? Thanks in advanced.

3934
0 Kudos
1 Solution
AlexC-FTNT
Staff
Staff
In response to szuko

Created on ‎01-27-2022 02:37 AM

And what is your policy mode? Is it in proxy or flow?

Is it the same in both situations? (should be proxy-)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

View solution in original post

3869
9 REPLIES 9
AlexC-FTNT
Staff
Staff

Created on ‎01-25-2022 12:26 AM

It seems that you are using a SoC unit (low-end series/smaller units, up to 200 Series) that lacks the processing power or dedicated CPU (CP8/CP9) for SSL decryption. There might be limitations to the bandwidth used, so that the processor (that handles all the operations) does not reach top usage with only one connection


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
3874
szuko
New Contributor III

Created on ‎01-26-2022 04:47 AM

hi there, im using 200f, and i think it has dedicated cpu for decryption

3855
0 Kudos
AlexC-FTNT
Staff
Staff
In response to szuko

Created on ‎01-26-2022 04:50 AM

in that case you probably need to check the traffic in a packet capture, looking for retransmissions, errors, etc. And if you still don't see any, then opening a support case may be the way to go.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
3853
szuko
New Contributor III
In response to AlexC-FTNT

Created on ‎01-26-2022 11:18 PM

Thank you for putting time  and helping me . acctually after packet capture i have lot of retransmission, duplicated packet, and sometime out of order, but mostly retransmissions , so the slow speed is cuz of that ? , what i can do in order to fix this ? thanks

3840
0 Kudos
szuko
New Contributor III
In response to szuko

Created on ‎01-27-2022 12:02 AM

forti.PNG

 here is glance of wireshark cap

 

3839
0 Kudos
AlexC-FTNT
Staff
Staff
In response to szuko

Created on ‎01-27-2022 12:07 AM

Not everything there is necessarily an error. If the traffic is passing multiple interfaces, the packet analyzer interprets them as errors. Try to redo the capture only on the wan interface. 
Most common cause for packet retransmissions is network congestion. So the link quality should be checked (start with local cables, connectors, ISP router if exists).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
3837
szuko
New Contributor III
In response to AlexC-FTNT

Created on ‎01-27-2022 01:57 AM

The traffic is going out from one interface , to our core router,  i dont think there is anything faulty such as cable or conncetors,because when i turn off the ips profile , it get fixed . no any spurious retranssmiton or anyother  of the logs thati have shown , and prefect speed, i even tried the IPS profile only with 1 signutaure and still same result

3831
0 Kudos
AlexC-FTNT
Staff
Staff
In response to szuko

Created on ‎01-27-2022 02:37 AM

And what is your policy mode? Is it in proxy or flow?

Is it the same in both situations? (should be proxy-)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
3870
szuko
New Contributor III

Created on ‎01-26-2022 05:29 AM

btw my cpu process is under 5 %

3852
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.