Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sw2090
SuperUser
SuperUser

SSL Deep Inspection broken?

Hello Community,

 

I have the following constellation:

 

I have Fortigate that connects to the internet via SDWAN with two or ore isp and with Health Check enabled. Works fine so far.

I have a policy that allows clients coming from a subnet connected to the FGT to connect to the internet.

It is not limited by shaper or services but it does have utm features enabled: webfilter, urlfilter and ssl deep inspection (for to filtr https pages). This also used to work fine.

 

Until I upgraded to 5.6.11 or higher :\

from 5.6.11 on ssl deep inspection stopped working. It is still enabled but users keep getting only SSL_PROTOCOL_ERROR when they try to acces https pages.

I opened a ticket with TAC and send them my config. They said config is fine and they cannot reproduce it. Also I did a test in a non productive subnet on one Site and failed to reproduce the issue too. It worked fine here.

 

But as I turned SSL deep inspection back on for the productive subnets the clients again encountered the above issue :\

 

Does anyone have any idea or advice about what could cause this?

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
5 REPLIES 5
boneyard
Valued Contributor

did you do your tests with the same client(s)? as they seem to stand out here. do they still trust the correct CA certificate? is there something else on those clients (security software that checks for SSL tampering) or in the network towards to FortiGate?

sw2090

hm yes clients know our CA and trust it.

I tested on a vm in the same subnet (but different ip range within that subnet) withoout problems.

The only thing I still a not sure atm is if on that vm there was our antivirus suite deployed.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090

ok I've resteded this here on my client that has the very same av suite installed. I encountered no problems with deep inspection here s far. So seems not to be blamed on the av suite.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
boneyard
Valued Contributor

so say your clients are in subnet 10.10.0.0/16

 

you have a firewall policy 10.10.0.0/16 to internet with SSL deep / full inspection

 

these clients have an inspection problem

 

if you setup a VM ware in the same 10.10.0.0/16 then it works fine?

 

i really would recheck those clients then, because if the above is the case then the difference is in the clients, not in the FortiGate or its config.

sw2090

To stay with your example, boneyard:

 

clients are in 10.10.0.0/24

there is a policy 10.10.0.0/24 to internet via sd-wan with webfilter and SSL Deep Inspection enabled.

these clients have the issue I mentioned.

For testing I now used my client here (as windows and av is the same). Let's say my client has 10.10.0.1.

So I created a policy 10.10.0.1 to internet via sd-wan with webfilter and SSL Deep Inspetion enabled. I placed this before the above policy to have it match first (as policies are first come first serve).

On my Client everything worked fine. I didn't encounter the above issue with Deep Inspection.

 

I also did the same at annother side before just wth a vm instead of a physical client. Thus the vm has the same setup, it is just a virtual client for testing purposes. I did not encounter the issue there too.

 

What now came to my mind is that this could be a 5.6.11 only issue since in the meantime I've upgraded some FGT to 6.0.7 (or now to 6.0.8). Among those is ours here where my client is connected.

So could be that this is gone in  6.x probably. I might have to test this again when I've finished updating all FGT and the adom in Fortimanager. Before that I cannot roll out anything centrally.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors