Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
#!/bin/bash for i in {0..20} ; do dig +short dsn$i.skype-dsn.akadns.net; done | sort | uniqIf you don' t want to enter all 107 unique Skype addresses into the firewall, you can come close by using these class C' s: 111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24 157.55.56.0/24 157.56.52.0/24 213.199.179.0/24 64.4.23.0/24 65.55.223.0/24 (Credit to http://pingtool.org/block-skype-connection/ for the script and address info.) Just put them as destination addresses in a separate policy that does not have SSL inspection turned on. I realize these are static addresses and that Skype addresses are potentially dynamic. However, the above addresses have been stable for at least the last year or two. For me, that' s good enough for a temporary work-around.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
I've been in a dialog with tech support on this issue.
There are some issues with scanning SSL connections using a proxy connection. If you switch to using flow mode for your scanning, Skype will work. This is for 5.0.7, but I imagine this works for 5.2 as well.
You can also turn off port 443 scanning in 5.0.7, and it should default to certificate scanning at that point.
Ultimately, there will be changes coming down to 5.4 and beyond that will address some of these issues. We need a function to whitelist an app (like Skype), and I believe this is in the works.
Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Hi, The 5.2 and 5.4 versions already have exempts for microsoft and skype in the default SSL inspection profile, but the address *.messenger.live.com for skype seems to be outdated. Please try following: 1. Create additional Wildcard FQDN addresses: *.skype.com *.skype.net
*.trouter.io 2. Add these addresses to the exempt address list of your SSL inspection profile along with existing 'skype', 'live.com' and 'microsoft' 3. Assign this SSL inspection profile to your policy It works for me on v5.4.2
Microsoft may change IPs and DNS names, so if this happen again, open a Wireshark, set filter to 'dns' and monitor DNS requests, then add new wildcards to your exempt list.
Best regards, Ivo
Hi, The 5.2 and 5.4 versions already have exempts for microsoft and skype in the default SSL inspection profile, but the address *.messenger.live.com for skype seems to be outdated. Please try following: 1. Create additional Wildcard FQDN addresses: *.skype.com *.skype.net
*.trouter.io 2. Add these addresses to the exempt address list of your SSL inspection profile along with existing 'skype', 'live.com' and 'microsoft' 3. Assign this SSL inspection profile to your policy It works for me on v5.4.2
Microsoft may change IPs and DNS names, so if this happen again, open a Wireshark, set filter to 'dns' and monitor DNS requests, then add new wildcards to your exempt list.
Best regards, Ivo
Yeah, skype is smart and used it's own certs at the application level....it knows when we are snooping.
Mike Pruett
ikoimecs wrote:Thanks for that, works like a charm !!!1. Create additional Wildcard FQDN addresses: *.skype.com *.skype.net
*.trouter.io
Ivo
Yes what ikoimecs post is good even FTNT has a kb out that uses known ranges & even a script that does this.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD37470
Keep in mind thet *.wildcard-FQDN iirc are not doable in FortiOS 5.0 or 5.2
Ken
PCNSE
NSE
StrongSwan
Perhaps "strange" ports non specifically allowed in the upper policies?
i have applied all Services.
still the same; Connecting sign and stop.
Perform a debug flow 'till you find the session blocked by the implicit deny.
Hello Again
i tried the web.skype.com; it works perfect every time.
so there is something with the application and the SSL/SSH Inspection.
if anyone know how to fix it. please help.
thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.