Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wcbenyip
New Contributor III

Created on ‎11-24-2009 10:42 PM

Some https website can' t be accessed...

Hi, Since last day afternoon, it' s so strange that some staff cannot access to the https website like the e-banking, webmail via https...etc. This case is happened since last afternoon, the one would keep failed to access to the same https website if he found it' s failed since last afternoon, but some other https websites are working properly~ Even the same https website he can' t be accessed to, other staff may able to access.... so it' s not talking about the issues of the https website... I have no idea now... even both of the DNS server and FG are rebooted, the result is the same~ Anyone could help and give some direction? Thanks!!
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
10703
0 Kudos
23 REPLIES 23
Daniel_Herbon
New Contributor

Created on ‎12-01-2009 12:42 PM

How did you downgrade? Where did you get the IPS file? Btw, on my two fortigates where everything is working fine, they' re running: 2.00593 The fortigate unit that isn' t working was just updated and is running: 2.00719
1821
0 Kudos
rwpatterson
Valued Contributor III
In response to Daniel_Herbon

Created on ‎12-01-2009 01:00 PM

Support gave me the older file. Don' t let those other 2 update.... FYI: Check here...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1821
0 Kudos
rwpatterson
Valued Contributor III
In response to rwpatterson

Created on ‎12-03-2009 05:22 AM

Reply from support:
Dear customer, Thank you for these links. This false positive is just triggered on some SSLv3 packets. If your web browser uses TLS protocol, this false positive won' t happen. We' ll fix it in next engine. For now, you have to disable it. Best Regards, Fortinet IPS - Peixue

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1821
0 Kudos
Daniel_Herbon
New Contributor

Created on ‎12-03-2009 12:41 PM

Unfortunately my first experience with Fortinet support isn' t turning out to be a good one. Day 4 of this problem now since it was discovered. I' ve referenced this thread and your ticket several times. I' ve requested a previous definition several times yet the guy working my ticket just doesn' t seem to care. I configured a Cisco ASA5505 with the same incoming/outgoing rules as my 200A. When I plug my network into the ASA5505, everyone in the office can browse without any problems. I plug it back into my 200A those same sites become unaccessible. Hopefully I' ll get a resolution soon or I' ll have to switch back to using Cisco devices.
1821
0 Kudos
rwpatterson
Valued Contributor III
In response to Daniel_Herbon

Created on ‎12-03-2009 12:46 PM

Open up (pass) Freegate proxy in application control, and you should be good to go until the next IPS update.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1821
0 Kudos
rwpatterson
Valued Contributor III
In response to rwpatterson

Created on ‎12-04-2009 03:50 AM

Well, I see a new IPS signature has been uploaded. When I go to the page to check what was changed (a couple of posts before this one) the page is blank. 2.721 still has the false positive issue as far as I can tell. Started getting hits as soon as I updated... ADDED - After 30 minutes, there are far lass false hits than before, so it' s better, just not close to perfect yet... Could just be that traffic is light at 7:00 AM here. ADDED #2 - Seems like old times. Still have the same amount of false positives...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1821
0 Kudos
rwpatterson
Valued Contributor III
In response to rwpatterson

Created on ‎12-07-2009 06:00 AM

Hooray! Seems like 2.722 did the trick. False hits stopped on 12/4 14:18 EST, and that' s the date when they released 2.722. Looks like a done deal here.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1821
0 Kudos
Not applicable

Created on ‎12-18-2009 05:58 AM

Greetings! Im having some HTTPS issues as well. We have two 110C, in active-active cluster, working in v4.0,build0185,091020 (MR1 Patch 1) firmware version. We are testing a Protection Profile configured with Deep Scan active in HTTPS Content Filtering Mode. We need this feature up because i cant block HTTPS sites (like gmail or orkut, for example) with URL filter or even with Application Control, in some cases when the user is granted to acess Gmail, but not Google Talk. The thing is: when i set Deep Scan active, some HTTPS sites (mostly banking) doesn' t work and MSN users can' t log on. Anybody using Deep Scan who can give me some help?
1821
0 Kudos
rwpatterson
Valued Contributor III
In response to

Created on ‎12-18-2009 06:43 AM

icrema, welcome to the forums. Your issue doesn' t seem to be the exact same one. Try starting a new thread to get better exposure. Daniel What did the application control log tell you? That' s where I found that the Freegate proxy was giving false positives.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
1821
0 Kudos
Daniel_Herbon
New Contributor

Created on ‎12-18-2009 06:34 AM

I was having the exact same issue. My issue was never resolved. As you can see in my posts above, my 200A ran perfectly for 6 months. Then something changed over Thanksgiving break and we started having all sorts of HTTPS sites blocked as well as msn and other various sites. After a week of troubleshooting, my company could no longer afford to be blocked from banking sites so I ended up replacing the 200A with a backup Cisco ASA 5505 and everything works fine. At this point support has instructed me to reset the firewall to factory defaults and reconfigure it back to how it was before Thanksgiving. I haven' t had the time yet to reset it to factory.
1821
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.