wcbenyip
New Contributor III

Some https websites can't be accessed...

Hi, since yesterday afternoon it's been strange that some staff cannot access https websites like e-banking, webmail via https, etc. This has been happening since yesterday afternoon: a user who found a site failing then keeps failing to access that same https website, but some other https websites work properly. Even for an https website that he can't access, other staff may be able to access it, so it's not an issue with the https website... I have no idea now. Even after both the DNS server and the FG were rebooted, the result is the same. Could anyone help and give some direction? Thanks!!
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Daniel_Herbon
New Contributor

How did you downgrade? Where did you get the IPS file? Btw, on my two fortigates where everything is working fine, they're running: 2.00593. The fortigate unit that isn't working was just updated and is running: 2.00719
rwpatterson
Valued Contributor III

Support gave me the older file. Don't let those other 2 update.... FYI: Check here...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson
Valued Contributor III

Reply from support:
Dear customer, Thank you for these links. This false positive is just triggered on some SSLv3 packets. If your web browser uses TLS protocol, this false positive won't happen. We'll fix it in next engine. For now, you have to disable it. Best Regards, Fortinet IPS - Peixue

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
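
To check whether a client's connection falls into the SSLv3 case the support reply above describes, the first bytes of its handshake can be inspected. This is an added example, not part of the thread and not Fortinet code; the sample bytes are constructed, and which SSLv3 packets actually trip the signature is not stated on the page, so an SSLv3 record is only a candidate.

```python
import struct

# Protocol versions as (major, minor) pairs carried in SSL/TLS headers.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def name(version):
    return VERSIONS.get(version, "unknown %d.%d" % version)


def classify_client_hello(data: bytes) -> dict:
    """Report the record-layer version and the version the client offers."""
    if len(data) < 11:
        raise ValueError("need at least the first 11 bytes of the connection")
    # SSLv2-compatible hello: high bit set in the length, message type 1,
    # then the highest version the client is willing to speak.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"record": "SSLv2-compatible hello",
                "offered": name((data[3], data[4])),
                "sslv3_record": False}
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    # Bytes 6-8 are the handshake length; 9-10 are ClientHello.client_version.
    return {"record": name((major, minor)),
            "offered": name((data[9], data[10])),
            "sslv3_record": (major, minor) == (3, 0)}


def build_sample(record_minor: int, hello_minor: int) -> bytes:
    """Constructed ClientHello prefix (header bytes only, body zero-filled)."""
    body = bytes([0x01, 0x00, 0x00, 0x29, 0x03, hello_minor]) + bytes(39)
    return struct.pack("!BBBH", 0x16, 0x03, record_minor, len(body)) + body


if __name__ == "__main__":
    for label, sample in [("SSLv3-only client", build_sample(0, 0)),
                          ("TLS 1.0 client", build_sample(1, 1))]:
        print(label, classify_client_hello(sample))
```
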
Daniel_Herbon
New Contributor

Unfortunately my first experience with Fortinet support isn't turning out to be a good one. Day 4 of this problem now since it was discovered. I've referenced this thread and your ticket several times. I've requested a previous definition several times yet the guy working my ticket just doesn't seem to care. I configured a Cisco ASA5505 with the same incoming/outgoing rules as my 200A. When I plug my network into the ASA5505, everyone in the office can browse without any problems. When I plug it back into my 200A, those same sites become inaccessible. Hopefully I'll get a resolution soon or I'll have to switch back to using Cisco devices.
rwpatterson
Valued Contributor III

Open up (pass) Freegate proxy in application control, and you should be good to go until the next IPS update.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson
Valued Contributor III

Well, I see a new IPS signature has been uploaded. When I go to the page to check what was changed (a couple of posts before this one) the page is blank. 2.721 still has the false positive issue as far as I can tell. Started getting hits as soon as I updated...

ADDED - After 30 minutes, there are far fewer false hits than before, so it's better, just not close to perfect yet... Could just be that traffic is light at 7:00 AM here.

ADDED #2 - Seems like old times. Still have the same amount of false positives...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson
Valued Contributor III

Hooray! Seems like 2.722 did the trick. False hits stopped on 12/4 14:18 EST, and that's the date when they released 2.722. Looks like a done deal here.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Greetings! I'm having some HTTPS issues as well. We have two 110C, in active-active cluster, working in v4.0,build0185,091020 (MR1 Patch 1) firmware version. We are testing a Protection Profile configured with Deep Scan active in HTTPS Content Filtering Mode. We need this feature up because I can't block HTTPS sites (like gmail or orkut, for example) with URL filter or even with Application Control, in some cases when the user is granted access to Gmail, but not Google Talk. The thing is: when I set Deep Scan active, some HTTPS sites (mostly banking) don't work and MSN users can't log on. Anybody using Deep Scan who can give me some help?
rwpatterson
Valued Contributor III

icrema, welcome to the forums. Your issue doesn't seem to be the exact same one. Try starting a new thread to get better exposure.

Daniel, what did the application control log tell you? That's where I found that the Freegate proxy was giving false positives.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Daniel_Herbon
New Contributor

I was having the exact same issue. My issue was never resolved. As you can see in my posts above, my 200A ran perfectly for 6 months. Then something changed over Thanksgiving break and we started having all sorts of HTTPS sites blocked as well as msn and other various sites. After a week of troubleshooting, my company could no longer afford to be blocked from banking sites so I ended up replacing the 200A with a backup Cisco ASA 5505 and everything works fine. At this point support has instructed me to reset the firewall to factory defaults and reconfigure it back to how it was before Thanksgiving. I haven't had the time yet to reset it to factory.