I ran into an issue where a working web filter is not working anymore on several sites when the connection between two sites is switched to IPSEC VPN instead of a native MPLS link.
So
Working situation:
Site B -> MPLS Link -> Site A -> Policy with Web Filter -> Internet
Non working situation:
Site B -> IPSEC VPN -> Site A -> Policy with Web Filter -> Internet
As soon as I disable the web filter in the IPSEC config, the problem sites are working properly. When routed over VPN, these sites stop working.
Anyone have any clue what can cause this issue?
Both Fortigates are running on FortiOS 5.6.5
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Hi,
I have exactly the same issue between a Fortigate 100D (v5.6.3) and Fortigate 61E (v5.6.4 build1575 (GA)).
An IPSec VPN tunnel is established between the 2 Fortigates, and all the traffic, including web browsing, passes through it.
All access rules are managed on the 100D in our datacenter. Web filtering is enabled for traffic from non-VPN sites to internet and everything works fine.
On the zone from VPN sites to internet, as soon as I enable the web filter, it is impossible to reach a website.
Does anyone have a clue?
Thanks a lot.
Hi Gerald,
I have some info for you after some extensive troubleshooting today.
You can workaround this problem when you change the web filter from proxy based to flow based scanning.
So probably you can use that as workaround as we did.
Fortinet is currently researching why this issue arises when using proxy-based web filters in combination with IPsec VPN backhauls for internet traffic.
I will inform you when I get feedback from Fortinet support.
Please let me know if this flow based workaround is workable for you.
If you would like to open a ticket at Fortinet you may refer to my case number : #3028085
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
All Internet or specific sites? Is there a match with your policy?
A lot of sites don't work properly. Some simple sites work.
Fortinet has researched this problem and found out this is an issue with the filter in combination with fragmented packets. For now I have decreased the MTU size to 1300, after which the filter works properly.
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D