Hi All,
I'm getting a lot of help desk tickets with stuff like "It looks like mathsbot.com closed the connection" (one of many sites!). I use deep packet inspection.
I've tried pretty much every option on the profile to change that, but the only thing that seems to work is adding the site (or the relevant category) to the SSL exceptions. I'm getting enough of these tickets for it not to be sustainable.
Any ideas anyone? (I do need DPI, educational institutions)
Cheers
Jon
#fortigate
Hi Jon
Which FortiOS version?
Hi there,
v7.2.8 build1639
Cheers
Jon
Hello Jon,
What is the inspection mode used on the policy? Please provide a complete screenshot of the error.
Thanks
Inspection mode is Proxy.
The error message is exactly what I put - "It looks like xyz.com closed the connection" (with an Edge graphic or similar)
Cheers
Jon
To address the issue of frequent help desk tickets related to sites like "mathsbot.com" closing the connection despite using deep packet inspection, consider creating a custom SSL/TLS inspection profile where you selectively exempt specific categories or websites prone to such issues, ensuring a balance between security and usability for educational institutions. This approach can help reduce the number of tickets while maintaining the necessary level of security.
Thanks Salon Raj Joshi
I'm getting this too frequently to do it for every site or category. I'll end up exempting all the sites that I'm wanting to look at from a DPI perspective.
Any specific error you are getting in the SSL event logs on the FGT?
SSL Deep Inspection can break certain websites, especially if they use non-standard SSL/TLS configurations.
The DPI feature inspects and re-encrypts traffic, which some sites might not support, causing the connection to fail.
While adding sites or categories to the SSL exceptions list works, it’s not ideal if you have a lot of sites.
However, exceptions might be necessary for websites that don’t work well with DPI.
Instead of adding many sites to exceptions, consider creating custom DPI profiles that allow more flexibility.
For example, you can disable certain checks like SSL certificate validation for specific sites or only apply DPI to certain traffic types.
If the issues are widespread and affecting many users, you might also want to check the SSL Forward Proxy settings.
This can help reduce issues with SSL decryption by managing the way certificates are handled.
You can review the logs to identify which sites or categories are causing the most issues.
Based on this, you might be able to fine-tune DPI settings to avoid interruptions.
Can you share the CLI config of the related SSL inspection profile?
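The log review suggested in the replies above can be scripted. The following is an added example, not code from any poster or from Fortinet: it tallies SSL inspection events per hostname from exported key=value log lines and keeps only hosts failing for several distinct clients, which points at the site or profile rather than a single workstation. The field names (`subtype`, `eventtype`, `hostname`, `srcip`, `msg`), the `ssl-exempt` value and the sample lines are assumptions and constructed data; match them to what your own log export contains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in key=value form (not real logs). Field names and
# values are assumptions; adjust them to the fields present in your export.
SAMPLE_LOG = '''\
date=2024-05-01 time=09:01:12 type="utm" subtype="ssl" eventtype="ssl-anomaly" srcip=10.0.1.15 hostname="site-a.example" msg="Server closed connection"
date=2024-05-01 time=09:01:40 type="utm" subtype="ssl" eventtype="ssl-anomaly" srcip=10.0.1.22 hostname="site-a.example" msg="Server closed connection"
date=2024-05-01 time=09:02:03 type="utm" subtype="ssl" eventtype="ssl-anomaly" srcip=10.0.1.15 hostname="site-a.example" msg="Unsupported cipher"
date=2024-05-01 time=09:03:10 type="utm" subtype="ssl" eventtype="ssl-anomaly" srcip=10.0.2.9 hostname="site-b.example" msg="Certificate probe failed"
date=2024-05-01 time=09:03:30 type="traffic" subtype="forward" srcip=10.0.2.9 hostname="site-d.example" msg="n/a"
date=2024-05-01 time=09:04:00 type="utm" subtype="ssl" eventtype="ssl-exempt" srcip=10.0.3.4 hostname="site-c.example" msg="Exempted by category"
'''

# key=value, where the value is either "quoted with spaces" or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def triage(log_text, min_clients=2):
    """Return [(hostname, events, distinct_clients, most_common_msg)], busiest first.

    Only SSL-subtype events are counted; lines marking a session as already
    exempt are skipped, since those sites are not being broken by inspection.
    """
    events = Counter()
    clients = defaultdict(set)
    msgs = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "ssl" or "hostname" not in rec:
            continue
        if rec.get("eventtype") == "ssl-exempt":  # assumed value for exempt sessions
            continue
        host = rec["hostname"].lower()
        events[host] += 1
        clients[host].add(rec.get("srcip", "unknown"))
        msgs[host][rec.get("msg", "")] += 1
    return [(h, n, len(clients[h]), msgs[h].most_common(1)[0][0])
            for h, n in events.most_common() if len(clients[h]) >= min_clients]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Grouping the result by the most common message shows whether one inspection setting accounts for most of the failures, as opposed to many unrelated per-site problems.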
Copyright 2024 Fortinet, Inc. All Rights Reserved.