Whiteoaks
New Contributor

Facebook Messenger app not able to send/receive messages with DPI

Hi,

We have an 80F firewall that we want to put into production, but we need to be able to troubleshoot these types of issues reliably. We have deep packet inspection turned on with a CA certificate approved by our AD CS (no warning messages when visiting websites).

The Facebook Messenger application is unable to send/receive messages; however, messenger.com works fine without issue. If we add facebook.com to the exception list, the Facebook Messenger application begins to work as well.

What can we do to get these types of issues working without starting to add a bunch of exemptions to our SSL inspection, which defeats the purpose of the firewall?

Anthony_E
Community Manager

Hello Whiteoaks,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

Could you please tell me which version your FortiGate-80F is running?

Thanks a lot in advance.

Regards,

Anthony-Fortinet Community Team.
davidmuray
New Contributor

It is good that you have deep packet inspection enabled and a CA certificate approved by the AD CS. Still, it can be frustrating when some applications work differently than expected. Remember that the Facebook Messenger app may use a different SSL certificate or encryption method than the one used by messenger. This could be the cause of a firewall issue. Another option is to consider alternative messenger apps that prioritize security and privacy. I found Jtwhatsapp https://terezast.com/the-safest-messengers-for-pcs-and-smartphones/ a couple of weeks ago, and I am thrilled, as these apps are great for confidential conversations. Good luck, and let us know if you find a solution!

Debbie_FTNT
Staff

Hey Whiteoaks,

DPI can have some limitations, especially if the connection you're trying to inspect uses HSTS. In that case, it's not really possible to do deep inspection, as the certificate replacement would be noticed and the connection refused (with HSTS, the client expects specific certificates signed by specific certificate authorities, and the FGT certificate, though signed by a trusted CA, would still not be accepted, because the certificate would NOT come from the specified authority).

-> A lot of Facebook-related websites and applications use HSTS to my knowledge, so you might be running into that issue? Unfortunately there isn't really a good solution for this :\

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
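To make the "is this host being re-signed or not?" question answerable reliably from a client, here is a small Python diagnostic, added as an example and not code from Fortinet or anyone in this thread. It connects to a host, reads the leaf certificate's issuer and reports whether the session was re-signed by the inspection CA or passed through; the CA common name is an assumption, and the machine running it must trust that CA the way the domain-joined clients do (an untrusted chain is reported rather than hidden).

```python
"""Per-host check: is an outbound TLS session re-signed by the SSL inspection
CA ('inspected') or passed through untouched ('passthrough')? Added example."""
import socket
import ssl
from typing import Optional

# Assumption: subject CN of the internal CA the FortiGate uses to re-sign
# inspected sessions (the CA approved by AD CS in the question).
DPI_CA_CN = "Corp-FortiGate-SSL-Inspection-CA"


def issuer_cn(peercert: dict) -> str:
    """Return the issuer commonName from an ssl.getpeercert()-style dict."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify(peercert: Optional[dict], dpi_ca_cn: str = DPI_CA_CN) -> str:
    """Classify a session from its validated peer certificate.

    'inspected'   - leaf issued by the DPI CA; a pinning app (the Messenger
                    symptom in the thread) will reject this chain even though
                    a browser trusting the AD CS root accepts it.
    'passthrough' - leaf issued by a public CA; host is exempted or not inspected.
    'untrusted'   - this client could not validate the chain at all."""
    if peercert is None:
        return "untrusted"
    return "inspected" if issuer_cn(peercert) == dpi_ca_cn else "passthrough"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Open a verified TLS session and return the peer cert dict, or None if
    the chain is not trusted by this machine (getpeercert() is only populated
    for validated chains, so verification stays on)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


if __name__ == "__main__":
    # Compare a host that works (messenger.com) with one that breaks the app.
    for h in ("messenger.com", "facebook.com"):
        print(h, classify(probe(h)))
```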