Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
creserva
New Contributor

Google Drive Application will not Sync/Unable to Connect

When Deep SSL is turned on. I have added Google Drive on Application Sensors, Added on WebFilter drive.google.com with exempt and it still unable to sync. Please advise. Thank you
7 REPLIES 7
Warren_Olson_FTNT

Are you saying you have the rest of *.google.com blocked using webfilter? Google uses a wildcard SSL certificate so if you block google.com it is likely going to block every google site since they all share the same cert over SSL.
creserva
New Contributor

No! *.google.com is not blocked. it similart to this http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/misc_utm_chapter.158.21.html So I thought adding drive.google.com will allow Google Drive Applications sync. I can visit drive.google.com via web but the applications is not connecting exept turning off SSL Deep Scanning.
JerryPWhite1
New Contributor II

I found this to be a workaround but it appears you will be setting the application to http instead of https so if it's secure data it wouldn't be a wise idea.

 

When SSL Decryption is enabled for a site like drive.google.com, the secure connection in the Google Drive app will break due to an invalid security certificate. Unfortunately, the app uses its own certificate instead of sharing the browser’s certificate store. This is known as certificate penning. There is no way to modify the certificate or add certificates in the app itself. The work around, however, is fairly simple. The invalid certificate can be ignored by adding a switch when running the app. The methods below have been tested and seem to be viable. Use any of the following three methods to activate the switch.

1.  Edit the shortcut for the Google Drive and add the switch at the end:       Change C:\Program Files\Google\Drive\googledrivesync.exe to C:\Program Files\Google\Drive\googledrivesync.exe" --unsafe_network   2.  Open a command prompt and navigate to the folder where Google Drive is installed.       At a prompt, run googledrivesync.exe --unsafe_network

3.  You can also push out a registry entry change if Drive Sync is auto starting

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveSync]. Add the value -unsafe_network after the quote as shown below. "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" --unsafe_network /autostart

 

source = http://support.iboss.com/...ve-desktop-application

Jerry Paul White

Network Engineer/Tech Supervisor

" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"

Jerry Paul White Network Engineer/Tech Supervisor " 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"
jsellers

this is not a valid work around when I have 2000 devices on the network.  I can not touch every company owned and privately owned device.

pmit
New Contributor III

You must start Google Drive sync with

googledrivesync.exe --unsafe_network

fran1942
New Contributor

Hello,  this is fine, but I would like to understand why the SSL deep packet exemption for 'Google Drive' doesn't seem to work. If it did, then there would be no need to run the Google Drive app in 'HTTP' mode.

So, what actually is the purpose of the 'Google Drive' SSL deep packet exemption entry that I see there ? i.e. why are we forced to use HTTP mode ?

Thank you kindly.

dmilagros_FTNT

fran1942 wrote:

Hello,  this is fine, but I would like to understand why the SSL deep packet exemption for 'Google Drive' doesn't seem to work. If it did, then there would be no need to run the Google Drive app in 'HTTP' mode.

So, what actually is the purpose of the 'Google Drive' SSL deep packet exemption entry that I see there ? i.e. why are we forced to use HTTP mode ?

Thank you kindly.

 

[ul]
  • Application did not work due a certificate error.  This issue occurs due the drive.google.com site having SSL Decryption enabled, so the Google secure connection for Google Drive app will detect an invalid security certificate. If the FortiGate does not have a valid certificate, the application will not work. Which is this case. Google Sync and Backup desktop application was waiting for google certificate instead of FortiGate certificate.
  • This is because when SSL Decryption is enabled, the FortiGate device receives the external site's certificate and sends its own self-signed certificate to the end client. 
  • When the Google Drive client software, installed on a desktop, attempts to connect to the Google server, it expects to receive a valid certificate from the Google server. With SSL decryption enabled, the Google Drive client receives an untrusted certificate from the FortiGate device and the connection ultimately fails.
  • Google has provided an option to bypass the certificate validation by using a switch “--unsafe_network”.
  • This workaround does not compromise the end client security and data because the certificate bypass is done between the FGT and client, when FortiGate has decrypted the data and it is in the process to deliver it to the client.[/ul]

    Check references below:

    https://kb.fortinet.com/kb/viewContent.do?externalId=FD36816

  • Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors