rsaberov43

Inspect All Ports

Hello everyone!

Can you help with the Inspect All Ports option?
As far as I know, it is responsible for detecting non-standard ports.
Our applications are deployed on standard ports 80 and 443, but we get a lot of 502 errors on some partitions.
When you enable Inspect All Ports, the 502 error is eliminated.
Tell me, can this be a bug if applications use standard ports?
Can you send detailed information on this option?

FortiGate 1100E, v7.0.8

knagaraju
Staff

Hi rsaberov43,

UTM has two modes of operation: proxy-based or flow-based. Both modes support deep inspection.

It is important to ensure that the SSL/SSH inspection profile is configured correctly for flow-based operation, else it may not work as expected. There are two types of inspection mode for the SSL/SSH inspection profile; this article will focus on "Full SSL Inspection", which is also known as deep inspection.

In the SSL/SSH inspection profile, once the inspection method is configured for "Full SSL Inspection", there will be an option to "Inspect All Ports" or to only inspect certain commonly known SSL ports such as HTTPS, SMTPS and POP3S under the "Protocol Port Mapping" option.

If the UTM profile used is proxy-based, then either option, "Inspect All Ports" or inspecting only certain ports, can be used. However, for flow-based, "Inspect All Ports" must be selected, else the SSL inspection may not work correctly. The reason is that for proxy-based inspection, the FortiGate will actively proxy the whole connection and listen on certain ports, thus expecting port 443 to carry HTTPS and so on.

However, this is not true for flow-based. Since flow-based inspection is handled by the IPS engine, when SSL is being negotiated, the IPS engine will not know which protocol the SSL session carries. Therefore, flow-based UTM will only work with the "Inspect All Ports" option if deep inspection is needed.


Regards
Nagaraju
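As an added illustration, and not part of the reply above or of Fortinet's own documentation, the following shows how the two choices described in the answer look from the FortiOS 7.0 CLI, side by side: a profile that deep-inspects only the well-known SSL ports (the "Protocol Port Mapping" choice) and a profile with "Inspect All Ports" enabled, followed by a flow-mode policy that references the second one. The profile names, the policy ID and the interface names are hypothetical; the `#` lines are annotations for the reader and are not FortiOS syntax, so strip them before pasting.

```text
# Profile A: deep inspection only on the mapped SSL ports.
# Acceptable for a proxy-mode policy, which listens on these ports;
# in a flow-mode policy the IPS engine cannot tell what a TLS session
# on an unexpected port carries, so inspection may not apply.
config firewall ssl-ssh-profile
    edit "deep-inspect-known-ports"        # hypothetical profile name
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config ssl
            set inspect-all disable        # "Protocol Port Mapping" in the GUI
        end
    next
end

# Profile B: "Inspect All Ports". Any TLS handshake on any port is
# deep-inspected, so the flow engine does not need to know in advance
# which application protocol the TLS session carries.
config firewall ssl-ssh-profile
    edit "deep-inspect-all-ports"          # hypothetical profile name
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config ssl
            set inspect-all deep-inspection   # "Inspect All Ports" in the GUI
        end
    next
end

# A flow-mode policy paired with profile B, as the reply recommends.
config firewall policy
    edit 10                                 # hypothetical policy ID
        set name "web-out"
        set srcintf "internal"              # hypothetical interfaces
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "deep-inspect-all-ports"
        set logtraffic all
    next
end
```

To confirm what a unit is actually running, `show firewall ssl-ssh-profile <name>` prints the effective `inspect-all` value and per-protocol port mappings for a profile, and `show firewall policy <id>` prints the policy's `inspection-mode` and which SSL/SSH profile it references. Checking those two together is the quickest way to spot a flow-mode policy that is still attached to a port-mapped profile.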
