FortiGate
Article Id 191675
Description
The FortiGate unit blocks a Smart-Phone accessing RSS feeds on port 80 (HTTP).
Components
  • All FortiGate units.
  • Smart-Phones or handheld devices using RSS feeds.
Steps or Commands

Issue

When a user uses a Smart-Phone to access RSS feeds, the FortiGate HTTP proxy allows the TCP handshake for non-HTTP traffic. As soon as the data transfer begins, the FortiGate unit blocks the traffic because the proxy does not recognize it.

This is expected behavior. Since the dropped packets are not HTTP traffic, but are using TCP port 80 to communicate with the server, the proxy will block them.
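To confirm this diagnosis from a packet capture, check whether the first client payload of each port 80 session is an HTTP request line. The following is an added example, not Fortinet code and not the FortiGate proxy's actual logic; the function names, the `MAX_LINE` limit and the sample payloads are constructed for illustration.

```python
import re

# First line of an HTTP/1.x request (RFC 9112): method SP target SP version.
REQUEST_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [\x21-\x7e]+ HTTP/\d\.\d")
MAX_LINE = 8192  # assumed cap on how long to wait for a request line


def classify(payload: bytes) -> str:
    """Classify the first client bytes of a TCP/80 session."""
    if b"\n" not in payload:
        # No complete line yet. An empty payload is the bare handshake,
        # which carries nothing a proxy could judge.
        printable = all(0x20 <= b <= 0x7E or b == 0x0D for b in payload)
        if printable and len(payload) < MAX_LINE:
            return "incomplete"
        return "not-http"
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    return "http" if REQUEST_LINE.fullmatch(line) else "not-http"


def non_http_sessions(sessions):
    """Names of sessions whose first payload is not an HTTP request."""
    return [name for name, data in sessions if classify(data) == "not-http"]


# Constructed sample payloads (not captured from a real device).
SAMPLES = [
    ("browser", b"GET /feed.xml HTTP/1.1\r\nHost: rss.example\r\n\r\n"),
    ("handshake-only", b""),
    ("partial-request", b"GET /feed.xml HT"),
    ("sync-client", b"\x00\x01\x00\x2aSYNC\x00\x00\x10\x04"),
    ("tls-on-80", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("text-not-http", b"HELO handheld\r\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:16} {classify(data)}")
```

Sessions reported as `not-http` are the ones an HTTP proxy on port 80 would be expected to drop once data starts flowing.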

Solution

In most cases, the solution is to use a firewall policy without a protection profile (no proxy enabled) with the RSS server's Fully Qualified Domain Name (FQDN) as the destination address.

There have been cases where the RSS server (www.avantgo.com, for example) resolved through DNS to a different IP address than the one the Smart-Phone used. In those cases, a fixed destination address (the one the Smart-Phones use) was used.