Description
The TLS active probe initiates connections from the FortiGate itself.
It is a regular TLS client: it connects to the server the inspected client is talking to and retrieves the server's information.
It is required by Application Control and Web Filter, which must apply their rules to a hostname (the SNI from the TLS ClientHello) that has been verified against the real server rather than taken from the client alone.
The TLS probe timeout is 5 seconds.
When the TLS probe fails, the load time of the web page can increase significantly (by more than 5 seconds), because the inspected connection waits for the probe to time out.
The TLS probe can fail because of bad routing from the FortiGate itself, for example with Transparent VDOMs, in an SD-WAN setup, or when a secondary IP address of the interface is the one used to reach the Internet.
Scope
Slow web page load when a web filter profile is enabled in the firewall policy.
FortiOS 6.2.6 and later, 6.4.4 and later.
Troubleshooting
CLI commands:
diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable
Debug output that shows the TLS probe failing (the 5-second timeout expires before the server is reached):
eng_debug_log: Probe failed: unable to connect
Solution
In such scenarios, the outgoing interface, source IP, and VDOM used for the IPS TLS active probe connection can be configured manually.
CLI commands:
# config ips global
    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name>          <----- Used when the method is 'specify'
        set vdom <vdom name>               <----- Used when the method is 'sdwan' or 'specify'
        set source-ip <source_ipv4>        <----- Used when the method is 'sdwan' or 'specify'
        set source-ip6 <source_ipv6>       <----- Used when the method is 'sdwan' or 'specify'
    end
end
set interface-selection-method: specifies how the outgoing interface used to reach the server is selected.
auto <----- Select the outgoing interface automatically.
sdwan <----- Select the outgoing interface by SD-WAN or policy routing rules.
specify <----- Set the outgoing interface manually (the interface given in 'set interface').
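A worked configuration for the Transparent VDOM case, added here as an illustration and not taken from the article: it assumes a transparent VDOM whose traffic is inspected, a NAT VDOM named 'root' that holds the default route, an egress interface 'port1' in 'root' with the address 192.0.2.10 (a documentation-range address chosen for the example), and, as an alternative, an SD-WAN setup whose rules live in 'root'. Every interface, VDOM, and IP value is an assumption; replace them with the ones on the unit.

```text
# config ips global
    config tls-active-probe
        set interface-selection-method specify
        set interface port1            <----- Interface that actually has a route to the server (assumed: port1)
        set vdom root                  <----- VDOM that owns port1, not the transparent VDOM being inspected (assumed: root)
        set source-ip 192.0.2.10       <----- Address configured on port1 (assumed; documentation range)
    end
end

# config ips global
    config tls-active-probe
        set interface-selection-method sdwan
        set vdom root                  <----- VDOM in which the SD-WAN or policy routing rules exist (assumed: root)
        set source-ip 192.0.2.10       <----- Source address the SD-WAN rules are expected to match (assumed)
    end
end

# diagnose ips debug enable ssl
# diagnose ips debug enable urlfilter
# diagnose debug enable
```

On a unit with multiple VDOMs, enter 'config global' before 'config ips global', since the IPS global settings live in the global context. For the secondary-IP case, keep the 'specify' method and set 'source-ip' to the secondary address that is used for Internet access, so that the probe's packets are sourced from an address the return path knows. After the change, reload the slow page with the debug commands above enabled: the 'Probe failed: unable to connect' line should no longer appear, and the page should load without the extra 5-second delay.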
Copyright 2024 Fortinet, Inc. All Rights Reserved.