FortiGate
gonzalezw
Staff
Article Id: 307182
Description: This article describes an issue where the Dropbox desktop app does not work when deep inspection is enabled on the FortiGate firewall rule.
Scope: FortiGate and Windows OS.
Solution

When the Dropbox desktop app is installed on a Windows machine and deep inspection is enabled in the firewall policy from LAN to WAN, Dropbox may fail to function. The desktop app either does not open or spins continuously without displaying the login screen.

 

This behavior is typically due to Full SSL inspection being enabled. For more information on the differences between SSL Certificate Inspection and Full SSL inspection, refer to this related article:

Technical Note: Differences between SSL Certificate Inspection and Full SSL Inspection

 

The Dropbox team recommends whitelisting a list of domains in FortiGate. The list of official Dropbox domains is available here: https://help.dropbox.com/security/official-domains

 

To whitelist these domains in the SSL INSPECTION security profile under 'Exempt from SSL Inspection', follow these steps:

 

  1. Create address objects of type FQDN from the Dropbox domain list (https://help.dropbox.com/security/official-domains):



 

  2. Once each object has been created individually, add them to a single group:

 


 

  3. Now that the address group is created, clone the deep inspection profile, since the default profile cannot be edited:

 


 

  4. Add the group created above to 'Exempt from SSL Inspection' in the 'SSL/SSH inspection' settings of the 'Clone of deep-inspection' profile, under 'Security Profile' in the firewall.

 


 

  5. Select 'OK' to save the changes. Test again on the Windows computer.
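
The address, group and exemption steps above can also be generated as FortiOS CLI text instead of being clicked through one object at a time. The script below is an added example, not part of the original article or Fortinet's own tooling. It assumes the cloned profile is named 'Clone of deep-inspection' as in the steps above and already exists; the group name `Dropbox-Domains` and the short domain list are constructed samples, to be replaced with the entries from the Dropbox page.

```python
import re

# Assumptions: GROUP_NAME is a hypothetical name; PROFILE_NAME is the profile
# cloned in the GUI steps and must already exist on the FortiGate.
GROUP_NAME = "Dropbox-Domains"
PROFILE_NAME = "Clone of deep-inspection"

# Constructed sample, not the full list: paste the entries from the Dropbox page.
SAMPLE_DOMAINS = ["dropbox.com", "Dropbox.com", "dropboxapi.com", 'bad"name.com']

# Strict hostname pattern so pasted text cannot inject quotes or extra CLI lines.
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def clean_domains(raw):
    """Lower-case, de-duplicate (order kept) and split into (valid, rejected)."""
    valid, rejected = [], []
    for entry in raw:
        name = entry.strip().lower().rstrip(".")
        if not _FQDN.match(name):
            rejected.append(entry)  # report it rather than emit unsafe CLI
        elif name not in valid:
            valid.append(name)
    return valid, rejected


def build_cli(raw, group=GROUP_NAME, profile=PROFILE_NAME):
    """Return (FortiOS CLI text for the objects, group and exemption, rejected)."""
    valid, rejected = clean_domains(raw)
    if not valid:
        raise ValueError("no valid FQDN supplied")
    lines = ["config firewall address"]
    for name in valid:  # one FQDN address object per domain
        lines += [f'    edit "{name}"', "        set type fqdn",
                  f'        set fqdn "{name}"', "    next"]
    members = " ".join(f'"{n}"' for n in valid)
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              f"        set member {members}", "    next", "end",
              "config firewall ssl-ssh-profile", f'    edit "{profile}"',
              "        config ssl-exempt", "            edit 0",
              "                set type address",
              f'                set address "{group}"',
              "            next", "        end", "    next", "end"]
    return "\n".join(lines), rejected


if __name__ == "__main__":
    cli, skipped = build_cli(SAMPLE_DOMAINS)
    print(cli)
    print("# skipped entries:", skipped)
```

Review the skipped entries before pasting the output into the FortiGate CLI: anything that is not a plain hostname, including wildcard entries, is rejected by this script and needs to be handled by hand.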