FortiGate
jiahoong112 (Staff)
Article Id 302798
Description

This article describes a case where certain websites cannot be accessed when Web Filter (or any other security profile) is enabled on an Explicit Proxy policy. When the Web Filter is removed from the policy, the website becomes accessible again.

This can be seen in networks where the WAN interface is configured with a jumbo frame MTU value.

Scope
FortiGate.
Solution

Non-working scenario Wireshark packet captures (Web Filter enabled on the Explicit Proxy policy):

[Image: Wireshark capture, Web Filter enabled on the Explicit Proxy policy]

Here, the SYN packet to the server/website has an MSS value of 9176 and the SYN/ACK has an MSS value of 1117.

The client device then sends a TLS Client Hello packet but never receives a Server Hello. The TLS handshake therefore fails and connectivity to the server/website cannot be established.

 

Working scenario Wireshark packet captures (Web Filter disabled on the Explicit Proxy policy):

[Image: Wireshark capture, Web Filter disabled on the Explicit Proxy policy]

After disabling the Web Filter on the Explicit Proxy policy, the SYN packet to the server/website has an MSS value of 1460 and the SYN/ACK response has an MSS value of 1117. The Client Hello is then sent from the client and the server responds with a Server Hello. The TLS handshake completes and connectivity to the server/website is established successfully.
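The two captures above differ only in the MSS advertised in the outbound SYN. The following Python script is an added example written for this article (it is not FortiGate code and does not read a real Wireshark file): it shows where an MSS of 9176 comes from (9216-byte jumbo MTU minus 40 bytes of IPv4/TCP headers; the 9216 value is an assumption, since the article does not state the interface MTU), parses constructed, tshark-style capture lines that mirror both scenarios, flags SYNs whose MSS exceeds what a standard 1500-byte path can carry, and checks whether a Server Hello ever followed the Client Hello.

```python
"""Diagnose the jumbo-MTU / explicit-proxy MSS symptom from capture summaries.

Added example for this article. The capture text is constructed to mirror
the two scenarios described above and uses a simplified line format
(an assumption, not the output of any real tool).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 20-byte IPv4 header + 20-byte TCP header with no options. (IPv6 would be 60.)
IPV4_TCP_OVERHEAD = 40


def mss_for_mtu(mtu: int) -> int:
    """MSS a host derives from an interface MTU: 1500 -> 1460, 9216 -> 9176."""
    return mtu - IPV4_TCP_OVERHEAD


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    mss: Optional[int]   # only present on SYN / SYN,ACK
    payload: str         # free-text description of the payload, if any


# "<no> <src> -> <dst> [FLAGS] [MSS=n] [description]"
LINE_RE = re.compile(
    r"^\s*\d+\s+(\S+)\s+->\s+(\S+)\s+\[([A-Z,]+)\](?:\s+MSS=(\d+))?(?:\s+(.*))?$"
)


def parse_capture(text: str) -> List[Segment]:
    """Parse the constructed capture format into Segment records."""
    segments = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        src, dst, flags, mss, payload = m.groups()
        segments.append(Segment(src, dst, frozenset(flags.split(",")),
                                int(mss) if mss else None, payload or ""))
    return segments


def find_oversized_syns(segments: List[Segment],
                        path_mtu: int = 1500) -> List[Tuple[str, str, int]]:
    """Return (src, dst, mss) for SYNs advertising an MSS above the path MSS.

    A peer that honours such an MSS may send segments larger than the path
    can carry; if PMTUD does not recover, those segments are silently lost,
    which is how the Server Hello goes missing in the non-working capture.
    """
    limit = mss_for_mtu(path_mtu)
    return [(s.src, s.dst, s.mss) for s in segments
            if s.flags == frozenset({"SYN"}) and s.mss is not None and s.mss > limit]


def tls_handshake_completed(segments: List[Segment]) -> bool:
    """True if a Server Hello is seen after a Client Hello in the capture."""
    saw_client_hello = False
    for s in segments:
        if "Client Hello" in s.payload:
            saw_client_hello = True
        elif saw_client_hello and "Server Hello" in s.payload:
            return True
    return False


# Constructed sample captures (documentation addresses, not real hosts).
CAPTURE_WEBFILTER_ENABLED = """
1 192.0.2.10:51000 -> 203.0.113.20:443 [SYN] MSS=9176
2 203.0.113.20:443 -> 192.0.2.10:51000 [SYN,ACK] MSS=1117
3 192.0.2.10:51000 -> 203.0.113.20:443 [ACK]
4 192.0.2.10:51000 -> 203.0.113.20:443 [PSH,ACK] TLS Client Hello
5 192.0.2.10:51000 -> 203.0.113.20:443 [PSH,ACK] TLS Client Hello (retransmission)
"""

CAPTURE_WEBFILTER_DISABLED = """
1 192.0.2.10:51001 -> 203.0.113.20:443 [SYN] MSS=1460
2 203.0.113.20:443 -> 192.0.2.10:51001 [SYN,ACK] MSS=1117
3 192.0.2.10:51001 -> 203.0.113.20:443 [ACK]
4 192.0.2.10:51001 -> 203.0.113.20:443 [PSH,ACK] TLS Client Hello
5 203.0.113.20:443 -> 192.0.2.10:51001 [PSH,ACK] TLS Server Hello
"""


if __name__ == "__main__":
    print("jumbo MTU 9216 -> MSS", mss_for_mtu(9216))
    for name, text in (("Web Filter enabled", CAPTURE_WEBFILTER_ENABLED),
                       ("Web Filter disabled", CAPTURE_WEBFILTER_DISABLED)):
        segs = parse_capture(text)
        print(name, "| oversized SYNs:", find_oversized_syns(segs),
              "| TLS handshake completed:", tls_handshake_completed(segs))
```

Run it as a script and the non-working capture is flagged for the 9176-byte MSS and an incomplete handshake, while the working capture passes both checks. To apply the same check to a real capture, feed the parser whatever summary format your capture tool produces; the two checks themselves only need the flags, the MSS option and a marker for the TLS record type.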

 

Another approach would be to tune the TCP MSS value on the proxy policy itself. However, unlike a regular firewall policy, a proxy policy has no TCP MSS setting to tune.

 

In this case, the TCP MSS value can only be tuned at the interface level; refer to this related KB article:

Technical Tip: How to tune TCP maximum segment size in explicit proxy FortiGate