Asked by Troy Taylor (United States of America)

Fortigate 100E Deep Packet Inspection - DPI Performance Issues

We have two Fortigate 100E devices, each at a different site, that have problems when DPI is turned on. We've opened a case for each with support, but haven't seen any progress on resolution. I want to share here in case anyone has any insight on this... maybe something you saw and solved without engaging Fortinet support.

FW 1 Issue Description.

We've been experiencing a problem with deep inspection where all websites time out unless we switch to certificate inspection. A firewall reboot will temporarily resolve the issue, but it returns within 10 days or so. CPU and memory are both completely fine (CPU under 10% and memory under 60%).

This configuration ran fine with no issues with deep inspection for probably close to two years. Issue started after updating from 5.4 to 5.6.7. We then updated to 6.0.4 to try and remedy the issue per Fortinet's recommendation but the issue keeps returning every 10 to 14 days.  

FW 2 Issue Description.

This firewall was new in October and implemented using 6.0.3

We are experiencing issues when enabling SSL Deep Packet Inspection for domain users in a single 100E, 40-50 user environment. We had a separate policy with SSL DPI enabled for 4-6 users for a couple of weeks with zero issues. Then I turned it on for all users (same policy, just a different user group), and after about 4-5 hours, all outbound internet stops working for users on all sites, exceptions or not. We have to revert back to certificate inspection only, as it causes major interruptions. We can't reproduce on a single machine because it only breaks under more of a load on the firewall.

Thanks for any experience or suggestions you have,

  Troy
noci:

Complete blocking more or less happens when systems run out of memory. The load put on the routers seems too much to handle.
Network traffic is unpredictable, and you only need to tip it over the edge to get it to block.
Also think about what DPI for SSL does. You need to decrypt and encrypt all packets (and you will also need to change the certificate in the process).
Some websites do set up some verification for whether a MITM attack is being done (like required fingerprint checks, key pinning, ...); if that is done, some sites will become unreachable.

(DPI behaves the same as a MITM attack, TBH it IS a MITM (Man in the Middle) attack.)
There are also two inspection modes:
- flow inspection mode (takes a snapshot and checks it)
- proxy mode inspection (reconstructs content passing through the FortiGate unit and inspects it)

You may test whether the issue happens in both modes or just in proxy mode, which is likely your case.

Also, for the profile, you will have to review the SSL options too:
- Multiple Clients Connecting to Multiple Servers - Use this option for generic policies where the destination is unknown.
- Protecting SSL Server - Use this option when setting up a profile customized for a specific SSL server with a specific certificate.

Likewise, check whether the issue happens for the general case or only for the server-specific one. The latter is used especially when each server has its own specific certificate (the FG acts as a reverse proxy), as compared to the multiple-client option (the FG acts as a forward proxy).

There is also another option, the SSH Deep Scan feature, which is enabled by default when creating a new SSL/SSH Inspection profile. There are situations where this feature can cause issues, so be sure that you want it enabled before applying it.
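The answer above makes the point that deep inspection is a MITM: the client no longer sees the origin server's certificate but one re-signed by the firewall's inspection CA, and clients that pin or otherwise verify the original chain fail. The following script is an added example, not part of this thread or any Fortinet tool; it probes a host over TLS and reports whether the connection timed out (the symptom described here), was rejected on certificate grounds, or succeeded, and whether the leaf certificate was issued by the inspection CA. The CA common name `INSPECTION_CA_CN` is an assumed placeholder to be replaced with the CN of your own FortiGate's SSL inspection CA.

```python
import socket
import ssl

# Assumed placeholder: the CN of the CA your FortiGate re-signs server
# certificates with under deep inspection. Replace with your own value.
INSPECTION_CA_CN = "FortiGate CA"

def rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuple
    structure that ssl.SSLSocket.getpeercert() returns for issuer/subject."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def classify_cert(cert, inspection_ca_cn=INSPECTION_CA_CN):
    """'intercepted' if the leaf was issued by the inspection CA (deep
    inspection is in the path), 'direct' if the origin chain reached us."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "intercepted" if issuer_cn == inspection_ca_cn else "direct"

def probe(host, port=443, timeout=5.0, inspection_ca_cn=INSPECTION_CA_CN):
    """Open one TLS connection and report how it went. 'timeout' is the
    symptom from the thread; 'cert_error' is what a client that pins or
    strictly validates the original chain sees behind deep inspection."""
    ctx = ssl.create_default_context()
    result = {"host": host, "status": "error", "issuer": None, "path": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(status="ok",
                              issuer=rdn_value(cert.get("issuer", ()), "commonName"),
                              path=classify_cert(cert, inspection_ca_cn))
    except socket.timeout:
        result["status"] = "timeout"
    except ssl.SSLCertVerificationError as exc:
        result.update(status="cert_error", detail=str(exc))
    except OSError as exc:
        result["detail"] = str(exc)
    return result

# Constructed sample certificates in getpeercert() shape, for offline use.
SAMPLE_INTERCEPTED = {"issuer": ((("organizationName", "Fortinet"),),
                                 (("commonName", "FortiGate CA"),))}
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example CA Inc"),),
                            (("commonName", "Example Root R1"),))}

if __name__ == "__main__":
    for host in ("example.com", "example.org"):
        print(probe(host))
```

Running it from a workstation behind the policy before and after the outage starts shows whether connections still complete the handshake (just slowly) or never reach the TLS layer at all.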
Troy Taylor (asker):

We're going to install a 200E temporarily with DPI on.  This will allow us to better evaluate and test the 100E.

TT
I think the challenge is how to make sure these appliances really get tested under a high load of SSL traffic inspection. And always have HA, as this inline traffic may need to fail open so as not to be a bottleneck.
Hello,

What is the traffic volume during the issue time, and what security profiles are applied on the policies?
Myramu,
  I will ask my Team for the specifics on this.

Troy