FortiGate Application Control profile breaks AP Management connection

  • 1
  • Question
  • Updated 2 years ago
I have a remote office that is connected via a private 20Mbps x 20Mbps Metro Ethernet connection.

In our main office the connection terminates on a Layer 3 switch and inside this network is the Ruckus virtual SmartZone Essentials controller.

At the remote office the connection terminates on a FortiNet firewall (v6.0.3 firmware) and in this office is a single Ruckus R710 AP.

This has been configured this way for months, but last week I wanted more visibility of what traffic was traversing this connection, so I enabled the Application Control profile on the Policy of the FortiGate.

When I have the Application Control profile active, the AP losses its SSH management tunnel to the controller.  Remove it, and the tunnel comes back up.

On the FortiGate, the Application Control profile is only set to "monitor" the "Network Services" category which covers SSH.

To be more specific, the Application Control profile is not set to "Block" any category only monitor them.

Is there some other protocol at work here that, by possibly not being known or directly defined within Application Control profile could be being blocked?

For now, we have removed the Application Control from that Policy, but I would like to get this working.
Photo of Dave Christianson

Dave Christianson

  • 4 Posts
  • 1 Reply Like
  • Frustrated

Posted 2 years ago

  • 1
Photo of pmonardo

pmonardo, Employee

  • 36 Posts
  • 22 Reply Likes
If you run a debug flow packet capture before and after enabling App. Control what do you see? 
Photo of Diego Garcia del Rio

Diego Garcia del Rio

  • 131 Posts
  • 52 Reply Likes
One thing to watch out is that FortiGate could be detecting that the SSH session is using tunneling and blocking it. I've had issues with FortiGate even in "monitor" as it somehow messes up SSH sessions and for example, would cause my SSH client to disconnect from a server as soon as I would enable tunneling.

I would try to create a bypass rule that just marks traffic on port 22 towards SmartZone as "allowed"  or try to make it bypass the application control.

Take a look at the fortigate SSH inspection details:

might want to disable them...
Photo of Dave Christianson

Dave Christianson

  • 4 Posts
  • 1 Reply Like
Creating a specific bypass rule worked.
Not the best way of handling it, I will acknowledge, but sometimes you just have to cut your loses and move on.