Showing results for 
Search instead for 
Did you mean: 

FortiGate Application Control profile breaks AP Management connection

New Contributor II
I have a remote office that is connected via a private 20Mbps x 20Mbps Metro Ethernet connection.

In our main office the connection terminates on a Layer 3 switch and inside this network is the Ruckus virtual SmartZone Essentials controller.

At the remote office the connection terminates on a FortiNet firewall (v6.0.3 firmware) and in this office is a single Ruckus R710 AP.

This has been configured this way for months, but last week I wanted more visibility of what traffic was traversing this connection, so I enabled the Application Control profile on the Policy of the FortiGate.

When I have the Application Control profile active, the AP losses its SSH management tunnel to the controller.  Remove it, and the tunnel comes back up.

On the FortiGate, the Application Control profile is only set to "monitor" the "Network Services" category which covers SSH.

To be more specific, the Application Control profile is not set to "Block" any category only monitor them.

Is there some other protocol at work here that, by possibly not being known or directly defined within Application Control profile could be being blocked?

For now, we have removed the Application Control from that Policy, but I would like to get this working.

New Contributor III
If you run a debug flow packet capture before and after enabling App. Control what do you see? 

Contributor III
One thing to watch out is that FortiGate could be detecting that the SSH session is using tunneling and blocking it. I've had issues with FortiGate even in "monitor" as it somehow messes up SSH sessions and for example, would cause my SSH client to disconnect from a server as soon as I would enable tunneling.

I would try to create a bypass rule that just marks traffic on port 22 towards SmartZone as "allowed"  or try to make it bypass the application control.

Take a look at the fortigate SSH inspection details:

might want to disable them...

Creating a specific bypass rule worked.
Not the best way of handling it, I will acknowledge, but sometimes you just have to cut your loses and move on.