Fortinet FortiGate (FortiOS)

The RTA requires one outbound connection: OpenVPN over TCP/443 to connect.remotetesting.secureworks.com. Even when a general "allow outbound 443" policy exists, FortiGate can silently break this connection in two ways:

  1. SSL deep inspection intercepts and re-terminates TLS, resetting the OpenVPN session.
  2. Application Control identifies the flow as the OpenVPN application (or rejects non-HTTPS traffic on port 443) and drops it.

Both exemptions are required.

Note

See Firewall troubleshooting overview for general guidance on how to determine which firewall feature is blocking the RTA, and Troubleshooting overview for all RTA troubleshooting topics.


1. Create an FQDN address object

Create a reusable address object for the RTA endpoint so you can reference it consistently in inspection profiles and policies.

GUI: Policy & Objects > Addresses > Create New > Address

Field      Value
Name       rta-connect-secureworks
Type       FQDN
FQDN       connect.remotetesting.secureworks.com
Interface  Any

CLI:

config firewall address
    edit "rta-connect-secureworks"
        set type fqdn
        set fqdn "connect.remotetesting.secureworks.com"
        set comment "RTA OpenVPN endpoint"
    next
end

2. Exempt from SSL inspection

SSL/SSH deep inspection will intercept the OpenVPN handshake and terminate the tunnel. You have two options — choose one.

Option A: Add an exemption to the SSL/SSH inspection profile

This keeps deep inspection active for other traffic while excluding the RTA destination.

GUI: Security Profiles > SSL/SSH Inspection > open the profile applied to outbound traffic > Exemptions tab > Create New

Field    Value
Address  rta-connect-secureworks (select the object created above)
Ports    443

CLI (replace deep-inspection with your actual profile name):

config firewall ssl-ssh-profile
    edit "deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "rta-connect-secureworks"
            next
        end
    next
end

Option B: Use certificate-inspection on the firewall policy

Create a dedicated firewall policy for the RTA destination and apply the built-in certificate-inspection profile instead of deep-inspection. Certificate inspection validates the server certificate without re-terminating TLS, so OpenVPN passes through unmodified.

GUI: Policy & Objects > Firewall Policy > the policy covering outbound traffic from the RTA segment > set SSL Inspection to certificate-inspection (or create a narrower policy scoped to rta-connect-secureworks that references certificate-inspection).

Tip

Option B is the simpler path on appliances where editing the global deep-inspection profile is not permitted. Scoping it to a dedicated policy also avoids unintended side-effects on other traffic.


3. Allow the OpenVPN application

FortiGuard Application Control includes a signature named OpenVPN (category: Network Services or VPN, depending on the FortiGuard database version installed). If an Application Control profile applied to outbound traffic is set to block or monitor-and-drop this signature, the RTA tunnel will not establish.

GUI: Security Profiles > Application Control > open the profile applied to outbound traffic > locate OpenVPN (use the search box) > set Action to Allow.

Alternatively, add an application override:

Application Control profile > Application Overrides tab > Add Signatures > search for OpenVPN > set Action to Allow.

CLI (replace default with your actual app-control profile name):

config application list
    edit "default"
        config entries
            edit 0
                set application 15832
                set action pass
            next
        end
    next
end

Note

The FortiGuard application ID for OpenVPN may vary with database versions. Use diagnose application list | grep -i openvpn on the CLI, or search by name in the GUI, to confirm the current ID on your appliance.

If your outbound policy for this destination does not reference any Application Control profile, no action is needed here.


4. Verify

From a host on the same network segment as the RTA, confirm TCP/443 reaches the endpoint:

nc -vz connect.remotetesting.secureworks.com 443

A successful result looks like:

Connection to connect.remotetesting.secureworks.com 443 port [tcp/https] succeeded!

Then confirm the RTA tunnel itself comes up and stays up (no repeated reconnects in the RTA management console). On the FortiGate, check:

  • Log & Report > Forward Traffic — confirm the session for connect.remotetesting.secureworks.com:443 shows action accept and is not immediately closed.
  • Log & Report > Application Control — confirm no block events for the OpenVPN application from the RTA source address.

If the connection is accepted but resets after a few seconds, SSL inspection is still intercepting the session — revisit Step 2.
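To triage exported FortiGate logs against the checks above, here is an added Python example (not part of this page or of Secureworks' tooling). It assumes FortiOS key=value syslog fields (type, subtype, srcip, dstip, dstport, action, duration, app) and uses constructed sample records with placeholder addresses; resolve the RTA FQDN yourself and pass the resulting IPs.

```python
import re

# Constructed sample FortiOS key=value log records (not real captures); the
# RTA source 10.10.20.5 and destination 203.0.113.10 are placeholders.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:05 type="traffic" subtype="forward" srcip=10.10.20.5 dstip=203.0.113.10 dstport=443 proto=6 action="accept" duration=1800',
    'date=2024-05-01 time=09:01:10 type="traffic" subtype="forward" srcip=10.10.20.5 dstip=203.0.113.10 dstport=443 proto=6 action="server-rst" duration=3',
    'date=2024-05-01 time=09:01:11 type="utm" subtype="app-ctrl" srcip=10.10.20.5 dstip=203.0.113.10 dstport=443 app="OpenVPN" appcat="Network.Service" action="block"',
    'date=2024-05-01 time=09:02:00 type="traffic" subtype="forward" srcip=10.10.20.5 dstip=203.0.113.10 dstport=443 proto=6 action="deny" duration=0',
    'date=2024-05-01 time=09:02:30 type="traffic" subtype="forward" srcip=10.10.30.9 dstip=203.0.113.10 dstport=443 proto=6 action="accept" duration=60',
]

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one key=value record into a dict, stripping quotes from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def classify(rec, rta_src, rta_ips):
    """Map a record to one of the failure modes from the checklist, or None."""
    if rec.get("srcip") != rta_src or rec.get("dstip") not in rta_ips:
        return None
    action = rec.get("action", "")
    if rec.get("type") == "utm" and rec.get("subtype") == "app-ctrl":
        # Step 3: Application Control matched the OpenVPN signature and blocked it
        if rec.get("app", "").lower() == "openvpn" and action in ("block", "reset"):
            return "APPCTRL_BLOCK"
        return None
    if rec.get("type") != "traffic" or rec.get("dstport") != "443":
        return None
    if action == "deny":
        return "POLICY_DENY"   # no policy allows the flow at all
    if action in ("server-rst", "client-rst", "close") and int(rec.get("duration", "0")) <= 5:
        return "EARLY_RESET"   # accepted, then torn down within seconds: Step 2 suspect
    if action == "accept":
        return "OK"
    return None


def triage(lines, rta_src, rta_ips):
    """Count each verdict over a batch of exported log lines."""
    counts = {}
    for line in lines:
        verdict = classify(parse_record(line), rta_src, rta_ips)
        if verdict:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, "10.10.20.5", {"203.0.113.10"}))
```

A non-empty APPCTRL_BLOCK count points back to Step 3; EARLY_RESET entries with no block events point back to Step 2.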