CarlosColombini
Staff & Editor
December 28, 2021

Technical Tip: Extended logging for SSL traffic

Description: This article describes the SSL logging options that provide more detail about the SSL/TLS connections a FortiGate inspects.
Scope: FortiGate running FortiOS 6.4.0 and later (ssl-negotiation-log) and FortiOS 7.0.1 and later (ssl-server-cert-log and ssl-handshake-log).
Solution

In FortiOS 6.4.0, the option 'set ssl-negotiation-log {enable | disable}' was added to the SSL/SSH profile. When enabled, it records the result of SSL negotiations that the FortiGate does not support in the UTM SSL logs.

 

To log unsupported SSL negotiations:

config firewall ssl-ssh-profile
    edit <name>
        set ssl-negotiation-log {enable | disable}
    next
end

 

For reference, see WAD and Proxyd SSL logging improvement.

 

Starting in FortiOS 7.0.1, two further options were added to the SSL/SSH profile to log server certificate information and TLS handshake details. When they are enabled, new fields are added to the UTM SSL logs.

 

config firewall ssl-ssh-profile
    edit <name>
        set ssl-server-cert-log {enable | disable}
        set ssl-handshake-log {enable | disable}
    next
end

 

For more information, see the following documents:

 

Important: For the SNI and extended logging fields to be populated, the firewall policy that applies the SSL/SSH profile must also reference a Web Filter profile. In the example below, "sni-log-profile" and "Web_Profile_here" are placeholders for the names of your own profiles.

config firewall policy
    edit <policy_id>
        set ssl-ssh-profile "sni-log-profile"
        set webfilter-profile "Web_Profile_here"
    next
end

 

The options added in FortiOS 7.0.1 are particularly helpful when a customer needs further connection details for reporting purposes, such as the TLS version, key exchange, SNI, SAN and certificate issuer.
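The negotiation log from 6.4.0 and the handshake/certificate fields from 7.0.1 are only useful once something reads them. The following script is an added example, not Fortinet code: it parses FortiGate-style key=value UTM SSL log lines, counts TLS versions, key exchanges and issuers for reporting, lists unsupported negotiations and legacy protocol versions, and flags connections whose SNI is not covered by the certificate's SAN list. The sample log lines are constructed for the example, and the field names tlsver, keyexchange, sni, san and issuer (as well as the eventtype values in the samples) are assumed placeholders for the real 7.0.1 field names; check the FortiOS log reference before pointing this at production logs.

```python
import re
from collections import Counter

# FortiGate syslog lines are space-separated key=value pairs; values that
# contain spaces or commas are wrapped in double quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Protocol versions that should no longer appear in production traffic.
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample lines, not captured from a real device.  Keys such as
# type, subtype, srcip, dstip, action and msg are standard FortiGate keys;
# tlsver, keyexchange, sni, san and issuer are ASSUMED names standing in for
# the 7.0.1 handshake/certificate fields.
SAMPLE_LOGS = [
    'date=2021-12-28 time=10:15:32 devname="FGT-LAB" logid="1700062056" type="utm" '
    'subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="root" srcip=10.1.1.5 '
    'srcport=51234 dstip=203.0.113.10 dstport=443 action="blocked" '
    'msg="unsupported SSL negotiation" tlsver="SSLv3" sni="legacy.example.com"',
    'date=2021-12-28 time=10:16:01 devname="FGT-LAB" type="utm" subtype="ssl" '
    'eventtype="ssl-handshake" level="information" srcip=10.1.1.6 dstip=203.0.113.20 '
    'dstport=443 action="passthrough" tlsver="TLSv1.3" keyexchange="x25519" '
    'sni="www.example.com" san="www.example.com,example.com" issuer="Example Root CA"',
    'date=2021-12-28 time=10:16:05 devname="FGT-LAB" type="utm" subtype="ssl" '
    'eventtype="ssl-handshake" level="information" srcip=10.1.1.7 dstip=203.0.113.30 '
    'dstport=443 action="passthrough" tlsver="TLSv1.2" keyexchange="ECDHE" '
    'sni="api.example.org" san="*.example.org" issuer="Example Intermediate CA"',
    'date=2021-12-28 time=10:16:09 devname="FGT-LAB" type="utm" subtype="ssl" '
    'eventtype="ssl-handshake" level="information" srcip=10.1.1.8 dstip=198.51.100.9 '
    'dstport=443 action="passthrough" tlsver="TLSv1.2" keyexchange="RSA" '
    'sni="login.bank.example" san="*.cdn.example" issuer="Untrusted CA"',
    'date=2021-12-28 time=10:16:12 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcip=10.1.1.9 dstip=198.51.100.10 dstport=80 action="accept"',
    'date=2021-12-28 time=10:16:20 devname="FGT-LAB" type="utm" subtype="ssl" '
    'eventtype="ssl-handshake" level="information" srcip=10.1.1.10 dstip=198.51.100.11 '
    'dstport=443 action="passthrough" tlsver="TLSv1.0" keyexchange="ECDHE" '
    'sni="old.example.net" san="old.example.net" issuer="Example Root CA"',
]


def parse_fortigate_line(line):
    """Return the key=value pairs of one log line as a dict, quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def sni_matches_san(sni, san_field):
    """True if the requested SNI is covered by one entry of a comma-separated
    SAN list.  A leading wildcard covers exactly one label (RFC 6125 style):
    *.example.com matches app.example.com but not a.b.example.com."""
    sni = sni.lower().rstrip(".")
    for san in (s.strip().lower() for s in san_field.split(",") if s.strip()):
        if san.startswith("*."):
            suffix = san[1:]                      # ".example.com"
            head = sni[: -len(suffix)] if sni.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif san == sni:
            return True
    return False


def summarize_ssl_logs(lines):
    """Reduce UTM SSL log lines to the counters and findings a report needs."""
    report = {
        "ssl_events": 0,
        "unsupported_negotiations": [],   # ssl-negotiation-log (6.4.0+)
        "tls_versions": Counter(),        # ssl-handshake-log (7.0.1+)
        "key_exchanges": Counter(),
        "issuers": Counter(),             # ssl-server-cert-log (7.0.1+)
        "legacy_tls_hosts": [],
        "sni_san_mismatches": [],
    }
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") != "utm" or f.get("subtype") != "ssl":
            continue                      # only UTM SSL logs carry these fields
        report["ssl_events"] += 1
        dst = f"{f.get('dstip', '?')}:{f.get('dstport', '?')}"
        sni = f.get("sni", "")
        if f.get("eventtype") == "ssl-anomalies" and "unsupported" in f.get("msg", "").lower():
            report["unsupported_negotiations"].append((f.get("srcip"), dst, sni))
        ver = f.get("tlsver")
        if ver:
            report["tls_versions"][ver] += 1
            if ver in LEGACY_TLS:
                report["legacy_tls_hosts"].append((sni or dst, ver))
        if f.get("keyexchange"):
            report["key_exchanges"][f["keyexchange"]] += 1
        if f.get("issuer"):
            report["issuers"][f["issuer"]] += 1
        # A certificate that does not cover the requested name is worth a look:
        # interception, a misconfigured server, or a client talking to the wrong host.
        if sni and f.get("san") and not sni_matches_san(sni, f["san"]):
            report["sni_san_mismatches"].append((sni, f["san"]))
    return report


if __name__ == "__main__":
    r = summarize_ssl_logs(SAMPLE_LOGS)
    print(f"SSL events: {r['ssl_events']}")
    print("TLS versions:", dict(r["tls_versions"]))
    print("Key exchange:", dict(r["key_exchanges"]))
    print("Issuers:", dict(r["issuers"]))
    for src, dst, sni in r["unsupported_negotiations"]:
        print(f"UNSUPPORTED negotiation {src} -> {dst} (SNI {sni or 'none'})")
    for host, ver in r["legacy_tls_hosts"]:
        print(f"LEGACY protocol {ver} to {host}")
    for sni, san in r["sni_san_mismatches"]:
        print(f"SNI/SAN MISMATCH: requested {sni}, certificate covers {san}")
```

To use it against a FortiGate, replace SAMPLE_LOGS with lines read from the syslog receiver or exported from FortiAnalyzer, and rename the assumed keys to the field names your firmware actually emits; the parser itself does not care which keys are present, so missing fields simply leave their counters empty.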

The new fields are added to the raw logs and can also be displayed in the GUI. To show them, navigate to 'Log & Report', select 'SSL', hover over the title row and click the gear icon to customize the columns, as shown in the image below.

[Image: CarlosColombini_0-1640710617221.png, the Log & Report > SSL log view with the column customization gear icon]

 

Note:
These fields were also added to FortiAnalyzer in firmware version 7.0.1, so they are parsed and populated in the FortiAnalyzer Log Viewer only when FortiAnalyzer is running firmware version 7.0.1 or later.