LaurentDumont
New Member
August 20, 2019
Solved

80C - Enabling SSL Inspection

  • August 20, 2019
  • 1 reply
  • 3375 views

Hey everyone,

Currently attempting to enable SSL inspection/MITM on a 80C and it doesn't seem to be working.

  • I have a single FW rule for the outgoing NAT traffic.
  • I don't see the FGT certificate being presented to hosts browsing HTTPS sites behind the FW. I am seeing the traffic hitting the correct policy.
  • It doesn't have a license. It's just for testing stuff in a lab.
  • Running v5.6.3 build1547 (GA)

    Relevant configurations:
      • Security profile: https://i.imgur.com/lT5y8aL.png
      • FW rule with applied profile: https://i.imgur.com/u3OwQAw.png
      • Traffic hitting the FW and the correct policy: https://i.imgur.com/Pvx5pPC.png

    Is the SSL inspection feature behind the paid license? Anything else I could try to properly troubleshoot this?

    Let me know if there is anything else I can provide.

    Thanks!
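A client-side check for the symptom in this post (whether the FortiGate's re-signing CA is what a host behind the firewall actually sees), as an added example that is not part of the thread and not Fortinet code. It assumes a POSIX shell with the openssl CLI on a client behind the policy, and that the inspecting CA's issuer DN contains a recognisable string; the default pattern "Fortinet" is an assumption about the built-in re-signing CA, so pass the CN of whatever CA you installed. If the issuer printed is still the site's public CA, the session was passed through untouched and the policy or profile, not the certificate, is the thing to look at.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from Fortinet.
# Assumes: a POSIX shell, the openssl CLI on a client behind the firewall, and
# that the inspecting CA's issuer DN contains a recognisable string. The default
# pattern "Fortinet" is an assumption about the FortiGate's built-in re-signing CA;
# pass your own CA's CN if you installed one.

# Print the issuer DN of the first PEM certificate read from stdin.
issuer_of_pem() {
    openssl x509 -noout -issuer
}

# Connect to host:port, grab the leaf certificate actually presented to this
# client, and print its issuer. Under working deep inspection this is the
# firewall's CA, not the site's public CA.
presented_issuer() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM 2>/dev/null \
        | issuer_of_pem
}

# Return 0 if the issuer DN in $1 matches the CA pattern in $2 (case-insensitive),
# i.e. the session was re-signed by the inspecting device.
is_intercepted() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Usage: check_site www.example.com [CA-pattern]
# Prints a verdict; returns 0 when intercepted, 1 when untouched or no cert seen.
check_site() {
    issuer=$(presented_issuer "$1" 443)
    pattern="${2:-Fortinet}"
    if [ -z "$issuer" ]; then
        echo "$1: no certificate received (connection blocked or not TLS?)"
        return 1
    fi
    if is_intercepted "$issuer" "$pattern"; then
        echo "$1: intercepted, $issuer"
        return 0
    fi
    echo "$1: NOT intercepted, $issuer"
    return 1
}
```

Run `check_site` against a few HTTPS sites from a host on the internal interface; a mix of intercepted and untouched results usually points at exemptions in the SSL/SSH profile rather than at the policy. Sites the client pins (or that use HSTS with a pinned CA) will fail to load in the browser even when interception is working, which is a separate symptom from the one in this post.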

    • Best answer by orani


      1 reply

      orani (Best answer)
      New Member
      August 20, 2019

      What do you mean by "it is not working"?

      You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

      LaurentDumont
      New Member
      August 21, 2019

      orani wrote:

      What do you mean by "it is not working"?

      You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

      That was it! I tried with a dummy web filter and it does intercept the SSL traffic now.


      I am now trying to dump the decrypted SSL traffic. I've bolded the relevant commands. That said, I am not seeing any traffic on that interface. Anything else I should try?


      FGT-LAURENT-DREAMHACK # show firewall policy 1
      config firewall policy
          edit 1
              set name "ssl-inspection"
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set utm-status enable
              set logtraffic all
              set ssl-mirror enable
              set ssl-mirror-intf "wan2"
              set webfilter-profile "web-filter-flow"
              set profile-protocol-options "default"
              set ssl-ssh-profile "test-all"
              set nat enable
          next
      end


      Thanks!