hack3rcon
Explorer
November 1, 2023
Question

FortiGate and Tor

  • November 1, 2023
  • 5 replies
  • 5541 views

Hello,

Is it possible to monitor Tor traffic using Fortinet products such as FortiGate? For example, is it possible to find out which website a user goes to through Tor?


Thank you.

5 replies

srajeswaran
Staff
November 1, 2023
xshkurti
Staff
November 1, 2023

@hack3rcon 
When you enable Tor sensors to monitor traffic, the Tor connection will not work. It will be blocked by FortiGate because of deep inspection.
Tor Browser seems not to accept the FortiGate deep inspection certificate, thus not creating a connection to the Tor network. But in this case you will be able to see which site or IP it tries to connect to.

hack3rcon
Author
Explorer
November 2, 2023

Hello,

Thank you so much for your reply.

You said "But in this case you will be able to see which site or IP it tries to connect.", so, I can see that the client runs the Tor on the network and what sites it visits through the Tor. Am I right?

xshkurti
Staff
November 2, 2023

@hack3rcon 

You will see the IP that Tor Browser will try to create the first connection to.
When you open Tor Browser, it tries to connect to the onion network and starts to establish a connection.
Now FortiGate needs deep inspection enabled, otherwise it won't recognize the application used and the sites visited.
Deep inspection requires usage of the FortiGate certificate. Tor Browser does not accept that, thus causing the connection not to establish.

In Forward logs you will be able to see the first IP that is supposed to give access to the onion net. But since Tor is not able to connect to the onion net, no websites are browsed and nothing is shown in FortiGate.

Hope this explanation is clear

hack3rcon
Author
Explorer
November 2, 2023

Hello,
Thank you so much again for your reply.
Your answer raised other questions for me:


1- You said "Deep inspection requires usage of FortiGate certificate.", so, the FortiGate can only see the IP address of the Tor entry node. Can we conclude that the FortiGate either blocks the Tor or allows it to pass through?


2- Regarding the FortiGate certificate, is this the certificate that the FortiGate injects into the network traffic? For example, something similar to a certificate in web browsers.


3- If deep inspection is enabled, can FortiGate then see the usernames and passwords that are entered on websites such as Yahoo! and Gmail?

xshkurti
Staff
November 3, 2023

@hack3rcon 

Let's put it this way.
1. You are using a normal browser to navigate to the internet. Use a policy with deep inspection in FortiGate.
FortiGate will use its certificate to decrypt all traffic, scan, make decisions based on the findings, encrypt and send it to the server side. For the client to accept this connection and not think it is a MITM, it needs to have the FortiGate certificate installed. This is because the client will see FortiGate as the server side.
FortiGate in this case will create 2 sessions, Client - FortiGate and FortiGate - Server.
On a normal browser, you can install the FortiGate certificate as a trusted root authority and create SSL/TLS sessions.
On Tor Browser, as far as I know, it is difficult to install certificates. This means that FortiGate will allow or deny traffic based on policy configuration, but Tor Browser will not trust FortiGate, resulting in the session not being created.

2. You are right, this is the certificate that gets injected into the network traffic.

3. In deep inspection traffic is decrypted, so normally you can see usernames and passwords, but there is no way to extract that information, because decryption happens at the hardware level and it is not possible for a user to view traffic passing through, unless you configure some port mirroring for decrypted traffic as described in this link:
Technical Tip: Mirroring SSL inspected traffic - Fortinet Community

Regards,

@xshkurti 

hack3rcon
Author
Explorer
November 3, 2023

Hello,
Thanks again.
Consider a company that uses FortiGate and FortiWeb devices:


1- How can the company install this certificate? Do they have to install it on the users' web browser?


2- How can you determine if the administrator of these devices has activated deep inspection or not?


3- If deep inspection is not enabled, and I log into Yahoo! or Gmail, the device administrator can't find my email password, but can he/she see my email name? For example, he/she notices that my Yahoo! email is example@yahoo.com.

xshkurti
Staff
November 4, 2023

@hack3rcon 


1. Yes, they have to install it on the users' web browser.

2. If you are not the administrator of those devices, it is out of this community's scope to give instructions on how to find what type of services the admin has activated. ;)

3. If deep inspection is not activated, your web browsing data is not visible (including emails and passwords).


Regards,

@xshkurti 

xshkurti
Staff
November 7, 2023

@hack3rcon 
1. Certificate installation is done by the admin on the users' PCs.
This means that different methods may be used: manually from the client's desktop, or via GPO if the PC is a member of a domain, or via PowerShell remote execution (again if the PC is a member of a domain), or if any other MDM solution is in place for central PC management.

2. Yes, you are right, that is a way to know if there is any certificate installed on your PC.
Other ways would be to check through Windows MMC snap-ins.


If you have found this as a solution, please like and accept it to make it easily accessible for others.

Regards!

@xshkurti
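The deployment step xshkurti describes (admin pushes the FortiGate deep-inspection CA to domain PCs, e.g. via PowerShell remoting) and the later check (see whether such a certificate is installed on your PC) as one added PowerShell example. This is not code from the thread or from Fortinet; the file path, the expected thumbprint and the "Fortinet|FortiGate" subject match are placeholders you would replace with values from your own FortiGate.

```powershell
# Added example: install a FortiGate deep-inspection CA into the machine Trusted Root
# store only after verifying it is the CA the admin actually exported, then audit
# the store. Run elevated; all values below are placeholders (assumptions).
$CertPath           = 'C:\Deploy\fortigate-ca.cer'                 # exported CA cert (assumed path)
$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_FORTIGATE_GUI'  # placeholder, copy from FortiGate
$StorePath          = 'Cert:\LocalMachine\Root'

# Load the certificate and pin it to the expected thumbprint, so a tampered or
# swapped file on the deployment share never becomes a trusted root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch for $CertPath; refusing to trust an unexpected CA"
}

# A deep-inspection CA must carry BasicConstraints CA=TRUE; refuse anything else.
$bc = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CertPath is not a CA certificate; not installing it as a root"
}

# Import only if it is not already present (idempotent for repeated GPO/remoting runs).
$already = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($already) {
    Write-Host "CA $($cert.Subject) already trusted on $env:COMPUTERNAME"
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $StorePath | Out-Null
    Write-Host "Installed CA $($cert.Subject) ($($cert.Thumbprint)) into $StorePath"
}

# Audit: list inspection CAs trusted on this PC (the check xshkurti mentions, which
# you could equally do in the certlm.msc / certmgr.msc MMC snap-ins).
Get-ChildItem $StorePath |
    Where-Object { $_.Subject -match 'Fortinet|FortiGate' } |   # subject naming is an assumption
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

Note that this only populates the Windows certificate store that Edge, Chrome and most system tools consult; the thread's point stands that Tor Browser will still not trust the inspection CA, so the session to the Tor network fails rather than being decrypted.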