filiaks1
Explorer III
May 22, 2025
Question

Fortigate SSL handshake debug for HTTPS traffic and how to see which is the unsupported cipher?

  • May 22, 2025
  • 4 replies
  • 2260 views

Hello to Everyone,

I am playing with the trial VM and I am wondering, apart from doing a tcpdump packet sniffer capture, what the options are to debug SSL handshake issues like unsupported ciphers?

I am interested in proxy-mode rules and flow-mode rules, and whether there is an option when you enable debug flow, similar to FortiWeb (Diagnosing SSL/TLS handshake failures | FortiWeb 7.6.0 | Fortinet Document Library), to see such information?

Maybe also a "debug application" option as mentioned in Solved: debug SSL inspection for flow based vs proxy based... - Fortinet Community, as for proxy mode the "wad" process is used. I am wondering, for ips and wad, what debug to enable to see the SSL handshake.

I enabled the options in Extended logging for SSL traffic - Fortinet Community and I see an unsupported ciphers error for 7.2, which is the last trial VM version having flow and proxy mode, and I see the issue with SSL failing for proxy mode. Maybe this is why it is stopped after 7.2 :)

(attached screenshot: ssl.png)
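The original question is how to see which offered cipher the inspecting side does not support without staring at a raw packet capture. The following Python script is an added example, not code from the thread or from Fortinet: it parses the cipher_suites vector out of a TLS ClientHello record (the same bytes a tcpdump/packet sniffer capture would show) and splits the client's offer into suites a given server-side policy accepts and suites it rejects. The ClientHello bytes, the cipher name table and both server policies (a modern one and a "legacy-only" one that mirrors the weak-cipher limitation mentioned later in the thread for evaluation licenses) are constructed here for illustration; a handshake_failure is expected only when the accepted list is empty.

```python
import struct

# Cipher suite ids -> IANA names, limited to the suites this example uses.
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(suites, version=0x0303):
    """Construct a minimal TLS record carrying a ClientHello (constructed input, not a capture)."""
    body = struct.pack("!H", version)
    body += bytes(range(32))                      # 32-byte client random (fixed, constructed)
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", 2 * len(suites))    # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the client version and offered cipher suites from one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                  # skip client random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def check_cipher_overlap(offered, server_supported):
    """Split the client's offer into accepted and rejected suites, preserving client preference order.
    The handshake fails only when 'accepted' is empty; 'rejected' shows what the server won't take."""
    accepted = [s for s in offered if s in server_supported]
    rejected = [s for s in offered if s not in server_supported]
    return accepted, rejected


def describe(suites):
    """Map suite ids to names, keeping unknown ids visible as hex."""
    return [CIPHER_NAMES.get(s, f"unknown(0x{s:04x})") for s in suites]


# Constructed scenario: a modern client offer checked against two hypothetical server policies.
CLIENT_OFFER = [0x1301, 0xC02F, 0x002F, 0xCCA8]
STRONG_SERVER = {0xC02F, 0xC030, 0xCCA8}
LEGACY_ONLY_SERVER = {0x000A, 0x0035}            # a device limited to weak/legacy suites

if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello(CLIENT_OFFER))
    print(f"client version 0x{hello['version']:04x}, offered: {describe(hello['cipher_suites'])}")
    for name, policy in (("strong", STRONG_SERVER), ("legacy-only", LEGACY_ONLY_SERVER)):
        acc, rej = check_cipher_overlap(hello["cipher_suites"], policy)
        print(f"{name}: accepted={describe(acc)} rejected={describe(rej)} handshake_ok={bool(acc)}")
```

To use it on real traffic, feed the bytes of the first record of the client's TCP payload (from a sniffer capture) to parse_client_hello and the inspecting device's configured suite set to check_cipher_overlap; an empty accepted list is the "unsupported cipher" case, and the rejected list names the suites to look for in the device's SSL logs.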
4 replies

Yurisk
SuperUser
May 22, 2025

Hi, to your original question - diagnose debug app sslvpn -1 followed by diagnose debug enable will show you the ciphers negotiated.

On another note - if you are using the free evaluation license, only low/weak encryption is available, and so any rule trying to use Deep SSL inspection will not work.


filiaks1 (Author)
Explorer III
May 23, 2025

Hey @Yurisk. Thanks for the fast reply. I did not see anything when I enabled diagnose debug app sslvpn -1 and connected to the web server that has HTTPS, where the FortiGate emulates the certificate for the clients connecting through it. This seems like a debug command for SSL VPN and for HTTPS/SSL flow-based (not proxy-based) emulation.

Also, I started wondering, when using "Protecting an SSL server" (that is, inbound inspection), what process is involved in that SSL encryption and decryption.

(attached screenshot: ssl-inbound.png)

Yurisk
SuperUser
May 26, 2025

So you basically are trying to do SSL offloading from an internal server by the Fortigate for the external clients connecting to the Fortigate (it still won't work because of the weak ciphers, but ..)?

Then you need other debug, which I am not aware of as I didn't ever need to debug it. But maybe start with:

show firewall vip <VIP_name> | grep ssl
diagnose firewall vip virtual-server stats

filiaks1 (Author)
Explorer III
May 27, 2025

I tried to debug the ipsengine (for flow-based SSL inspection this should be the process, not wad) and I found out that there is an ssl debug as well, but the ipsengine generates too many logs and I did not see anything SSL-specific; maybe for a non-trial firewall that will be the way to go.

I even cleared the session and restarted the process with diag test application ipsmonitor 99 and diag sys kill 9 `pidof ipsengine` before the debug.

I just see that ipsengine should never be debugged during working hours!

 

diagnose debug reset
diagnose debug disable
diagnose debug console timestamp enable
diagnose debug application ssl -1
diagnose debug application ipsengine -1
diagnose debug enable