jammac (Explorer II)
November 23, 2022
Question

FortiProxy Eval and SSL

  • 2 replies
  • 3877 views
Hello.

Two questions:

1) Does FortiProxy Eval (VM) allow SSL interception? I tried (enabled deep inspection for a policy item) but nothing happens: I just see the original certs being used when browsing through the proxy.

2) I would like to know if the HTTPS proxy scheme is available with FPX.
(see https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/proxy.md#HTTPS-proxy-scheme)
The reason is I would like to have the browser-proxy connection encrypted.
When I connect to fpx:8080 using TLS, it answers using TLS but does not transmit any certificate...

openssl s_client -connect fpx.example.com:8080
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK

Thanks.

UPDATE: Hmm. It's responding the same on (mgmt) port 443...
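As an added check to go with this question (example code written for this page, not part of the thread and not FortiProxy or Fortinet code): a small Python probe that tells apart the three situations the question mixes together. In the s_client output above the handshake "read 0 bytes", i.e. the peer accepted TCP and then closed without sending a ServerHello or a certificate; that is a different problem from interception not happening, where a certificate does arrive but is the site's original one rather than one re-signed by the proxy's inspection CA. The probe reports which case it sees. The optional `proxy_ca_pem` argument (a PEM export of the proxy's inspection CA) and the `start_silent_close_server` helper, which locally reproduces the "closed before ServerHello" behaviour, are assumptions made for the example; nothing here talks to a real FortiProxy.

```python
"""Probe a TLS endpoint and report what the server does during the handshake.

Added example for this thread (not FortiProxy or Fortinet code). It separates:
the server closing before any TLS record ("no peer certificate available",
"read 0 bytes"), a certificate re-signed by the proxy's inspection CA
(interception is working), and the upstream site's original certificate.
"""
import socket
import ssl
import sys
import threading

# Outcome labels returned by probe_tls()
TCP_FAILED = "tcp_failed"             # no TCP connection at all (refused, unreachable)
NO_SERVER_HELLO = "no_server_hello"   # TCP opened, peer closed/reset before any TLS record
HANDSHAKE_ERROR = "handshake_error"   # peer answered, but not with a usable TLS handshake
TIMEOUT = "timeout"                   # peer accepted TCP and then sent nothing
NO_CERT = "no_certificate"            # handshake completed, but no certificate was sent
INTERCEPTED = "intercepted"           # chain verifies against the proxy's inspection CA
ORIGINAL = "original"                 # chain verifies against the system trust store
UNTRUSTED = "untrusted_cert"          # a certificate was sent but chains to neither


def _handshake(host, port, ctx, timeout):
    """One TLS handshake with the given context. Returns (status, der_cert, detail)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return TCP_FAILED, None, str(e)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # binary_form=True returns the DER certificate even with CERT_NONE
            return "ok", tls.getpeercert(binary_form=True), tls.version()
    except (ssl.SSLEOFError, ssl.SSLZeroReturnError,
            ConnectionResetError, BrokenPipeError) as e:
        return NO_SERVER_HELLO, None, type(e).__name__
    except ssl.SSLCertVerificationError as e:
        return UNTRUSTED, None, e.verify_message
    except ssl.SSLError as e:
        if "EOF" in str(e).upper():   # OpenSSL wording for an unexpected EOF varies
            return NO_SERVER_HELLO, None, str(e)
        return HANDSHAKE_ERROR, None, e.reason or str(e)
    except socket.timeout as e:
        return TIMEOUT, None, str(e)
    except OSError as e:
        return HANDSHAKE_ERROR, None, str(e)
    finally:
        raw.close()


def probe_tls(host, port, proxy_ca_pem=None, timeout=5.0):
    """Classify a TLS endpoint. proxy_ca_pem: path to the inspection CA's PEM
    (an assumption for this example; export it from your own proxy)."""
    # Pass 1: no verification at all, just learn whether any certificate arrives.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    status, der, detail = _handshake(host, port, loose, timeout)
    if status != "ok":
        return {"outcome": status, "detail": detail, "cert_bytes": 0}
    if not der:
        return {"outcome": NO_CERT, "detail": detail, "cert_bytes": 0}
    result = {"detail": detail, "cert_bytes": len(der)}
    # Pass 2: does the chain verify against ONLY the proxy's inspection CA?
    if proxy_ca_pem:
        strict = ssl.create_default_context(cafile=proxy_ca_pem)
        strict.check_hostname = False
        if _handshake(host, port, strict, timeout)[0] == "ok":
            return {"outcome": INTERCEPTED, **result}
    # Pass 3: does it verify against the system trust store (original cert)?
    strict = ssl.create_default_context()
    strict.check_hostname = False
    outcome = ORIGINAL if _handshake(host, port, strict, timeout)[0] == "ok" else UNTRUSTED
    return {"outcome": outcome, **result}


def start_silent_close_server():
    """Constructed stand-in for the symptom in the question: accept the TCP
    connection, then close it without sending a single TLS byte. Returns the port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: probe.py HOST PORT [PROXY_CA.pem]
        ca = sys.argv[3] if len(sys.argv) > 3 else None
        print(probe_tls(sys.argv[1], int(sys.argv[2]), ca))
    else:                    # no arguments: reproduce the 'closed before ServerHello' case locally
        print(probe_tls("127.0.0.1", start_silent_close_server()))
```

Run without arguments it demonstrates the "no_server_hello" case against the local helper; run as `probe.py fpx.example.com 8080 proxy_ca.pem` it distinguishes an intercepted connection from one carrying the original certificate. Pass 2 deliberately loads only the proxy CA, so "intercepted" is reported only when the proxy's own CA is what signed the chain, which is the observable difference between deep inspection working and not.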

2 replies

gfleming
Staff
November 24, 2022

https://docs.fortinet.com/document/fortiproxy/7.2.0/administration-guide/669878/create-or-edit-an-ssl-ssh-inspection-profile

Did you follow these steps? You might be hitting some exemption? Or your policy is not being hit for some reason.

jammac (Author)
Explorer II
November 24, 2022

The admin interface doesn't even respond to SSL requests.

HTTPS on MGMT is enabled, TCP session is built.

FPX does not send a server certificate on MGMT port 443.

gfleming
Staff
November 24, 2022

Oh OK so your issue is you cannot connect to the admin interface over HTTPS?

Can you SSH?

Can you post the output of "show system global"?


jammac (Author)
Explorer II
November 24, 2022

I started with SSL interception but then realized that SSL to mgmt doesn't even work, with the same symptoms. So I'm going a step back and trying to find out first what could be the reason for SSL to mgmt not working (maybe the simpler issue to solve, which is going to solve the other issue at the same time).

FortiProxy-VM64 # show system global
config system global
    set admin-server-cert "Fortinet_Factory"
    set alias "FortiProxy-VM64"
    set hostname "FortiProxy-VM64"
    set timezone 26
end