Hi,
Running on a FortiGate 300D 5.6.3 I experience some strange behaviour when running some UTM features like WAF, AV and IPS. Here is my setup:
[ul]
- One wildcard certificate imported as a 'local certificate', which means with both the certificate file and the private key. This should make the device able to serve the certificate instead of my backend web server.
- One SSL/SSH inspection profile with these settings: Enable SSL Inspection of Protecting SSL Server, the right server wildcard certificate, and inspect all ports.
- One firewall rule with WAF, IPS and AV, and this SSL/SSH inspection profile.
[/ul]
Now the strange behaviour:
[ul]
- As said, the previous SSL certificate is a wildcard SSL certificate. This basically means it protects *.example.com and works fine with subdomain1.example.com as well as subdomain2.example.com and subdomain3.example.com.
- When I try SQL injection against subdomain1.example.com I get a WAF message which says "The transfer has triggered a Web Application Firewall." and "This transfer is blocked." <-- This is the expected behaviour.
- But when I try the same SQL injection against subdomain2.example.com or subdomain3.example.com, nothing is blocked at all; it is like SSL decipher does not work.
[/ul]
I didn't find anything in the configuration which would tell the FortiGate that this SSL profile is only for subdomain1. I downloaded the entire configuration file and ran some grep, and didn't find anything regarding subdomain1, subdomain2 or subdomain3.
Is someone else experiencing the same behaviour? Is this a known bug?
Thank you for your help, rhfred
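A quick way to narrow down a problem like the one described in the post above is to check, per subdomain, which certificate the FortiGate actually presents when the client sends that name in SNI: if inspection is engaging, every name covered by the wildcard should come back with the same leaf certificate (the imported wildcard one), while a host that returns a different fingerprint is being passed through untouched. The script below is an added example, not code from the original post or from Fortinet; the hostnames, the optional fixed connect address and port 443 are assumptions. It also includes the RFC 6125 single-label wildcard rule, since "the wildcard covers it" is itself worth verifying against the certificate's SAN list.

```python
"""Per-SNI certificate probe plus wildcard-coverage check.

Added example for the thread above; the hostnames below are placeholders
taken from the post and the connect address/port are assumptions."""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is only valid as the whole leftmost label
    and covers exactly one label, so '*.example.com' matches
    'subdomain1.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    if p[0] != "*" or len(p) < 3 or "*" in p[1:]:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def cert_covers(dns_names: List[str], hostname: str) -> bool:
    """True if any dNSName from the certificate's SAN list covers hostname
    (feed it the names from `openssl x509 -text` or your cert tooling)."""
    return any(wildcard_matches(n, hostname) for n in dns_names)


def presented_cert_fingerprint(hostname: str, connect_to: Optional[str] = None,
                               port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS session with SNI=hostname (optionally to a fixed address such
    as the FortiGate VIP) and return the SHA-256 fingerprint of the leaf
    certificate the server presents.  Verification is disabled on purpose:
    the point is to see whatever certificate is served, not to validate it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_to or hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def compare_hosts(hostnames: List[str], connect_to: Optional[str] = None) -> Dict[str, str]:
    """Fingerprint per SNI name.  If every host is terminated by the FortiGate
    with the same imported wildcard certificate, all fingerprints are equal;
    a host with a different fingerprint is getting another certificate (for
    instance the backend's own) and is therefore not being decrypted."""
    return {h: presented_cert_fingerprint(h, connect_to) for h in hostnames}


def hosts_with_mismatch(fingerprints: Dict[str, str], reference_host: str) -> List[str]:
    """Hosts whose presented certificate differs from the reference host's."""
    ref = fingerprints[reference_host]
    return sorted(h for h, fp in fingerprints.items() if fp != ref)


if __name__ == "__main__":
    # Placeholder names from the post; connect_to=None resolves each name via DNS.
    hosts = ["subdomain1.example.com", "subdomain2.example.com", "subdomain3.example.com"]
    fps = compare_hosts(hosts, connect_to=None)
    for host, fp in fps.items():
        print(f"{host}: {fp}")
    print("certificate differs from subdomain1:", hosts_with_mismatch(fps, hosts[0]))
```

Run it from a client on the outside of the FortiGate; if subdomain2 and subdomain3 report a fingerprint different from subdomain1, the inspection profile is not serving the wildcard certificate for those names, which is consistent with the WAF never seeing cleartext for them.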