Skip to main content
flamer
flamer
New Member
September 23, 2025
Question

TLS decrypt on 7.4?

  • September 23, 2025
  • 3 replies
  • 502 views

We used to do extensive app troubleshooting on 7.2 decrypting the traffic using a trusted ROOT CA installed on the client machine. 

 

After upgrading to 7.4, it no longer works, what we would do is (on 7.2):

create a loopback interface, create a decrypted-traffic-mirror with the loopback bound to it, create a firewall policy with decrypted-traffic-mirror enabled to the mirror. then create a firewall sniffer with the loopback interface. and voila, plain text https came out n pcap form.

 

the issue now seems to be the firewall sniffer has gone, and the new packet capture thing does not let us use loopback as an interface. Has anyone got this working and could share the steps?

3 replies

Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
September 25, 2025

Hello flamer, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
September 29, 2025

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
September 29, 2025

Hello flamer,

 

I found this solution. Can you tell us if it helps, please?

 

In FortiOS 7.4, the packet capture process has changed, and the previous method using a loopback interface for decrypted traffic mirroring may not be directly applicable. Here are the steps to capture decrypted traffic in FortiOS 7.4:

 

  1. Create a Loopback Interface:
    - Go to System > Network > Interface > Loopback.
    - Select Add Interface.
    - Enter a name for the loopback interface.
    - Select Static for the mode and enter the IP address and netmask.
    - Select the protocols allowed to access the loopback interface.
    - Select the administration status and add the interface.

  2. Configure Decrypted Traffic Mirror: Use the CLI to configure the decrypted traffic mirror:

    shell config firewall decrypted-traffic-mirror
    edit "1"
    set dstmac ff:ff:ff:ff:ff:ff
    set traffic-type ssl ssh
    set traffic-source both
    set interface "port1"
    next
    end

  3. Configure Firewall Policy: Ensure the firewall policy has decrypted traffic mirroring enabled:

    shell config firewall policy
    edit 1
    set type explicit-web
    set name "All"
    set dstintf "port1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "webproxy"
    set explicit-web-proxy "web-proxy"
    set utm-status enable
    set logtraffic all
    set decrypted-traffic-mirror "Decrypt"
    set ssl-ssh-profile "Deep_Custom"
    set webfilter-profile "default"
    next
    end

  4. Capture Traffic:
    - Use the Network > Packet Capture tab in the FortiOS GUI to capture and analyze the mirrored traffic.
    - Set the appropriate filters and start the capture.

 

If the loopback interface cannot be used directly in the new packet capture tool, consider using a dedicated interface for traffic mirroring and capturing traffic on that interface instead.

Jean-Philippe - Fortinet Community Team
Terms & ConditionsAccessibility statement