jokes54321
New Member
May 19, 2025

Virtual Server Report


Currently running FortiOS 7.2.11 and we're exposing a web server behind a Virtual Server configured for SSL offloading. Our security team is asking us to set the minimum protocol to TLS 1.2, but we've been asked to make sure no legacy clients are still using TLS 1.1.


I checked the forwarding logs and am not seeing protocol or ciphers, is there a way to see this in the logs or to pull this from FortiAnalyzer?  


Denny

1 reply

AEK
SuperUser
May 21, 2025

In your SSL inspection profile, try enabling some of the below:

ssl-anomaly-log      Enable/disable logging of SSL anomalies.
ssl-negotiation-log  Enable/disable logging SSL negotiation.
ssl-server-cert-log  Enable/disable logging of server certificate information.
ssl-handshake-log    Enable/disable logging of TLS handshakes.

You should then be able to see the related logs in FortiGate > Logs > SSL inspection logs, and in FAZ as well.

AEK
jokes54321
New Member
May 21, 2025

I sure was hopeful this was going to work. I cloned the "certificate-inspection" policy and added the logging commands to the clone. I then applied the cloned policy to the firewall policy permitting traffic from the Internet to the Virtual Server that is configured for full SSL offloading. Unfortunately, nothing is showing in the logs.


Armed with the new knowledge above, I asked ChatGPT to help, and it responded that with a VIP configuration, Deep Inspection would need to be set up to get the logging data I was after. Since this is traffic from the Internet, I don't think Deep Inspection will be an option here.


Perhaps I missed a setting to enable this? I will add this new cloned policy to an Outbound firewall policy to see if something logs when not using a Virtual Server.

AEK
SuperUser
May 21, 2025

If you are setting up a VIP to protect a server accessed from the Internet, in case you don't have a dedicated WAF then the recommended configuration is to enable deep inspection with SSL offloading on the VS in order to scan the traffic after it has been decrypted.

Also use proxy based inspection in the firewall policy and add IPS and WAF profiles.

AEK
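A worked configuration that ties the two replies above together, added here as an example and not taken from the thread or from Fortinet's documentation: it assumes FortiOS 7.2 CLI syntax, and every object name, interface and address in it is a placeholder.

```text
# Constructed example, not from this thread: FortiOS 7.2 CLI syntax assumed, all names/addresses placeholders.
# 1. VS with full SSL offloading. Keep ssl-min-version at tls-1.1 only until the
#    SSL logs confirm no client still negotiates it, then raise it to tls-1.2.
config firewall vip
    edit "vs-web-placeholder"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set ssl-mode full
        set ssl-certificate "server-cert-placeholder"
        set ssl-min-version tls-1.1
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 443
            next
        end
    next
end
# 2. Deep-inspection profile for the VS with the four logging options enabled.
config firewall ssl-ssh-profile
    edit "deep-inspection-vs-log"
        config https
            set status deep-inspection
        end
        set ssl-anomaly-log enable
        set ssl-negotiation-log enable
        set ssl-server-cert-log enable
        set ssl-handshake-log enable
    next
end
# 3. Inbound policy: proxy-based inspection with IPS and WAF profiles.
config firewall policy
    edit 0
        set name "inbound-vs-web"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vs-web-placeholder"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-vs-log"
        set ips-sensor "default"
        set waf-profile "default"
        set logtraffic all
    next
end
```

Whether the SSL inspection logs are populated for VIP traffic under a given inspection mode is exactly what this thread leaves unresolved, so confirm on a test policy that TLS version and cipher appear in the logs before raising ssl-min-version on the production VS.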