FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
JordAnge
Staff
Article Id 245055
Description

This article explains how to decrypt the TLS traffic of connections to a Virtual Server (VS) operating in Layer 7, so that the traffic received by FortiADC can be compared with the traffic it sends to the Real Servers. The method relies on the session keys that the httproxy debug prints while the connections are made; those keys are then loaded into Wireshark.

 

Topology:

                               +--> RS-A1
Client (Internet) ==> FADC  ---|
                               +--> RS-A2

DecryptTraffic-00.png

Scope

Compare the traffic received by FortiADC and the traffic sent to the Real Servers.

Solution

Step-1.

Disable WAF security in the configuration of the Virtual Server.
Disable TLS 1.3 in the 'Client SSL Profile' and in the 'Real Server SSL Profile'.

The debug used in the next steps prints 'CLIENT_RANDOM' key-log entries, which carry the master secret of TLS 1.2 (and earlier) sessions only; Wireshark needs the separate per-direction traffic secrets to decrypt TLS 1.3, so TLS 1.3 sessions would remain encrypted. Because the debug exposes live session keys, run this procedure in a maintenance window or against test traffic, and revert both changes once the captures are collected.

 

Step-2.

Prepare the following debug, filtered on the name of the Virtual Server:

 

# diagnose debug module httproxy set-filter vsname=<VirtualServer_name>
# diagnose debug module httproxy ssl_ae_info
# diagnose debug module ssl-of-httproxy all set
# diagnose debug enable

 

Step-3.

In the GUI, prepare two packet captures: one on the FrontEnd interface (e.g. the WAN interface) and one on the BackEnd interface (e.g. the LAN interface).

 

DecryptTraffic-01.png

 

Suggestion:

To reduce noise, filter on the public Client IP address in the FrontEnd capture and on the private Real Server IP addresses in the BackEnd capture.

Enable the packet captures.

 

Step-4.

From the Client, access the Virtual Server (for example, open the application in a browser).

Suggestion:

Make 2 or 3 connections to get more samples; each new TLS handshake produces its own key-log entry.

- The FortiADC CLI will start printing key-log lines, one per handshake.

 

DecryptTraffic-02.png

 

Step-5.

Stop the packet captures and download them.
Copy the lines of the CLI output that start with 'CLIENT_RANDOM' into a text file and save it (e.g. Keys.txt). Each entry must be kept intact on a single line: the 'CLIENT_RANDOM' label, the 64-hex-character client random and the 96-hex-character master secret, separated by single spaces; a line that was wrapped or truncated by the terminal cannot be used. Treat this file as a secret: together with the captures it decrypts real user traffic.

 

DecryptTraffic-03.png

 

Step-6.

Open the packet capture with Wireshark.

From Wireshark go to Edit -> Preferences. This opens the Wireshark Preferences.
In Preferences, expand Protocols and select TLS (in Wireshark releases older than 3.0 the protocol is listed as SSL).
In the TLS preferences, under '(Pre)-Master-Secret log filename', browse to the Keys.txt file.

Select 'OK'.

 

DecryptTraffic-04.png

 

The traffic is now shown decrypted. Open the BackEnd capture with the same key file to compare the request received on the FrontEnd with the one forwarded to the Real Server. Once the analysis is done, disable the debug ('diagnose debug disable') and re-enable WAF and TLS 1.3 on the Virtual Server and SSL profiles.

 

DecryptTraffic-05.png
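Steps 5 and 6 are manual: pick the 'CLIENT_RANDOM' lines out of the debug output and point Wireshark at the file. The script below does the same from a saved copy of the CLI session, as an added example for this article (it is not FortiADC, Fortinet or Wireshark code): it extracts the key-log lines, drops duplicates and lines truncated by the terminal, counts the labels so that any TLS 1.3 entry that slipped past Step 1 is noticed, writes Keys.txt with owner-only permissions, and builds the tshark command equivalent to the Wireshark preference, which is convenient for comparing the FrontEnd and BackEnd captures side by side. It assumes the debug prints keys in the NSS key-log format that Wireshark reads ('CLIENT_RANDOM <client_random> <master_secret>' in hex) interleaved with other debug messages; the sample debug text and its hex values are constructed and are not real keys.

```python
"""Added example for this article (not FortiADC or Fortinet code).

Pulls the key-log lines out of a saved FortiADC debug session, validates and
de-duplicates them, writes Keys.txt, and builds the tshark command that
decrypts a capture with it. Assumes the debug prints keys in the NSS
key-log format Wireshark reads: `CLIENT_RANDOM <client_random> <master_secret>`
in hex, interleaved with other debug messages. SAMPLE_DEBUG below is
constructed for illustration; its hex values are not real session keys.
"""
import re
from collections import Counter
from pathlib import Path

# Labels Wireshark accepts in a key-log file. CLIENT_RANDOM is what this
# procedure relies on (TLS 1.2 and earlier: 32-byte client random, 48-byte
# master secret). The TLS 1.3 labels are recognised only so that such lines
# are not silently dropped if TLS 1.3 was left enabled on an SSL profile.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# A key-log entry anywhere on a debug line; any prefix before it is discarded.
KEYLOG_RE = re.compile(
    r"(?P<label>[A-Z_0-9]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)\b"
)

# Constructed sample of what the CLI prints while the debug is enabled:
# key-log lines mixed with ordinary httproxy messages, one duplicate
# (the same handshake logged twice) and one line truncated by the terminal.
_R1, _S1 = "00112233445566778899aabbccddeeff" * 2, "0123456789abcdef" * 6
_R2, _S2 = "ffeeddccbbaa99887766554433221100" * 2, "fedcba9876543210" * 6
_R3, _S3 = "a5" * 32, "5a" * 20          # secret cut short: 40 hex chars
_R4, _S4 = "c3" * 32, "3c" * 32          # a TLS 1.3 secret (SHA-256 suite)
SAMPLE_DEBUG = f"""\
[httproxy] vs=VS-WEB-443 client 203.0.113.10:51234 -> 198.51.100.20:443 ClientHello
CLIENT_RANDOM {_R1} {_S1}
[ssl-of-httproxy] rs=RS-A1 10.0.0.11:443 ServerHello
CLIENT_RANDOM {_R2} {_S2}
CLIENT_RANDOM {_R1} {_S1}
CLIENT_RANDOM {_R3} {_S3}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {_R4} {_S4}
[httproxy] vs=VS-WEB-443 request GET / forwarded to RS-A1
"""


def extract_keylog(debug_text: str) -> list[str]:
    """Return unique, well-formed key-log lines in the order first seen."""
    seen: set[str] = set()
    lines: list[str] = []
    for raw in debug_text.splitlines():
        m = KEYLOG_RE.search(raw)
        if not m:
            continue
        label, rnd, secret = m.group("label", "random", "secret")
        if label == TLS12_LABEL:
            if len(secret) != 96:       # wrapped or truncated master secret
                continue
        elif label not in TLS13_LABELS:
            continue
        line = f"{label} {rnd} {secret}"
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return lines


def summarize(keylog_lines: list[str]) -> Counter:
    """Count entries per label. Anything but CLIENT_RANDOM means a TLS 1.3
    session slipped through Step 1; it will not decrypt from that line alone."""
    return Counter(line.split(" ", 1)[0] for line in keylog_lines)


def write_keyfile(keylog_lines: list[str], path: str) -> Path:
    """Write Keys.txt readable only by its owner: it decrypts real user traffic."""
    p = Path(path)
    p.write_text("\n".join(keylog_lines) + "\n")
    p.chmod(0o600)
    return p


def tshark_command(pcap: str, keyfile: str, display_filter: str = "http") -> list[str]:
    """argv equivalent of the Wireshark preference in Step 6 (tshark 3.0+),
    printing the HTTP requests and responses so two captures can be diffed."""
    return [
        "tshark", "-r", pcap,
        "-o", f"tls.keylog_file:{keyfile}",
        "-Y", display_filter,
        "-T", "fields",
        "-e", "frame.number", "-e", "ip.src", "-e", "ip.dst",
        "-e", "http.request.method", "-e", "http.request.uri",
        "-e", "http.response.code",
    ]


if __name__ == "__main__":
    keys = extract_keylog(SAMPLE_DEBUG)
    print(f"{len(keys)} usable key-log lines: {dict(summarize(keys))}")
    path = write_keyfile(keys, "Keys.txt")
    for pcap in ("frontend.pcap", "backend.pcap"):
        print(" ".join(tshark_command(pcap, str(path))))
```

Run it against the saved CLI output instead of SAMPLE_DEBUG (read the file and pass its text to extract_keylog), then run the printed tshark commands on the FrontEnd and BackEnd captures; the frame number, addresses, method and URI columns line up the request as the client sent it with the request FortiADC forwarded to the Real Server. A non-zero count under any label other than CLIENT_RANDOM in the summary means TLS 1.3 was still negotiated on one of the SSL profiles.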
