This article explains a way to decrypt traffic on connections to VS working in Layer-7, to analyze the traffic hitting FortiADC and the traffic sent to Real Servers.

Topology:

                                                              RS-A1

Client  (Internet)     ==> FADC ==>|

                                                              RS-A2

Compare the traffic received by FortiADC and the traffic sent to the Real Servers.

Step-1.

Disable WAF security on the configuration of the Virtual Server.
Disable TLS-1.3 from ‘Client SSL Profile’ and ‘Real Server SSL Profile’.

Step-2.

Prepare the next debug filtering the name of the Virtual Server.

# diagnose debug module httproxy set-filter vsname=<VirtualServer_name>

# diagnose debug module httproxy ssl_ae_info

# diagnose debug module ssl-of-httproxy all set

# diagnose debug enabl

Step-3.

Prepare the packet capture in GUI filtering the FrontEnd interface (e.g. WAN interface) and BackEnd interface (e.g. LAN interface).

Suggestion:

It is possible to filter the public Client IP-address on the FrontEnd capture and the private RealServer IP-addresses in the BackEnd capture.

Enable the Packet Captures.

Step-4.

From the Client, get access to the Virtual Server.

Suggestion:

Try to do 2 or 3 connections to get more samples.

- The CLI of FortiADC will start to output a string of characters.

Step-5.

Stop the packet capture and download them.
Copy and Paste the output of strings from CLI that start from ‘CLIENT_RANDOM’ into a TXT file, and save the file (e.g. Keys.txt).

Step-6.

Open the packet capture with WirSshark.

From WireShark go to Edit -> Preferences.  It will open the WireShark Preferences.
From preferences, select Protocol and search TLS.
From TLS preference into ‘(Pre)-Master-Secret log filename’ browse the Keys.txt file.

Select ‘OK'.

Traffic will be decrypted.