FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lmateus
Staff
Staff
Description
Since FortiOS 5.0.3, when configured to not do HTTPS deep scan (no man in the middle) SSL inspection has been improved

Now, FortiOS checks also the server name in the client Hello from the SSL negotiation. This is called SNI/CN method (Server Name Inspection and Common Name)

FortiOS parses TLS server name indication (SNI) from TSL Client Hello. When this value has been retrieved, it will be used for non-deep web filtering inspection, in preference to the existing HTTPS Server CN web filtering.


In details:

When Deep-Scan is disabled, URL filtering for HTTPS sessions should proceed as follows:

1. Extract the hostname from the "Server Name" extension in the "Client Hello" message of the TLS handshake.

2. If a valid hostname is found in step 1, use the hostname for local or FortiGuard category query.

3. If not, proceed with CN based web filtering query as implemented in previous versions



When configured for SNI/CN, the real HTTPS server certificate will be presented to the client for allowed URLs. The Fortigate certificate will be presented in the blocked pages replacement message, but the fortigate does not do man in the middle.

Also, when "block-invalid-hostname" option is enabled in webfilter profile, if an invalid hostname is found in the "Client Hello" server name value (certificate inspection mode only), the request will be blocked and logged.
Contributors