mricardez
Staff
Article Id 247749
Description This article describes how to create a custom IPS signature that blocks an HTTPS connection, or any other TLS connection, based on the SNI (Server Name Indication) extension the client sends during the TLS handshake.
Scope FortiGate v7.0 and earlier.
Solution

FortiOS can block a connection with an IPS profile on the first packet of the TLS handshake, the Client Hello.

 

The block can be performed with an SSL/SSH inspection profile in 'certificate-inspection' mode, because the SNI is a clear-text field of the TLS handshake; no full decryption (deep inspection) is needed to read it.

 

After the TCP three-way handshake completes, the client starts the TLS negotiation; its first message is the 'Client Hello'.

This message carries the SNI extension in clear text, so the IPS engine can inspect it and FortiOS can take an action, for example block the connection.


The following topology is the test bed for the custom IPS signature, where 192.168.70.111 is the HTTPS server.


The custom IPS signature is as follows; the pattern it matches is 'www.markoz.com' in the SSL (TLS) Client Hello sent by the client.

 

F-SBID(--name "SNI.www.markoz.com"; --service SSL; --flow from_client; --pattern "www.markoz.com"; --no_case; --context packet;)

 

The signature can also be created from the GUI: go to Security Profiles -> IPS Signatures and select 'Create New'.


Create an IPS profile and add the custom IPS signature to it:


Associate the IPS profile with the firewall policy that carries the traffic:


Testing with an HTTPS client:

From a test PC, use the curl tool to open an HTTPS connection to the server.

The HTTPS connection hangs right after the TLS Client Hello message is sent.


A packet capture confirms that the connection is blocked after the FortiGate receives the TLS Client Hello on the ingress interface 'Vlan10'.


The FortiGate IPS log shows the custom IPS signature match and the dropped HTTPS connection.


Related document:

Creating IPS and application control signatures

Comments
vweis
Staff

Help me understand the use-case for this?
How is this different than just using the Web Filter security profile in conjunction with certificate inspection?

Doesn't that accomplish the same thing?