FortiGate
lestopace
Staff
Article Id 223178
Description
This article describes how to decrypt SSL/TLS traffic captured from a Windows machine.
Scope

All FortiGate models and FortiOS firmware versions.

Tested on Windows Server 2016 and Windows 11 Pro.

Solution
  1. Go to This PC, right-click on an empty space, then select Properties.

  2. Select 'Advanced system settings'.

  3. Select 'Environment Variables'.

  4. Select New, then type 'SSLKEYLOGFILE' in the Variable Name field.
    For the Variable Value, first create a file in any location with any preferred name, for example 'sslkeysENV.pms'. In this example, the location selected is 'C:\Users\Administrator\Desktop\'.

    If the file does not already exist, it will be created automatically when it is required.

    Next, in the 'Edit User Variable' dialog box, select 'Browse File' and select the file 'sslkeysENV.pms'.

  5. Select 'OK' until all open dialog windows have been closed.

  6. Start the capture. Do this directly with Wireshark on the client, or start it from FortiGate and enable filters under GUI -> Network -> Packet Capture.

Note: Always perform captures on the interface closest to the client. When proxy features are used on the FortiGate, the keys used between the client and FortiGate and between FortiGate and the server will be different, so the client's key file only decrypts the client-side leg of the session.

Note 2: Make sure to restart the browser before any captures are started. The file should now contain a number of different hexadecimal SECRET strings.
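A quick check of the key file before it is loaded into Wireshark or sent to TAC, as an added example that is not part of the original article: it parses the NSS key log format that SSLKEYLOGFILE produces and reports which sessions Wireshark will be able to decrypt (TLS 1.2 sessions need a CLIENT_RANDOM line; TLS 1.3 sessions need both application traffic secrets). The sample key log is constructed and its hex values are not real secrets.

```python
import re
from collections import defaultdict

TLS12_LABELS = {"CLIENT_RANDOM"}  # labels Wireshark accepts (NSS key log format)
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
                "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# Without both application traffic secrets Wireshark decrypts only the TLS 1.3 handshake.
TLS13_REQUIRED = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <LABEL> <32-byte client random as 64 hex chars> <secret as hex>
LINE_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(lineno, bad_line), ...])."""
    sessions, bad = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) not in TLS12_LABELS | TLS13_LABELS:
            bad.append((lineno, raw))
            continue
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = secret.lower()
    return sessions, bad


def summarize(text):
    """Count sessions Wireshark will be able to decrypt and flag incomplete ones."""
    sessions, bad = parse_keylog(text)
    tls12, tls13, partial = 0, 0, []
    for client_random, labels in sessions.items():
        if "CLIENT_RANDOM" in labels:
            tls12 += 1
        elif TLS13_REQUIRED.issubset(labels):
            tls13 += 1
        else:
            partial.append(client_random)
    return {"tls12": tls12, "tls13": tls13, "tls13_partial": partial, "bad_lines": bad}


SAMPLE_KEYLOG = "\n".join([  # constructed sample; the hex values are made up, not real secrets
    "# constructed sample, not captured from a real browser",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "77" * 32,  # handshake only
    "garbage line that Wireshark would reject",
])
```

Run `summarize(open(path).read())` against the real key file; a session listed under `tls13_partial` is typically one the browser had not finished when the capture stopped, and a non-empty `bad_lines` usually means something other than a browser wrote into the file.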

  7. Generate TLS/SSL traffic by visiting any website, then download the capture and open it in Wireshark. Google Chrome is recommended for this, but any browser or application that supports the SSLKEYLOGFILE variable can be used. This includes current versions of Chrome, Firefox, and Edge, as well as many third-party applications.

  8. Download the capture from FortiGate if needed. After opening the capture in Wireshark, go to Edit -> Preferences.

  9. Under 'Protocols', find and select 'TLS' (Transport Layer Security).

  10. Under '(Pre)-Master-Secret log filename', select 'Browse' and choose the TLS key file, then select 'OK'.

    At this stage, the TLS/SSL traffic will have been decrypted successfully.

If issues occur, open a case with the TAC team for further assistance.

When providing files to Fortinet TAC, provide both the key file and the requested capture. Keep in mind that all of the captured traffic in the pcap may be decrypted with it.

  11. Remember to remove the environment variable after troubleshooting, for security reasons: while it is set, every supporting application on the machine keeps writing its TLS session secrets to the file.