ametkola (Staff)
Article Id 348147
Description: This article describes the behavior of mTLS traffic when deep inspection is used.
Scope: FortiGate.
Solution

The topology below is an example of SSL inspection on a flow that uses mTLS. The FortiGate is set up as an explicit proxy, receiving the client connection on port 8025 and sending the request out on port 443.
FortiGate is configured to perform deep inspection; the traffic flow uses mTLS, and the client certificate is verified by the remote download server.


[Topology diagram: UseKB.png]


The connection is performed from the download device to the FortiGate on port 8025.

1.1.1.1 --> 2.2.2.2.


The outside leg is from the FortiGate to the external server on port 443.

3.3.3.3 --> 4.4.4.4.


First attempt:


1 13:32:42.541490 1.1.1.1 2.2.2.2 TCP 0 56966 74 0.000000000 65535 56966 → 8025 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM TSval=926975809 TSecr=0 WS=64
2 13:32:42.541611 2.2.2.2 1.1.1.1 TCP 546238214 8025 74 0.000121000 28960 8025 → 56966 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM TSval=794870138 TSecr=926975809 WS=128
3 13:32:42.542044 1.1.1.1 2.2.2.2 TCP 3476181127 56966 66 0.000433000 263488 56966 → 8025 [ACK] Seq=1 Ack=1 Win=263488 Len=0 TSval=926975811 TSecr=794870138
4 13:32:42.542154 1.1.1.1 2.2.2.2 HTTP 3476181127 56966 180 0.000110000 114 263488 CONNECT example.com:443 HTTP/1.0
5 13:32:42.542166 2.2.2.2 1.1.1.1 TCP 546238328 8025 66 0.000012000 29056 8025 → 56966 [ACK] Seq=1 Ack=115 Win=29056 Len=0 TSval=794870139 TSecr=926975811

6 13:32:42.583285 3.3.3.3 4.4.4.4 TCP 0 17092 74 0.041119000 29200 17092 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=2309618753 TSecr=0 WS=512
7 13:32:42.588963 4.4.4.4 3.3.3.3 TCP 2153803200 443 74 0.005678000 26847 443 → 17092 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1460 SACK_PERM TSval=424535706 TSecr=2309618753 WS=256
8 13:32:42.589061 3.3.3.3 4.4.4.4 TCP 4211724507 17092 66 0.000098000 29696 17092 → 443 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=2309618759 TSecr=424535706

9 13:32:42.589368 2.2.2.2 1.1.1.1 HTTP 546238328 8025 138 0.000307000 72 29056 HTTP/1.0 200 Connection established
10 13:32:42.590068 1.1.1.1 2.2.2.2 TLSv1.2 3476181199 56966 256 0.000700000 190 263488 Client Hello (SNI=example.com)
11 13:32:42.590101 2.2.2.2 1.1.1.1 TCP 546238518 8025 66 0.000033000 30080 8025 → 56966 [ACK] Seq=73 Ack=305 Win=30080 Len=0 TSval=794870187 TSecr=926975859

12 13:32:42.591490 3.3.3.3 4.4.4.4 TLSv1.2 4211724507 17092 254 0.001389000 188 29696 Client Hello (SNI=example.com)
13 13:32:42.596800 4.4.4.4 3.3.3.3 TCP 2153803388 443 66 0.005310000 28160 443 → 17092 [ACK] Seq=1 Ack=189 Win=28160 Len=0 TSval=424535714 TSecr=2309618761
14 13:32:42.597042 4.4.4.4 3.3.3.3 TLSv1.2 2153803388 443 1514 0.000242000 1448 28160 Server Hello

18 13:32:42.598235 4.4.4.4 3.3.3.3 TLSv1.2 2153803388 443 1434 0.001104000 1368 28160 Certificate, Server Key Exchange, Certificate Request, Server Hello Done
19 13:32:42.598250 3.3.3.3 4.4.4.4 TCP 4211728771 17092 66 0.000015000 37888 17092 → 443 [ACK] Seq=189 Ack=4265 Win=37888 Len=0 TSval=2309618768 TSecr=424535715

20 13:32:42.604555 2.2.2.2 1.1.1.1 TCP 546238518 8025 1514 0.006305000 1448 30080 8025 → 56966 [ACK] Seq=73 Ack=305 Win=30080 Len=1448 TSval=794870201 TSecr=926975859 [TCP PDU reassembled in 21]
21 13:32:42.604615 2.2.2.2 1.1.1.1 TLSv1.2 546238518 8025 505 0.000060000 1887 30080 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done

27 13:32:42.612090 1.1.1.1 2.2.2.2 TLSv1.2 3476183086 56966 1515 0.004985000 2896 263488 Certificate, Client Key Exchange
28 13:32:42.612135 2.2.2.2 1.1.1.1 TCP 546244310 8025 66 0.000045000 41728 8025 → 56966 [ACK] Seq=1960 Ack=6097 Win=41728 Len=0 TSval=794870209 TSecr=926975875
29 13:32:42.612565 1.1.1.1 2.2.2.2 TLSv1.2 3476183086 56966 160 0.000430000 94 263488 Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

30 13:32:42.613269 3.3.3.3 4.4.4.4 TCP 4211728771 17092 66 0.000704000 37888 17092 → 443 [FIN, ACK] Seq=189 Ack=4265 Win=37888 Len=0 TSval=2309618783 TSecr=424535715

31 13:32:42.613417 2.2.2.2 1.1.1.1 TCP 546244404 8025 66 0.000148000 41728 8025 → 56966 [RST, ACK] Seq=1960 Ack=6191 Win=41728 Len=0 TSval=794870210 TSecr=926975880


The second connection attempt works; the Wireshark output is below.


34 13:32:44.705128 1.1.1.1 2.2.2.2 TCP 0 63422 74 2.086377000 65535 63422 → 8025 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM TSval=926977973 TSecr=0 WS=64
35 13:32:44.705224 2.2.2.2 1.1.1.1 TCP 1301001092 8025 74 0.000096000 28960 8025 → 63422 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM TSval=794872302 TSecr=926977973 WS=128
36 13:32:44.705625 1.1.1.1 2.2.2.2 TCP 2804143357 63422 66 0.000401000 263488 63422 → 8025 [ACK] Seq=1 Ack=1 Win=263488 Len=0 TSval=926977975 TSecr=794872302
37 13:32:44.705757 1.1.1.1 2.2.2.2 HTTP 2804143357 63422 180 0.000132000 114 263488 CONNECT example.com:443 HTTP/1.0
38 13:32:44.705777 2.2.2.2 1.1.1.1 TCP 1301001206 8025 66 0.000020000 29056 8025 → 63422 [ACK] Seq=1 Ack=115 Win=29056 Len=0 TSval=794872302 TSecr=926977975

39 13:32:44.706053 3.3.3.3 4.4.4.4 TCP 0 17094 74 0.000276000 29200 17094 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=2309620876 TSecr=0 WS=512
40 13:32:44.711695 4.4.4.4 3.3.3.3 TCP 2487914683 443 74 0.005642000 26847 443 → 17094 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1460 SACK_PERM TSval=424537829 TSecr=2309620876 WS=256
41 13:32:44.711731 3.3.3.3 4.4.4.4 TCP 1229547458 17094 66 0.000036000 29696 17094 → 443 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=2309620881 TSecr=424537829

42 13:32:44.711871 2.2.2.2 1.1.1.1 HTTP 1301001206 8025 138 0.000140000 72 29056 HTTP/1.0 200 Connection established
43 13:32:44.712456 1.1.1.1 2.2.2.2 TLSv1.2 2804143429 63422 256 0.000585000 190 263488 Client Hello (SNI=example.com)

44 13:32:44.712941 3.3.3.3 4.4.4.4 TLSv1.2 1229547458 17094 256 0.000485000 190 29696 Client Hello (SNI=example.com)
45 13:32:44.718271 4.4.4.4 3.3.3.3 TCP 2487914873 443 66 0.005330000 28160 443 → 17094 [ACK] Seq=1 Ack=191 Win=28160 Len=0 TSval=424537835 TSecr=2309620883
46 13:32:44.718523 4.4.4.4 3.3.3.3 TLSv1.2 2487914873 443 1514 0.000252000 1448 28160 Server Hello


50 13:32:44.718937 2.2.2.2 1.1.1.1 TLSv1.2 1301001396 8025 1514 0.000367000 1448 30080 Server Hello
51 13:32:44.718973 2.2.2.2 1.1.1.1 TCP 1301001396 8025 1514 0.000036000 2896 30080 8025 → 63422 [PSH, ACK] Seq=1521 Ack=305 Win=30080 Len=1448 TSval=794872316 TSecr=926977981 [TCP PDU reassembled in 55]
52 13:32:44.719425 1.1.1.1 2.2.2.2 TCP 2804146325 63422 66 0.000452000 260608 63422 → 8025 [ACK] Seq=305 Ack=2969 Win=260608 Len=0 TSval=926977988 TSecr=794872316

53 13:32:44.720024 4.4.4.4 3.3.3.3 TLSv1.2 2487914873 443 1434 0.000599000 1368 28160 Certificate, Server Key Exchange, Certificate Request, Server Hello Done
54 13:32:44.720036 3.3.3.3 4.4.4.4 TCP 1229551722 17094 66 0.000012000 37888 17094 → 443 [ACK] Seq=191 Ack=4265 Win=37888 Len=0 TSval=2309620890 TSecr=424537837

55 13:32:44.720579 2.2.2.2 1.1.1.1 TLSv1.2 1301001396 8025 1434 0.000543000 1368 30080 Certificate, Server Key Exchange, Certificate Request, Server Hello Done

63 13:32:44.727881 1.1.1.1 2.2.2.2 TLSv1.2 2804147693 63422 1515 0.004660000 2896 263488 Certificate, Client Key Exchange
64 13:32:44.727896 2.2.2.2 1.1.1.1 TCP 1301007188 8025 66 0.000015000 41728 8025 → 63422 [ACK] Seq=4337 Ack=6097 Win=41728 Len=0 TSval=794872324 TSecr=926977992

65 13:32:44.728110 3.3.3.3 4.4.4.4 TLSv1.2 1229551722 17094 1515 0.000214000 5792 37888 Certificate, Client Key Exchange

66 13:32:44.728311 1.1.1.1 2.2.2.2 TLSv1.2 2804147693 63422 160 0.000201000 94 263488 Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

67 13:32:44.728408 3.3.3.3 4.4.4.4 TLSv1.2 1229551722 17094 160 0.000097000 5886 37888 Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

71 13:32:44.736578 4.4.4.4 3.3.3.3 TLSv1.2 2487920759 443 117 0.000456000 51 84736 Change Cipher Spec, Encrypted Handshake Message

72 13:32:44.736756 2.2.2.2 1.1.1.1 TLSv1.2 1301007282 8025 117 0.000178000 51 41728 Change Cipher Spec, Encrypted Handshake Message
73 13:32:44.737570 1.1.1.1 2.2.2.2 TLSv1.2 2804147744 63422 337 0.000814000 271 263488 Application Data


Every time the server is accessed, the first attempt fails and the next attempt works. The packet capture shows that on the first attempt FortiGate does not send a 'Client Key Exchange' to the server, but on the second attempt it does.
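The first-attempt/second-attempt pattern above can be checked mechanically. The script below is an added example, not part of the article: it reads a Wireshark text export in the column layout shown above (frame number, time, source, destination, protocol, further columns, then the info text), groups the outside-leg frames into attempts and flags an attempt in which the server sent a Certificate Request but the inspecting proxy closed the connection instead of sending Client Key Exchange; the addresses and sample frames are the article's own, with trailing TCP options trimmed, and the export is assumed to be in chronological order.

```python
PROXY_OUT, SERVER = "3.3.3.3", "4.4.4.4"   # outside leg of the capture above

# Frames copied from the two captures above (same example addresses, options trimmed).
SAMPLE = """
6 13:32:42.583285 3.3.3.3 4.4.4.4 TCP 0 17092 74 0.041119000 29200 17092 → 443 [SYN] Seq=0 Win=29200 Len=0
18 13:32:42.598235 4.4.4.4 3.3.3.3 TLSv1.2 2153803388 443 1434 0.001104000 1368 28160 Certificate, Server Key Exchange, Certificate Request, Server Hello Done
30 13:32:42.613269 3.3.3.3 4.4.4.4 TCP 4211728771 17092 66 0.000704000 37888 17092 → 443 [FIN, ACK] Seq=189 Ack=4265 Win=37888 Len=0
39 13:32:44.706053 3.3.3.3 4.4.4.4 TCP 0 17094 74 0.000276000 29200 17094 → 443 [SYN] Seq=0 Win=29200 Len=0
53 13:32:44.720024 4.4.4.4 3.3.3.3 TLSv1.2 2487914873 443 1434 0.000599000 1368 28160 Certificate, Server Key Exchange, Certificate Request, Server Hello Done
65 13:32:44.728110 3.3.3.3 4.4.4.4 TLSv1.2 1229551722 17094 1515 0.000214000 5792 37888 Certificate, Client Key Exchange
71 13:32:44.736578 4.4.4.4 3.3.3.3 TLSv1.2 2487920759 443 117 0.000456000 51 84736 Change Cipher Spec, Encrypted Handshake Message
"""

def frames(text, proxy=PROXY_OUT, server=SERVER):
    """Yield (frame_no, src, whole_line) for frames on the proxy<->server leg only."""
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) >= 5 and p[0].isdigit() and {p[2], p[3]} == {proxy, server}:
            yield int(p[0]), p[2], line

def analyse(text, proxy=PROXY_OUT, server=SERVER):
    """Split the outside leg into attempts (each proxy->server SYN starts one) and
    classify each attempt. Frames are assumed chronological, as in the export."""
    attempts = []
    for no, src, line in frames(text, proxy, server):
        if src == proxy and "[SYN]" in line:
            attempts.append({"frame": no, "cert_request": False, "cke": False,
                             "closed": False, "finished": False})
        elif attempts:
            a = attempts[-1]
            a["cert_request"] |= src == server and "Certificate Request" in line
            a["cke"] |= src == proxy and "Client Key Exchange" in line
            a["closed"] |= src == proxy and ("[FIN" in line or "[RST" in line)
            a["finished"] |= src == server and "Change Cipher Spec" in line
    return [(a["frame"], verdict(a)) for a in attempts]

def verdict(a):
    if not a["cert_request"]:
        return "no client certificate requested"
    if a["cke"] and a["finished"]:
        return "mTLS handshake completed"
    if a["closed"] and not a["cke"]:
        # First attempt above: a MITM cannot sign Certificate Verify without the client's private key.
        return "mTLS handshake aborted by inspecting proxy"
    return "incomplete"

if __name__ == "__main__":
    for frame, v in analyse(SAMPLE):
        print(f"attempt starting at frame {frame}: {v}")
```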

With certificate inspection instead of deep inspection, the connection works.


Note: Deep inspection as a MITM (man in the middle) is not supported for mTLS sessions. The first connection lets FortiGate learn that the client/server pair uses mTLS, so the second connection bypasses deep inspection.

If this is crucial to the environment, it is advised to open an NFR (New Feature Request) for MITM support of mTLS traffic.