Created on 04-12-2020 08:16 AM
Edited on 11-30-2023 12:09 AM
By Jean-Philippe_P
Description
This article describes the case where, with a proxy-based policy, the TCP 3-way handshake between the client and the FortiGate is completed even when the 3-way handshake between the FortiGate and the server never completes: the proxy answers the client's SYN itself, before the server has been reached.
With the command 'set proxy-after-tcp-handshake enable', the TCP 3-way handshake is initially handled by the IPS engine instead of the proxy.
Only once the handshake with the server has been established does the FortiGate reconstruct the sockets and redirect the session back to the proxy.
This article describes how to enable the proxy after the TCP handshake.
This feature is supported on FortiOS v6.4 and later versions.
Solution
To enable the command in an SSL/SSH profile (the setting is per-protocol; the HTTPS sub-table is shown here):
config firewall ssl-ssh-profile
    edit "test"
        config https
            set ports 443
            set status certificate-inspection
            set proxy-after-tcp-handshake enable   <--
        end
    next
end
To enable the command in a protocol options profile (the HTTP sub-table is shown here):
config firewall profile-protocol-options
    edit "test"
        config http
            set ports 80
            set proxy-after-tcp-handshake enable   <--
            unset options
            unset post-lang
        end
    next
end
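To confirm which behaviour a policy exhibits from the client side, the following probe (an added example, not part of the Fortinet article) attempts a TCP connect to a server behind the FortiGate that is known to be down. It assumes the probing host is on the client side of the proxy-based policy and that TARGET is a placeholder address you replace with such a server: if connect() still succeeds, the proxy completed the handshake on the server's behalf; if it fails or times out, the handshake is only completed once the real server answers.

```python
"""Client-side probe for proxy-completed TCP handshakes (added example).

Assumptions (not from the article): this host is on the client side of a
FortiGate proxy-based policy, and the target server is known to be down.
"""
import socket
import time


def probe_handshake(host: str, port: int, timeout: float = 5.0) -> dict:
    """Attempt a TCP connect and report whether the 3-way handshake completed.

    Returns {'completed': bool, 'elapsed': seconds, 'error': str | None}.
    A completed handshake only proves that *something* answered the SYN;
    interpret() decides what that means given knowledge of the server state.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return {"completed": True, "elapsed": time.monotonic() - start, "error": None}
    except OSError as exc:  # socket.timeout is an OSError subclass in Python 3
        return {"completed": False, "elapsed": time.monotonic() - start, "error": repr(exc)}
    finally:
        sock.close()


def interpret(result: dict, server_known_down: bool) -> str:
    """Map a probe result to what it implies about proxy-after-tcp-handshake.

    Only conclusive when the server is known to be down: a completed handshake
    then can only have been answered by the FortiGate proxy.
    """
    if not server_known_down:
        return "inconclusive: server reachable, both settings complete the handshake"
    if result["completed"]:
        return "proxy completed handshake on behalf of server (proxy-after-tcp-handshake disabled)"
    return "no handshake without server (proxy-after-tcp-handshake enabled, or traffic not proxied)"


if __name__ == "__main__":
    # TARGET is a placeholder (TEST-NET-1); replace with a down host behind the FortiGate.
    TARGET = ("192.0.2.10", 443)
    res = probe_handshake(*TARGET)
    print(res)
    print(interpret(res, server_known_down=True))
```

Run it once before and once after enabling the setting; the first run should report a proxy-completed handshake and the second a failed connect, with the elapsed time showing whether the client waited on the server.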
Copyright 2025 Fortinet, Inc. All Rights Reserved.