Description | This article describes new SSL logging options that provide more details about inspected SSL connections. |
Scope | FortiGate running FortiOS 6.4.0+ and 7.0.1+ |
Solution |
In FortiOS 6.4.0, a new option “set ssl-negotiation-log {enable | disable}” was added to the SSL/SSH profile option set. This new option captures results of unsupported SSL negotiations.
To log unsupported SSL negotiation:

    config firewall ssl-ssh-profile
        edit <name>
            set ssl-negotiation-log {enable | disable}
        next
    end
Please see the link below for reference:
Starting in FortiOS 7.0.1, new options have been added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled.
    config firewall ssl-ssh-profile
        edit <name>
            set ssl-server-cert-log {enable | disable}
            set ssl-handshake-log {enable | disable}
        next
    end
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/183724/enhance-tls-logging-7-0-1 https://docs.fortinet.com/document/fortigate/7.0.1/fortios-log-message-reference/172065/whats-new
The options added in FortiOS 7.0.1 are particularly helpful when a customer needs further details for reporting purposes, such as the TLS version, key exchange, SNI, SAN, and certificate issuer. These new fields are added to the raw logs and can also be displayed in the GUI. To see them in the GUI, navigate to “Log & Report”, select SSL, then hover over the title row and click the gear icon to customize the columns, as shown in the image below.
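The added fields are most useful once they are pulled out of the raw logs and aggregated, for example to report which protocol versions and certificate issuers are in use across a site. The following Python is an added example, not Fortinet code and not part of this article: it parses FortiGate-style key=value log lines (handling quoted values with escaped characters) and builds a TLS summary, flagging connections that negotiated SSLv3, TLS 1.0 or TLS 1.1. The log lines are constructed, and the field keys tlsver, kxproto, sni, san and issuer are assumed names used for illustration; confirm the real keys against the FortiOS log message reference linked above.

```python
import re
from collections import Counter

# Constructed sample UTM SSL log lines in FortiGate's key=value syslog style.
# Field names tlsver, kxproto, sni, san and issuer are assumptions for this
# example; verify them against the FortiOS log message reference.
SAMPLE_LOGS = [
    'date=2024-03-01 time=09:15:01 type="utm" subtype="ssl" level="warning" '
    'srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="blocked" '
    'tlsver="TLSv1.0" kxproto="RSA" sni="legacy.example.com" '
    'san="legacy.example.com" issuer="CN=Example Legacy CA"',
    'date=2024-03-01 time=09:15:07 type="utm" subtype="ssl" level="notice" '
    'srcip=10.0.0.7 dstip=203.0.113.20 dstport=443 action="passthrough" '
    'tlsver="TLSv1.3" kxproto="ECDHE" sni="app.example.com" '
    'san="app.example.com,www.example.com" issuer="CN=Example Root CA, O=Example"',
    'date=2024-03-01 time=09:15:09 type="utm" subtype="ssl" level="notice" '
    'srcip=10.0.0.9 dstip=203.0.113.30 dstport=8443 action="passthrough" '
    'tlsver="TLSv1.2" kxproto="ECDHE" sni="api.example.com" '
    'san="api.example.com" issuer="CN=Example Root CA, O=Example"',
]

# One key=value token: the value is either double-quoted (may contain spaces
# and backslash-escaped characters) or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Protocol versions that should not appear in a modern reporting baseline.
LEGACY_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_fortigate_log(line):
    """Parse one FortiGate-style key=value log line into a dict.

    Quoted values have their surrounding quotes and backslash escapes removed.
    """
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def tls_report(lines):
    """Summarise TLS version, key exchange and issuer usage across SSL UTM logs.

    Returns a dict of per-field counters plus a list of (sni, tlsver) pairs
    for connections that negotiated a legacy protocol version. Records that
    are not type=utm subtype=ssl are skipped so a mixed syslog feed is fine.
    """
    versions, kx, issuers = Counter(), Counter(), Counter()
    legacy = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "ssl":
            continue
        ver = rec.get("tlsver", "unknown")
        versions[ver] += 1
        kx[rec.get("kxproto", "unknown")] += 1
        issuers[rec.get("issuer", "unknown")] += 1
        if ver in LEGACY_VERSIONS:
            # Fall back to the destination IP when no SNI was logged.
            legacy.append((rec.get("sni", rec.get("dstip", "?")), ver))
    return {"versions": versions, "key_exchange": kx,
            "issuers": issuers, "legacy": legacy}


if __name__ == "__main__":
    report = tls_report(SAMPLE_LOGS)
    for name in ("versions", "key_exchange", "issuers"):
        print(name, dict(report[name]))
    for sni, ver in report["legacy"]:
        print(f"legacy protocol {ver} negotiated with {sni}")
```

Feeding the script exported raw logs instead of SAMPLE_LOGS gives a quick inventory of protocol versions and issuers per site; the legacy list is the part worth reviewing first, since those are the connections that could not use a current TLS version.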
Copyright 2024 Fortinet, Inc. All Rights Reserved.