| Description | This article describes an expected behavior in which the FortiGate's fnbamd daemon (which handles authentication and certificate validation) makes HTTP (TCP/80) and HTTPS (TCP/443) connections out to the Internet. |
| Scope | FortiGate. |
| Solution |
In some cases, the fnbamd daemon on the FortiGate can be observed making intermittent HTTP or HTTPS connections to the Internet. For example, the FortiGate may generate local-out traffic logs for HTTP traffic to the Internet, and the output of diagnose sys tcpsock may show that these local-out connections correspond to sockets held by fnbamd. In the example below the session ends with action=timeout (sentpkt=1, rcvdpkt=0) and the socket is still in the syn_send state: the SYN left the FortiGate but no reply was received, so the fetch never completed.
Example local-out log output:
action=timeout app=HTTP bid=53422143 date=2025-12-30 devid=FGXXXXXXXXXXXXXX devname=FGT_Example dstcountry=United States dstepid=101 dsteuid=3 dstintf=Tun_Example dstintfrole=undefined dstip=23.14.142.89 dstport=80 duration=10 dvid=1063 epid=2138 euid=3 eventtime=1767125408737364569 hostname=unknown id=7589745839594012729 itime=1767125409 level=notice logdesc= logid=0001000014 logver=704092829 msg= policyid=0 proto=6 rcvdbyte=0 rcvdpkt=0 sent_rcvd_bytes=60B/0B sentbyte=60 sentpkt=1 service=HTTP sessionid=389848416 sn=unknown srccountry=Reserved srcintf=root srcintfrole=undefined srcip=192.168.200.1 srcport=12835 subtype=local time=14:10:09 trandisp=noop type=traffic tz=-0600 vd=root vpntype=ipsecvpn
Example debug output:
FortiGate # diagnose sys tcpsock | grep fnbamd
[...]
192.168.200.1:12835->23.14.142.89:80->state=syn_send err=0 socktype=1 rma=0 wma=1856 fma=-1856 tma=0 inode=885691789 process=234/fnbamd
[...]
One reason for the fnbamd daemon to make HTTP/HTTPS requests out to the Internet is because of the Authority Information Access (AIA) extension for X.509 certificates, which is an optional extension that is defined in RFC 5280. As a primer, the AIA extension may be included in end-entity or certificate-authority (CA) certificates, and per the RFC it 'indicates how to access information and services for the issuer of the certificate in which the extension appears'.
In other words, this extension tells a relying party how to obtain the CA certificate that issued the certificate being validated when that CA certificate is not already in the local certificate store (the id-ad-caIssuers access method), and where to reach an Online Certificate Status Protocol (OCSP) responder for it (the id-ad-ocsp access method). Each entry pairs an access method with an access location; in practice the location is a Uniform Resource Identifier (URI) that the client (in this case, fnbamd) uses to download the issuing CA certificate. The URI scheme is not restricted by the RFC, but the schemes seen in practice are LDAP, HTTP**, and FTP.
**HTTPS MAY be used instead of unencrypted HTTP, but this appears to be very uncommon for AIA-related URIs.
The fnbamd daemon uses the AIA URIs whenever it needs to obtain a certificate while building and verifying a certificate chain (for example during SSL certificate inspection, or when performing certificate-based authentication). The downloaded certificate is not trusted simply because it was fetched: it still has to chain up to a CA already trusted by the FortiGate, which is why an unencrypted HTTP location is acceptable. Critically, fnbamd follows the URI exactly as written in the extension, so an http:// URI results in an outgoing request on TCP/80 and an https:// URI in a request on TCP/443; if that local-out traffic is blocked, the request times out as in the example log above.
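The AIA structure described above, as an added example that is not part of the Fortinet article: a minimal standard-library DER codec that encodes and decodes an AuthorityInfoAccess value (SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }) and then works out, for each URI-form location, which host and port a relying party such as fnbamd would have to connect to. The OIDs are the RFC 5280 values; every hostname and URI in the sample is constructed for illustration.

```python
"""Added example (not from the Fortinet article): encode/decode an X.509
AuthorityInfoAccess extension value (RFC 5280 section 4.2.2.1) with a
minimal DER codec and derive the outbound connection each URI implies.
Standard library only; all hostnames/URIs below are constructed."""
from urllib.parse import urlsplit

# accessMethod OIDs defined in RFC 5280 section 4.2.2.1
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers
OID_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp
ACCESS_METHODS = {OID_CA_ISSUERS: "caIssuers", OID_OCSP: "ocsp"}

# IANA default ports, used when the URI carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636, "ftp": 21}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86   # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def der_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]              # least significant 7 bits, no continuation bit
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))      # emit most significant group first
    return tlv(TAG_OID, bytes(body))


def encode_aia(entries):
    """entries: iterable of (accessMethod OID, URI) -> DER of
    AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription."""
    descs = b"".join(
        tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries)
    return tlv(TAG_SEQUENCE, descs)


def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_aia(der):
    """Return [(accessMethod name or dotted OID, accessLocation tag, raw location)]."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    pos, out = 0, []
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        _, oid_body, after_oid = read_tlv(desc, 0)
        loc_tag, loc_body, _ = read_tlv(desc, after_oid)
        oid = decode_oid(oid_body)
        out.append((ACCESS_METHODS.get(oid, oid), loc_tag, loc_body))
    return out


def fetch_targets(der):
    """For each URI-form accessLocation, the host/port a client must connect to.
    Other GeneralName forms are skipped; the URI is used exactly as written."""
    targets = []
    for method, loc_tag, loc in decode_aia(der):
        if loc_tag != TAG_URI:
            continue
        uri = loc.decode("ascii")
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        targets.append({"method": method, "uri": uri, "scheme": scheme,
                        "host": parts.hostname,
                        "port": parts.port or DEFAULT_PORTS.get(scheme)})
    return targets


# Constructed sample: the usual mix of caIssuers and OCSP locations.
SAMPLE_AIA = encode_aia([
    (OID_CA_ISSUERS, "http://cacerts.example.com/issuing-ca.crt"),
    (OID_OCSP, "http://ocsp.example.com"),
    (OID_CA_ISSUERS, "https://aia.example.com:8443/issuing-ca.crt"),
    (OID_CA_ISSUERS, "ldap://ldap.example.com/CN=IssuingCA?cACertificate"),
])

if __name__ == "__main__":
    for t in fetch_targets(SAMPLE_AIA):
        print(f"{t['method']:10} {t['scheme']:6} {t['host']}:{t['port']}  <- {t['uri']}")
```

Running the block prints one line per location, which is the list of destinations (and therefore the local-out sessions) you should expect to see from fnbamd for a certificate carrying that extension; to inspect a real certificate, feed the extension value extracted from it to decode_aia in the same way.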
Note on controlling the outgoing interface used by fnbamd: As with other local-out services on the FortiGate (see also: Local Out Traffic), fnbamd by default follows the routing table to reach the URI specified in the Authority Information Access extension (after resolving any FQDN to an IP address via DNS). Where the FortiGate has multiple equal-cost routes to that destination, fnbamd's outgoing connection can be routed out a sub-optimal interface (such as a backup WAN link or an SD-WAN-enabled IPsec tunnel interface).
To control this, use the interface-select-method option found under config vpn certificate setting (which can be set on a per-VDOM basis):
config vpn certificate setting
    set source-ip <ip_address>                               <--- Sets the source IP for outgoing connections (does not influence the outgoing interface).
    set interface-select-method [ auto | sdwan | specify ]
    set interface <interface_name>                           <--- Only present when using the 'specify' method.
end
Related documents:
Technical Tip: How to avoid local out traffic issues
IETF RFC 5280 - Section 4.2.2.1
Designing CRL Distribution Points and Authority Information Access locations |
Copyright 2026 Fortinet, Inc. All Rights Reserved.