Created on 01-26-2021 09:59 PM Edited on 01-28-2024 09:13 PM By Anthony_E
Description
This article describes why the local traffic log can show HTTPS connections to public IP addresses with the WAN interface IP as the source, and explains the feature behind this behavior.
Scope
FortiGate.
Solution
From FortiOS 6.2 onwards, the FortiGate initiates this traffic itself: the IPS engine sends TLS 1.3 probes to the destination, and this is expected behavior.
Several configurations can trigger these probing requests, for example an SSL inspection profile that requires SSL exemption or certificate verification, or a web filter or application control profile enabled on a policy.
The debug commands below show the traffic generated by the IPS engine:
diagnose ips debug enable ssl
diagnose debug enable
From FortiOS 6.2.6 or 6.4.4, it is possible to choose the interface used for the TLS 1.3 probing session with the following configuration:
config ips global
    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name>          - when method is 'specify'
        set vdom <vdom name>               - when method is 'sdwan' or 'specify'
        set source-ip <source_ipv4>        - when method is 'sdwan' or 'specify'
        set source-ip6 <source_ipv6>       - when method is 'sdwan' or 'specify'
    end
end
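The following script is an added example (not part of the original article or of FortiOS) showing how an analyst can pick the probe sessions described above out of exported traffic logs: local-out HTTPS sessions whose source address is one of the FortiGate's own addresses (a WAN interface IP, or the address pinned with 'set source-ip' in the tls-active-probe configuration). The log lines, the interface addresses and the configured source IP 192.0.2.200 are constructed sample values; the field names (type, subtype, srcip, dstip, dstport, service) follow the FortiGate key=value traffic log format.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value traffic log style.
# Addresses are documentation ranges; they do not come from any real device.
SAMPLE_LOGS = [
    'date=2024-01-28 time=21:13:01 type="traffic" subtype="local" srcip=203.0.113.10 '
    'srcintf="wan1" dstip=198.51.100.25 dstintf="unknown0" dstport=443 service="HTTPS" action="accept"',
    'date=2024-01-28 time=21:13:05 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'srcintf="internal" dstip=198.51.100.25 dstintf="wan1" dstport=443 service="HTTPS" action="accept"',
    'date=2024-01-28 time=21:13:07 type="traffic" subtype="local" srcip=203.0.113.10 '
    'srcintf="wan1" dstip=198.51.100.53 dstintf="unknown0" dstport=53 service="DNS" action="accept"',
    'date=2024-01-28 time=21:13:09 type="traffic" subtype="local" srcip=192.0.2.200 '
    'srcintf="root" dstip=198.51.100.25 dstintf="unknown0" dstport=443 service="HTTPS" action="accept"',
]

# Assumed set of addresses the FortiGate itself may use as a source:
# the WAN interface IP plus the 'source-ip' configured under tls-active-probe.
WAN_INTERFACE_IPS = {"203.0.113.10"}
TLS_PROBE_SOURCE_IP = "192.0.2.200"  # constructed; would match 'set source-ip'
SELF_IPS = WAN_INTERFACE_IPS | {TLS_PROBE_SOURCE_IP}

# key=value pairs; values may be quoted ("HTTPS") or bare (443).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one FortiGate-style key=value log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_probe_candidate(fields, self_ips):
    """A local-out HTTPS session originating from one of the firewall's own IPs.

    'subtype=local' excludes forwarded client traffic, so a match is traffic the
    FortiGate opened itself, which is where IPS TLS 1.3 probes appear.
    """
    return (
        fields.get("type") == "traffic"
        and fields.get("subtype") == "local"
        and fields.get("dstport") == "443"
        and fields.get("srcip") in self_ips
    )


def find_probe_candidates(lines, self_ips=SELF_IPS):
    """Return the parsed records that look like self-originated HTTPS probes."""
    return [f for f in map(parse_log, lines) if is_probe_candidate(f, self_ips)]


def probed_destinations(lines, self_ips=SELF_IPS):
    """Count candidate probe sessions per destination IP."""
    return Counter(f["dstip"] for f in find_probe_candidates(lines, self_ips))


if __name__ == "__main__":
    for rec in find_probe_candidates(SAMPLE_LOGS):
        print(f'{rec["time"]} {rec["srcip"]} -> {rec["dstip"]}:{rec["dstport"]} via {rec["srcintf"]}')
    print("destinations:", dict(probed_destinations(SAMPLE_LOGS)))
```

Pinning the probe source with 'set source-ip' makes this triage simpler: once the address is dedicated to probing, every local-out HTTPS session from it can be attributed to the IPS engine, and the same filter no longer has to share the WAN interface IP with management or update traffic.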