FortiGate
jhussain_FTNT
Article Id 197146

Description


This article explains why the local traffic log can show HTTPS connections to public IP addresses whose source is the FortiGate's own WAN interface IP, why this is expected, and how to control which interface and source address that traffic uses.

 

Scope

 

FortiGate.

Solution
From FortiOS 6.2 onwards, the FortiGate itself initiates these HTTPS sessions: the IPS engine performs TLS 1.3 active probing of the destination server, and this is expected behavior. In TLS 1.3 the server certificate is sent encrypted inside the handshake, so the FortiGate cannot read it from the client's session and instead opens its own connection to the server to retrieve the certificate it needs for inspection decisions.

The probe is triggered by configurations that depend on the server certificate: an SSL/SSH inspection profile that uses SSL exemptions or certificate verification, or a firewall policy with a web filter or application control profile enabled.
The following debug commands show the probe sessions generated by the IPS engine in real time; turn debugging off again with 'diagnose debug disable' once the sessions have been confirmed, since the output is verbose.

 

diagnose ips debug enable ssl
diagnose debug enable
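Before relocating the probe, it is worth confirming that the firewall-sourced HTTPS entries in the local traffic log actually match the probe pattern (the FortiGate's own interface IP as source, TCP/443 to a public host) rather than some other traffic originating from the device. The Python triage script below is an added example and not Fortinet code; it assumes the standard FortiOS key=value log syntax (type="traffic" subtype="local", srcip=, dstip=, dstport=, proto=) and that the operator supplies the firewall's own interface addresses. The log lines embedded in it are constructed for illustration, with 203.0.113.10 standing in for the WAN IP.

```python
"""Triage FortiGate local-traffic log lines for firewall-originated HTTPS sessions.

Added example, not Fortinet code. Assumes FortiOS key=value log syntax and an
operator-supplied set of the firewall's own interface IPs. Sample lines are
constructed, not real logs.
"""
import ipaddress
import re
from collections import Counter

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Ranges treated as "internal" for this triage. Anything else counts as public.
# (ipaddress.is_global is deliberately not used: the RFC 5737 documentation
# ranges used in the samples would otherwise be classed as non-public.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_fortilog(line: str) -> dict:
    """Parse one key=value FortiOS log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(ip: str) -> bool:
    """True if ip falls in a private/loopback/link-local range (or is malformed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict, own_ips: set) -> str:
    """Label one record.

    'tls-probe-pattern': own interface IP -> public host, TCP/443. Consistent with
                         the IPS TLS 1.3 active probe; confirm with
                         'diagnose ips debug enable ssl'.
    'review':            firewall-originated, but a different port or destination.
    'ignore':            not a local-traffic record, or not sourced from the firewall.
    """
    if rec.get("type") != "traffic" or rec.get("subtype") != "local":
        return "ignore"
    if rec.get("srcip") not in own_ips:
        return "ignore"
    if (rec.get("proto") == "6" and rec.get("dstport") == "443"
            and not is_internal(rec.get("dstip", ""))):
        return "tls-probe-pattern"
    return "review"


def triage(lines, own_ips):
    """Return (Counter of labels, list of records labelled 'review')."""
    counts = Counter()
    review = []
    for line in lines:
        rec = parse_fortilog(line)
        label = classify(rec, own_ips)
        counts[label] += 1
        if label == "review":
            review.append(rec)
    return counts, review


# Constructed sample lines (not real logs). 203.0.113.10 = the WAN interface IP.
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:00:01 type="traffic" subtype="local" srcip=203.0.113.10 srcintf="wan1" dstip=198.51.100.20 dstport=443 proto=6 service="HTTPS" action="accept"',
    'date=2024-01-10 time=10:00:02 type="traffic" subtype="local" srcip=203.0.113.10 srcintf="wan1" dstip=198.51.100.21 dstport=443 proto=6 service="HTTPS" action="accept"',
    'date=2024-01-10 time=10:00:03 type="traffic" subtype="local" srcip=203.0.113.10 srcintf="wan1" dstip=198.51.100.99 dstport=8443 proto=6 service="tcp/8443" action="accept"',
    'date=2024-01-10 time=10:00:04 type="traffic" subtype="forward" srcip=192.0.2.50 srcintf="port1" dstip=198.51.100.20 dstport=443 proto=6 service="HTTPS" action="accept"',
    'date=2024-01-10 time=10:00:05 type="traffic" subtype="local" srcip=198.51.100.5 dstip=203.0.113.10 dstport=22 proto=6 service="SSH" action="deny"',
]

OWN_IPS = {"203.0.113.10"}  # assumption: the operator fills in the FortiGate's interface IPs

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOGS, OWN_IPS)
    print(dict(counts))
    for rec in review:
        print("review:", rec.get("dstip"), rec.get("dstport"), rec.get("service"))
```

Entries that land in the 'review' bucket (here the TCP/8443 session) are the ones that do not fit the probe explanation and deserve a closer look; the TCP/443 sessions to public hosts are the expected probe traffic the article describes, which the debug output above will confirm.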

 

From FortiOS 6.2.6 and 6.4.4 onwards, the interface, VDOM and source address used for the TLS 1.3 probe sessions can be chosen with the following configuration.

 

config ips global
    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name>       - when method is 'specify'
        set vdom <vdom name>            - when method is 'sdwan' or 'specify'
        set source-ip <source_ipv4>     - when method is 'sdwan' or 'specify'
        set source-ip6 <source_ipv6>    - when method is 'sdwan' or 'specify'
    end
end

 

Related article:

Technical Tip: Configure interface for IPS TLS protocol active probing (Slow page load when Web Filt...