leej (Staff)
Article Id 393239
Description This article describes how FortiGate does 'TLS Active Probe'.
Scope FortiGate.
Solution
  1. Diagram:
  • Client IP:PORT = 10.0.6.8:52934
  • FortiGate SNAT IP:PORT = 10.0.5.60:52934
  • FortiGate TLS Active Probe IP:PORT = 10.0.5.60:1298 <----- The IP and interface used for the "TLS Active Probe" depend on the configuration under config ips global.
  • Website IP:PORT = 115.84.166.115:443 (www.seoul.go.kr).

Sample configuration:

config ips global
     config tls-active-probe
         set interface-select-method specify
         set interface "port4"
         set vdom "root"
         set source-ip 10.0.5.60
     end
end

  2. TCP stream numbers:
  • Web traffic between the client and the FortiGate ingress interface: stream 19, colored red.
  • Web traffic between the FortiGate egress interface and the website: stream 20, colored blue.
  • TLS Active Probe between the FortiGate egress interface and the website: stream 21, colored yellow.

  3. Here is a breakdown of the relevant parts:
  1. A TCP 3-way handshake is established between the client and the website (No. 208 ~ No. 214).
  2. The client initiates a TLS handshake by sending a Client Hello with SNI (No. 215).
  3. At this point, FortiGate locally generates a new TCP session to the website for the purpose of doing a 'TLS Active Probe' (No. 217 ~ No. 221).
  4. FortiGate sends its own Client Hello to the website (No. 222).
  5. FortiGate performs a full TLS handshake with the website (No. 222 ~ No. 236).
  6. Once the 'TLS Active Probe' completes, FortiGate forwards the Client Hello from the client and performs the remaining inspection tasks (No. 246 onward).

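The breakdown above is easiest to verify in a capture by correlating three things: the client's Client Hello (the trigger), the SNAT'd egress stream that keeps the client's source port, and a second stream from the configured probe source IP that starts after the trigger and carries a Client Hello with the same SNI. The following Python is an added example, not part of the article or a Fortinet tool; it builds a minimal Client Hello, parses the SNI from it, and classifies constructed packet records modelled on frames 208 to 246 of the capture described above. The packet list, the Pkt record type and the frame numbers are constructed assumptions; in practice the records would come from a tshark export.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One captured frame, reduced to the fields needed for correlation (constructed)."""
    no: int          # frame number
    stream: int      # TCP stream index as Wireshark assigns it
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""   # TLS record bytes, empty for pure TCP segments


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)        # client_version + random
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression methods: null only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record type 22 = handshake


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record hdr + handshake hdr + version + random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > len(record):
        return None
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:
            # server_name list: 2-byte list length, 1-byte name type, 2-byte name length, name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None


PROBE_SOURCE_IP = "10.0.5.60"   # value of 'set source-ip' under config ips global in the article


def classify_streams(packets, client_ip, probe_source_ip=PROBE_SOURCE_IP):
    """Identify the client, SNAT'd egress and TLS Active Probe streams around one Client Hello."""
    trigger = next(p for p in packets if p.src == client_ip and extract_sni(p.payload))
    sni = extract_sni(trigger.payload)
    first_seen = {}
    for p in packets:
        first_seen.setdefault(p.stream, p.no)
    result = {"sni": sni, "client_stream": trigger.stream,
              "egress_stream": None, "probe_stream": None, "probe_client_hello_frame": None}
    for p in packets:
        if p.src != probe_source_ip or p.dst != trigger.dst or p.dport != trigger.dport:
            continue
        if p.sport == trigger.sport:
            result["egress_stream"] = p.stream            # SNAT preserves the client's source port
        elif first_seen[p.stream] > trigger.no and extract_sni(p.payload) == sni:
            result["probe_stream"] = p.stream             # new session, own port, same SNI
            result["probe_client_hello_frame"] = p.no
    return result


# Constructed sample modelled on the frame numbers in the article (client -> server direction only).
CH = build_client_hello("www.seoul.go.kr")
SAMPLE = [
    Pkt(208, 19, "10.0.6.8", 52934, "115.84.166.115", 443),        # client SYN
    Pkt(209, 20, "10.0.5.60", 52934, "115.84.166.115", 443),       # SNAT'd SYN, client port kept
    Pkt(215, 19, "10.0.6.8", 52934, "115.84.166.115", 443, CH),    # client's Client Hello (trigger)
    Pkt(217, 21, "10.0.5.60", 1298, "115.84.166.115", 443),        # probe SYN from source-ip
    Pkt(222, 21, "10.0.5.60", 1298, "115.84.166.115", 443, CH),    # FortiGate's own Client Hello
    Pkt(246, 20, "10.0.5.60", 52934, "115.84.166.115", 443, CH),   # client's Client Hello forwarded
]

if __name__ == "__main__":
    print(classify_streams(SAMPLE, "10.0.6.8"))
```

The classifier treats a stream as the probe only when it starts after the trigger frame, originates from the configured source IP with a source port different from the client's, and its Client Hello names the same server; a stream that matches on IP alone is not enough, since the SNAT'd egress stream shares the same source address.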
Screenshot of each TCP stream (the stream colored yellow is the 'TLS Active Probe'):

[Screenshot: TCP streams 19, 20 and 21]

A 'TLS Active Probe' is also visible in the IPS debug log using the commands below (set the filter's src and dst to the client and website IPs of the session being examined):

diagnose debug console timestamp enable
diagnose ips filter set 'src 192.168.10.10 and dst 115.84.166.115'
diagnose ips debug enable ssl
diagnose ips debug enable urlfilter
diagnose debug enable

[Screenshot: IPS debug log output showing the TLS Active Probe]

Related articles

Technical Tip: Configure interface for IPS TLS protocol active probing (Slow page load when Web Filt... 

Troubleshooting Tip: How to allow HTTPS (port 443) traffic when certificate-probe-failed error occur... 

Technical Tip: How to control self-originated traffic when SSL inspection with flow mode is configur...