FortiGate
abarad (Staff)
Article Id 200844
Description

This article describes how to resolve an issue in which HTTPS (port 443) traffic is blocked when a certificate-probe-failed error message appears in the FortiGate SSL logs while the read-only certificate-inspection profile is in use.
Scope

FortiGate.

Solution
  1. Certificate probing: certificate-probe is a feature that was introduced in FortiOS 7.0.
  2. FortiOS 7.0 and later use this feature to pre-probe the server for its certificate, so that read-only certificate inspection can be performed before the client-server connection is established.
  3. FortiGate's probe to the server fails for one of the following reasons:

  • The TCP handshake fails.
  • The TLS handshake fails.
  • The probe traffic is misrouted and does not reach the server.

***

Certificate probe traffic may require additional parameters to reach the destination server correctly. It can be controlled with the following options:

config ips global
    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name>          (used when the method is 'specify')
        set vdom <vdom name>               (used when the method is 'sdwan' or 'specify')
        set source-ip <source_ipv4>        (used when the method is 'sdwan' or 'specify')
        set source-ip6 <source_ipv6>       (used when the method is 'sdwan' or 'specify')
    end
end

  4. The probe's TLS handshake fails because the first Client Hello seen on the server side is a forged Client Hello sent by FortiGate to probe the server's certificate. The server does not recognize this Client Hello as it would one in inspection mode, so the handshake fails.
  5. The default behavior of the read-only certificate-inspection profile is to drop the client session to that server when the server does not accept the FortiGate probe.
  6. This failure terminates the original SSL session from client to server. Hence, an option to control this behavior was added from 7.0.1 onward.

Because no option can be modified on the built-in read-only 'certificate-inspection' profile, it is recommended to create a clone of it and, for the HTTPS protocol, set the action to 'allow' instead of the default 'block'.

This behavior is controlled by the set cert-probe-failure [block|allow] setting in the SSL Inspection profile.

This setting will allow the original SSL connection to continue when the certificate-probe attempt fails.

This feature is available per protocol.

Using the CLI:

config firewall ssl-ssh-profile
    edit <certificate profile name>
        config <protocol name>
            set cert-probe-failure [allow | block]   (default action is block; change it to allow)
        end
end

Reference configuration in the CLI:

config firewall ssl-ssh-profile                 <- Modify the SSL/SSH inspection profiles.
    edit "Clone of certificate-inspection"      <- Modify the cloned inspection profile.
        config https                            <- Modify the settings of the HTTPS protocol.
            set cert-probe-failure allow        <- Change the firewall behavior when the pre-probe fails (default action is block).
        end
end

List of available protocols for which the invalid-server-cert action can be modified:

  • SSL.
  • HTTPS.
  • FTPS.
  • IMAPS.
  • POP3S.
  • SMTPS.
  • SSH.

See the CLI reference for more information about configuring each.

If the certificate probe fails and cert-probe-failure is set to allow, FortiGate cannot obtain the server certificate for deep inspection and passes the session anyway. For example, if the server certificate has expired and FortiGate is configured to block expired certificates, the session is still passed, because FortiGate never sees the server certificate.

In the FortiGate logs this shows up as two different entries: the first shows 'eventsubtype="certificate-probe-failed"', and the following one shows 'action="exempt"'.
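Those two entries can be correlated to list the sessions that were passed without FortiGate ever validating the server certificate, which is the set of sessions a defender wants to review after switching a profile to allow. The parser below is an added example, not code from this article or from Fortinet. The log lines are constructed in the FortiGate key=value style (fields such as sessionid, srcip, dstip, eventsubtype and action) and are not real device output, and the assumption that both entries for one session carry the same sessionid and address tuple is mine.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the FortiGate key=value style (not real device output).
# Session 1001: probe failed, then the session was exempted (cert-probe-failure allow).
# Session 1002: probe failed and the session stayed blocked (the default behavior).
# Session 1003: ordinary passthrough with no probe failure at all.
SAMPLE_LOG_LINES = [
    'date=2024-01-15 time=10:21:05 devname="FGT-LAB" type="utm" subtype="ssl" eventtype="ssl" '
    'eventsubtype="certificate-probe-failed" level="warning" sessionid=1001 srcip=10.0.1.25 '
    'srcport=51234 dstip=203.0.113.10 dstport=443 service="HTTPS" '
    'profile="Clone of certificate-inspection" msg="Certificate probe failed"',
    'date=2024-01-15 time=10:21:05 devname="FGT-LAB" type="utm" subtype="ssl" eventtype="ssl" '
    'level="notice" sessionid=1001 srcip=10.0.1.25 srcport=51234 dstip=203.0.113.10 dstport=443 '
    'service="HTTPS" profile="Clone of certificate-inspection" action="exempt" msg="SSL session exempted"',
    'date=2024-01-15 time=10:22:40 devname="FGT-LAB" type="utm" subtype="ssl" eventtype="ssl" '
    'eventsubtype="certificate-probe-failed" level="warning" sessionid=1002 srcip=10.0.1.30 '
    'srcport=50211 dstip=203.0.113.20 dstport=443 service="HTTPS" '
    'profile="certificate-inspection" msg="Certificate probe failed"',
    'date=2024-01-15 time=10:22:40 devname="FGT-LAB" type="utm" subtype="ssl" eventtype="ssl" '
    'level="warning" sessionid=1002 srcip=10.0.1.30 srcport=50211 dstip=203.0.113.20 dstport=443 '
    'service="HTTPS" profile="certificate-inspection" action="blocked" msg="SSL session blocked"',
    'date=2024-01-15 time=10:23:01 devname="FGT-LAB" type="utm" subtype="ssl" eventtype="ssl" '
    'level="notice" sessionid=1003 srcip=10.0.1.25 srcport=51300 dstip=203.0.113.30 dstport=443 '
    'service="HTTPS" profile="certificate-inspection" action="passthrough" msg="SSL session passed"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping the quotes around quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def session_key(fields: Dict[str, str]) -> Tuple[str, str, str, str, str]:
    """Correlation key: session id plus the address tuple (assumed shared by both entries)."""
    return (fields.get("sessionid", ""), fields.get("srcip", ""), fields.get("srcport", ""),
            fields.get("dstip", ""), fields.get("dstport", ""))


def find_uninspected_sessions(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return SSL sessions that hit certificate-probe-failed and were then exempted.

    For these sessions the profile's certificate checks (expired, untrusted and so on)
    could not be applied, because FortiGate never saw the server certificate.
    """
    probe_failed: Dict[Tuple[str, ...], Dict[str, str]] = {}
    flagged: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") != "utm" or f.get("subtype") != "ssl":
            continue
        key = session_key(f)
        if f.get("eventsubtype") == "certificate-probe-failed":
            probe_failed[key] = f
        elif f.get("action") == "exempt" and key in probe_failed:
            first = probe_failed.pop(key)
            flagged.append({
                "sessionid": f.get("sessionid", ""),
                "srcip": f.get("srcip", ""),
                "dstip": f.get("dstip", ""),
                "dstport": f.get("dstport", ""),
                "profile": f.get("profile", ""),
                "probe_failed_at": f"{first.get('date', '')} {first.get('time', '')}".strip(),
            })
    return flagged


def servers_bypassing_inspection(lines: Iterable[str]) -> Dict[str, int]:
    """Count exempted-after-probe-failure sessions per destination server."""
    return dict(Counter(s["dstip"] for s in find_uninspected_sessions(lines)))


if __name__ == "__main__":
    for s in find_uninspected_sessions(SAMPLE_LOG_LINES):
        print(f"session {s['sessionid']} {s['srcip']} -> {s['dstip']}:{s['dstport']} passed "
              f"without certificate validation (profile {s['profile']!r}, probe failed {s['probe_failed_at']})")
    print(servers_bypassing_inspection(SAMPLE_LOG_LINES))
```

Feed it the exported SSL UTM log instead of SAMPLE_LOG_LINES; servers that keep appearing in the per-destination count are the ones whose probe path (TCP, TLS or routing) deserves fixing, so that the allow action stops being needed for them.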

Note:

  1. The cert-probe-failure option is available for custom deep SSL inspection profiles starting from FortiOS 7.2.4 and 7.4.0.
  2. To configure the cert-probe-failure option, 'inspect all ports' must be disabled.