FortiGate
maydin
Staff
Article Id 334684
Description

This article describes how to control self-originated traffic when SSL inspection with flow mode is configured.

 

When ssl-inspection is used in flow mode, FortiGate will create some self-originated outgoing connections for the various certificate operations.

By default, these self-originated connections use the IP address of the outgoing interface selected by the routing table. In some customer environments, connections from that address are not allowed. This article explains what these connections are and how to control the source IP used for them.

Scope
FortiOS 7.0 and above.
Solution

When SSL inspection in flow mode is being used, FortiGate will create outgoing connections for two purposes:

1. TLS active probe.

The following article explains the behavior and how to control the source IP in detail:
Technical Tip: Configure interface for IPS TLS protocol active probing (Slow page load when Web Filt...

TLS active probe sessions appear in the session table as outgoing HTTPS sessions, as shown below:

HTTPS:

session info: proto=6 proto_state=02 duration=4 expire=8 timeout=1200 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
slbc: slot=10 mw_gen=2
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 37/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=76->100/100->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.168.21.1:24440->3.211.222.47:443(0.0.0.0:0)
hook=in dir=reply act=noop 3.211.222.47:443->192.168.21.1:24440(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
serial=0008f408 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local

2. fnbamd daemon certificate validation.

fnbamd needs to download intermediate certificates from various sources for certificate verification (AIA or OCSP).

AIA sessions are generally HTTP and appear in the session table as shown below:


session info: proto=6 proto_state=02 duration=10 expire=2 timeout=1200 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
slbc: slot=10 mw_gen=2
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 17/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=76->100/100->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.168.21.1:22968->104.18.21.226:80(0.0.0.0:0)
hook=in dir=reply act=noop 104.18.21.226:80->192.168.21.1:22968(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
serial=00091ad6 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1

The source IP of AIA (and OCSP) sessions can be controlled with the following configuration option:

config vpn certificate setting
    set source-ip {string} --> Source IP address for dynamic AIA and OCSP queries.
end
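To verify that the self-originated sessions described above are actually leaving with the intended source IP, the following added Python example (not part of the article or of FortiOS) parses session-list output of the format shown above. It assumes that the `local` state flag together with `policy_id=0` identifies self-originated traffic, as in both dumps above; the first two sessions in the sample are taken from the article and the third (an ordinary policy-matched user session) is constructed.

```python
import re

# Session entries from the article's session-list output (one TLS active probe,
# one AIA fetch), trimmed to the lines this parser reads, plus one constructed
# ordinary user session (policy_id=3, no 'local' flag) for contrast.
SESSION_DUMP = """\
session info: proto=6 proto_state=02 duration=4 expire=8 timeout=1200 flags=00000000
state=log local nds
hook=out dir=org act=noop 192.168.21.1:24440->3.211.222.47:443(0.0.0.0:0)
hook=in dir=reply act=noop 3.211.222.47:443->192.168.21.1:24440(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
no_ofld_reason: local
session info: proto=6 proto_state=02 duration=10 expire=2 timeout=1200 flags=00000000
state=log local nds
hook=out dir=org act=noop 192.168.21.1:22968->104.18.21.226:80(0.0.0.0:0)
hook=in dir=reply act=noop 104.18.21.226:80->192.168.21.1:22968(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
no_ofld_reason: local
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000
state=log may_dirty
hook=post dir=org act=snat 10.1.1.20:51000->93.184.216.34:443(192.168.21.1:51000)
misc=0 policy_id=3 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
"""

IP = r"(\d+(?:\.\d+){3})"
HOOK_RE = re.compile(rf"hook=\w+ dir=org act=\w+ {IP}:(\d+)->{IP}:(\d+)\(")
STATE_RE = re.compile(r"^state=(.*)$", re.M)  # anchored so proto_state= does not match
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")

def parse_sessions(dump):
    """Split a session-list dump into dicts holding the fields we classify on."""
    sessions = []
    for chunk in dump.split("session info:")[1:]:
        hook, state, pol = HOOK_RE.search(chunk), STATE_RE.search(chunk), POLICY_RE.search(chunk)
        if not (hook and state and pol):
            continue  # incomplete entry: skip rather than misclassify
        sessions.append({"src": hook.group(1), "dst": hook.group(3), "dport": int(hook.group(4)),
                         "state": state.group(1).split(), "policy_id": int(pol.group(1))})
    return sessions

def classify(s):
    """Self-originated sessions carry the 'local' flag and match no policy (policy_id=0)."""
    if "local" not in s["state"] or s["policy_id"] != 0:
        return None  # ordinary user traffic
    return {443: "tls-active-probe", 80: "aia-ocsp-fetch"}.get(s["dport"], "other-local")

def check_source_ip(dump, expected_src):
    """List (kind, src, dst:port) for self-originated sessions not using expected_src."""
    return [(k, s["src"], f"{s['dst']}:{s['dport']}") for s in parse_sessions(dump)
            if (k := classify(s)) and s["src"] != expected_src]
```

Run `check_source_ip` on a fresh `diagnose sys session list` capture with the address you configured in `set source-ip`; an empty result means every probe and AIA/OCSP session is using it.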