FortiGate
maydin
Staff
Article Id 334684
Description

This article describes how to control self-originated traffic when SSL inspection is configured in flow mode.


When SSL inspection is used in flow mode, FortiGate creates self-originated outgoing connections for various certificate operations.

By default, these self-originated connections use the IP address of the outgoing interface selected by the routing table. In some customer environments, connections from that address are not allowed. This article explains what these connections are and how to control the source IP used for them.

Scope

FortiGate v7.0 and above.
Solution

When SSL inspection in flow mode is used, FortiGate creates outgoing connections for two purposes:

  1. TLS active probe: the KB article below explains the behavior and how to control the source IP in detail:

Technical Tip: Configure interface for IPS TLS protocol active probing (Slow page load when Web Filt...

TLS active probe sessions appear in the session table as shown below. They are outgoing HTTPS sessions:

HTTPS:

session info: proto=6 proto_state=02 duration=4 expire=8 timeout=1200 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
slbc: slot=10 mw_gen=2
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 37/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=76->100/100->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.168.21.1:24440->3.211.222.47:443(0.0.0.0:0)
hook=in dir=reply act=noop 3.211.222.47:443->192.168.21.1:24440(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
serial=0008f408 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local

In some cases, FortiGate logs local traffic entries with action 'timeout' when a user attempts to access a web resource. This generally indicates that the FortiGate is unable to establish a connection to the remote server, often because the route is missing or the next hop is unreachable.

To suppress such log entries, the sni-server-cert-check option can be disabled within the applied certificate inspection profile.

Local Traffic:


date=2025-06-10 time=10:52:15 eventtime=1749523934992147456 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="GNET_Pri" srcip=10.99.223.211 srcport=18213 srcintf="GNET_Pri" srcintfrole="undefined" dstip=10.106.2.70 dstport=8080 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=63998658 proto=6 action="timeout" policyid=0 service="HTTP_return" trandisp="noop" app="HTTP_return" duration=13 sentbyte=180 rcvdbyte=0 sentpkt=3 rcvdpkt=0

  2. fnbamd daemon certificate validation: fnbamd needs to download intermediate certificates from various sources for certificate verification (AIA or OCSP). AIA sessions are generally HTTP and appear in the session table as shown below:

session info: proto=6 proto_state=02 duration=10 expire=2 timeout=1200 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
slbc: slot=10 mw_gen=2
class_id=0 ha_id=1:0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 17/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=76->100/100->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.168.21.1:22968->104.18.21.226:80(0.0.0.0:0)
hook=in dir=reply act=noop 104.18.21.226:80->192.168.21.1:22968(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=5
serial=00091ad6 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1

The source IP used for AIA and OCSP sessions can be controlled with the following configuration option:

config vpn certificate setting
    set source-ip {string} <----- Source IP address for dynamic AIA and OCSP queries.
end
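As an added example that is not part of the original article, the following Python script parses FortiGate local-traffic log lines in the key=value format shown above and reports the self-originated sessions (subtype local, policy ID 0) that ended with action 'timeout', which is the symptom described for both the TLS active probe and the fnbamd AIA fetch. The sample lines are constructed, and the port-based classification (443 for the TLS active probe, 80 for AIA) is an assumption made for this example.

```python
import re

# Key=value pairs as in FortiGate traffic logs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict, quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV_RE.finditer(line)}

def classify_local_session(rec):
    """Guess which self-originated SSL-inspection function a session belongs to.
    Assumption made for this example: 443 -> TLS active probe, 80 -> AIA fetch."""
    return {"443": "tls-active-probe", "80": "aia-fetch"}.get(rec.get("dstport"), "other")

def failed_self_originated(lines):
    """Return self-originated sessions (subtype=local, policyid=0) that timed out,
    i.e. the FortiGate sent SYNs but never received a reply (rcvdbyte=0)."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if (rec.get("type") == "traffic" and rec.get("subtype") == "local"
                and rec.get("policyid") == "0" and rec.get("action") == "timeout"):
            rec["kind"] = classify_local_session(rec)
            hits.append(rec)
    return hits

# Constructed sample lines (not taken from a real device), same format as above.
SAMPLE_LOGS = [
    'date=2025-06-10 time=10:52:15 type="traffic" subtype="local" vd="root" '
    'srcip=192.168.21.1 srcport=24440 srcintf="port1" dstip=3.211.222.47 dstport=443 '
    'proto=6 action="timeout" policyid=0 service="HTTPS" sentbyte=180 rcvdbyte=0',
    'date=2025-06-10 time=10:52:16 type="traffic" subtype="local" vd="root" '
    'srcip=192.168.21.1 srcport=22968 srcintf="port1" dstip=104.18.21.226 dstport=80 '
    'proto=6 action="timeout" policyid=0 service="HTTP" sentbyte=180 rcvdbyte=0',
    'date=2025-06-10 time=10:52:17 type="traffic" subtype="forward" vd="root" '
    'srcip=10.0.0.5 srcport=51000 srcintf="port2" dstip=104.18.21.226 dstport=443 '
    'proto=6 action="accept" policyid=3 service="HTTPS" sentbyte=900 rcvdbyte=5000',
]

if __name__ == "__main__":
    for h in failed_self_originated(SAMPLE_LOGS):
        print(f'{h["kind"]}: {h["srcip"]} -> {h["dstip"]}:{h["dstport"]} '
              f'(sent {h["sentbyte"]} B, received {h["rcvdbyte"]} B)')
```

Feed it the output of a local-traffic log export instead of SAMPLE_LOGS to see which self-originated inspection connections are failing before changing the source IP.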