This article describes how to 'mirror' SSL-inspected traffic. For troubleshooting purposes, it can be necessary to send a copy of SSL-inspected traffic out of a different interface.
It is possible to 'mirror' (send a copy of) traffic decrypted by SSL inspection to one or more FortiGate interfaces, so that the plaintext can be collected by a raw packet capture tool for archiving or analysis.
This feature is available only when the inspection mode is set to flow-based.
Caution: Decryption, storage, inspection, and use of decrypted content is subject to local privacy rules.
Enabling these features allows anyone with administrative access to the FortiGate, including a malicious or compromised administrator, to harvest sensitive information that users submitted over an encrypted channel.
In this example, the setting makes the policy send a copy of all traffic it decrypts to the FortiGate port1 and port2 interfaces:
# config firewall policy
    edit <policy ID>
        set ssl-mirror enable
        set ssl-mirror-intf port1 port2
    next
end
From FortiOS 6.0 onwards, a dedicated object, 'decrypted-traffic-mirror', is used for decrypted traffic mirroring. It defines the destination MAC address written on the mirrored frames, the traffic type to copy (SSL or SSH), the traffic source to copy (client, server or both) and the interface the copy is sent out of. The object is named here so that a policy can reference it:
# config firewall decrypted-traffic-mirror
    edit "SSL-to-port3"
        set dstmac ff:ff:ff:ff:ff:ff
        set traffic-type SSL
        set traffic-source client
        set interface port3
    next
end
To reference it from a firewall policy (the policy must use a full SSL inspection profile such as 'deep-inspection', otherwise there is no decrypted traffic to copy):
# config firewall policy
    edit <policy ID>
        set name "mirror-policy"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ssl-ssh-profile "deep-inspection"
        set decrypted-traffic-mirror "SSL-to-port3"
    next
end
When the mirror is enabled on the policy, the following terms and agreement appear and must be accepted before the setting takes effect:
THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT:
1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature.
2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature.
3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs.
4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing.
5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue.
6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above.
7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA.
Do you want to continue? (y/n) y
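Because mirroring exposes plaintext to whoever controls the capture interface, it is worth auditing periodically which policies copy decrypted traffic and where the copies go. The following script is an added example for this article, not Fortinet code: it parses the config / edit / set / next / end format that a saved 'show full-configuration' uses into nested dictionaries, then lists every policy that mirrors decrypted traffic (both the pre-6.0 'ssl-mirror' form and the 'decrypted-traffic-mirror' object form), flags references to mirror objects that do not exist, and flags mirror interfaces that some policy also uses as srcintf or dstintf, since the GUI procedure asks for an unused interface. The sample configuration embedded in it is constructed for the example and mirrors the objects shown above; the table and attribute names are the CLI names from this article.

```python
"""Audit a FortiOS config dump for decrypted-traffic (SSL) mirroring.

Added example for this article, not Fortinet code. Parses the CLI
config / edit / set / next / end format and reports mirroring policies.
"""
import shlex
import sys

# Constructed sample, not a dump from a real device: the article's mirror
# object and policy, a pre-6.0 ssl-mirror policy and a dangling reference.
SAMPLE_CONFIG = """\
config firewall decrypted-traffic-mirror
    edit "SSL-to-port3"
        set dstmac ff:ff:ff:ff:ff:ff
        set traffic-type SSL
        set traffic-source client
        set interface "port3"
    next
end
config firewall policy
    edit 1
        set name "mirror-policy"
        set srcintf "port1"
        set dstintf "port2"
        set ssl-ssh-profile "deep-inspection"
        set decrypted-traffic-mirror "SSL-to-port3"
    next
    edit 2
        set name "legacy-mirror"
        set srcintf "port1"
        set dstintf "port2"
        set ssl-mirror enable
        set ssl-mirror-intf "port1" "port2"
    next
    edit 3
        set name "broken-ref"
        set srcintf "port1"
        set dstintf "port2"
        set decrypted-traffic-mirror "SSL-to-port9"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry_id: {attribute: [values]}}}.

    Nested tables are keyed "outer/entry/inner"; singleton tables without
    'edit' keep their attributes under entry None.
    """
    tables = {}
    stack = []  # one [table_name, current_entry_id] per open 'config'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or #config-version= header
            continue
        tokens = shlex.split(line)            # strips the CLI's double quotes
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            name = " ".join(args)
            if stack:
                name = f"{stack[-1][0]}/{stack[-1][1]}/{name}"
            tables.setdefault(name, {})
            stack.append([name, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
        # 'unset' and anything else is irrelevant to this audit
    return tables


def audit_mirroring(tables):
    """List policies that mirror decrypted traffic, with two sanity checks.

    'shared' holds mirror interfaces that some policy also uses as srcintf or
    dstintf: plaintext copies would then land on a production segment.
    """
    mirrors = tables.get("firewall decrypted-traffic-mirror", {})
    policies = tables.get("firewall policy", {})
    in_use = set()
    for attrs in policies.values():
        in_use.update(attrs.get("srcintf", []) + attrs.get("dstintf", []))
    findings = []
    for pid, attrs in policies.items():
        name = attrs.get("name", [pid])[0]
        if attrs.get("ssl-mirror", ["disable"])[0] == "enable":  # pre-6.0 form
            intfs = attrs.get("ssl-mirror-intf", [])
            findings.append({"policy": pid, "name": name, "kind": "ssl-mirror",
                             "interfaces": intfs, "shared": sorted(set(intfs) & in_use)})
        ref = attrs.get("decrypted-traffic-mirror")  # 6.0+ object reference
        if ref and ref[0] not in mirrors:
            findings.append({"policy": pid, "name": name, "kind": "dangling-ref",
                             "object": ref[0]})
        elif ref:
            obj = mirrors[ref[0]]
            intfs = obj.get("interface", [])
            findings.append({"policy": pid, "name": name,
                             "kind": "decrypted-traffic-mirror", "object": ref[0],
                             "traffic-type": obj.get("traffic-type", ["?"])[0],
                             "traffic-source": obj.get("traffic-source", ["?"])[0],
                             "interfaces": intfs, "shared": sorted(set(intfs) & in_use)})
    return findings


if __name__ == "__main__":
    # Pass the path of a saved 'show full-configuration' to audit a real device.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_mirroring(parse_fortios(text)):
        print(finding)
```

Run it against a saved configuration file to get one line per mirroring policy; in the constructed sample, policy 2 is flagged because it mirrors onto port1 and port2, which other policies use as traffic interfaces, and policy 3 is flagged because "SSL-to-port9" is not defined.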
SSL mirroring can also be configured in the GUI:
1) Go to Policy & Objects -> Firewall Policy.
2) Edit the existing policy that requires SSL mirroring.
3) In the Security Profiles section, for SSL Inspection, select deep-inspection or another profile that uses Full SSL Inspection.
4) In the Decrypted traffic mirror drop-down list, select 'Create' to create a new mirror object.
5) Add an unused interface as the mirror destination and select OK.
6) Select OK to save the policy.
Related document: