This article describes the configuration required to allow traffic to the ZTNA Access Proxy Server when FortiGate is running FIPS-CC mode.
Consider a ZTNA Access Proxy server configured as any of the examples from the documentation below:
When a user attempts a connection to the external IP address or FQDN and port of the ZTNA Server VIP, it will fail and ZTNA traffic logs will not be generated.
The same occurs to traffic triggered by a ZTNA Destination rule for TCP Forwarding traffic.
A packet capture will show the TCP handshake established from the endpoint to FortiGate Access proxy VIP, but the TLS handshake will fail and only a Client Hello packet will be seen.
The reason there is no Server Hello packet for the TLS handshake is that the proxy service (WAD) in FortiGate rejects the cipher sent in the Client Hello and drops the connection.
If debug logs are enabled for the proxy service (WAD) with the commands below, the following errors will be displayed:
diagnose wad debug enable all
diagnose wad filter src <client public IP>
diagnose debug enable
[I][p:3476][s:27231] wad_vs_ssl_port_caps_c2p_on_client_hello:9693 1:Colombas-FIPS: wsp(0x7ff7ad9ed048) handshake recv ClientHello record 3.1 client 3.3 supported 3.4
[V][p:3476][s:27231] wad_vs_proxy_match_vhost :3845 1:Colombas-FIPS: matching vhost by: 192.168.10.240
[V][p:3476][s:27231] wad_vs_matcher_map_find :635 Empty matcher!
[V][p:3476][s:27231] wad_vs_proxy_match_vhost :3848 1:Colombas-FIPS: no host matched.
[I][p:3476][s:27231] wad_vs_ssl_port_client_hello_validate_psk:8444 vsp(0x7ff7ad9ed048)
[V][p:3476][s:27231] wad_ssl_port_c2p_validate_psk :7315 wsp=0x7ff7ad9ed048/10 id=(nil) modes=0
[W][p:3476][s:27231] wad_ssl_port_c2p_validate_psk :7321 wsp=0x7ff7ad9ed048/10 no psk id!
[I][p:3476][s:27231] wad_vs_ssl_port_client_hello_validate_psk:8467 wsp(0x7ff7ad9ed048/10) verified PSK: 0
[I][p:3476][s:27231] wad_vs_find_tls_1_3_cipher :8954 wsp(0x7ff7ad9ed048/10) cs_pre=0000 g_pre=0
[E][p:3476][s:27231] wad_vs_find_tls_1_3_cipher :9038 wsp 0x7ff7ad9ed048 ssl no matching CipherSuite, abort
[I][p:3476][s:27231] wad_ssl_app_port_fts_in_close :17208 sp=0x7ff7ad9ed048/10 recv close request from fts close-type=0 closed=0
[I][p:3476][s:27231] wad_ssl_port_task_end :15356 sp=0x7ff7ad9ed048/10 state=1 good=0
[I][p:3476][s:27231] wad_tcp_port_proc_end :799 tcp=0x7ff7af15b048 socket=47 good=0 both ends closed.
The proxy service cannot find a matching cipher suite on the TLS 1.3 path, even though the same cipher suite would be accepted with a TLS version lower than 1.3, so it rejects the Client Hello and closes the connection.
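As an added example (not from the article or from Fortinet), a short Python triage of the WAD debug output above: it decodes the ClientHello version fields (record 3.1 = TLS 1.0 record layer, client 3.3 = TLS 1.2 legacy version, supported 3.4 = TLS 1.3 advertised through the supported_versions extension) and flags sessions that end in the TLS 1.3 cipher abort, so a debug capture from a busy unit can be checked for this pattern before changing ssl-max-version. The sample lines are a constructed excerpt of the output quoted above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "diagnose wad debug" output quoted in the article
# (session id and pointers are the ones on the page, not from a live unit).
SAMPLE_WAD_DEBUG = """\
[I][p:3476][s:27231] wad_vs_ssl_port_caps_c2p_on_client_hello:9693 1:Colombas-FIPS: wsp(0x7ff7ad9ed048) handshake recv ClientHello record 3.1 client 3.3 supported 3.4
[V][p:3476][s:27231] wad_vs_proxy_match_vhost :3845 1:Colombas-FIPS: matching vhost by: 192.168.10.240
[I][p:3476][s:27231] wad_vs_find_tls_1_3_cipher :8954 wsp(0x7ff7ad9ed048/10) cs_pre=0000 g_pre=0
[E][p:3476][s:27231] wad_vs_find_tls_1_3_cipher :9038 wsp 0x7ff7ad9ed048 ssl no matching CipherSuite, abort
[I][p:3476][s:27231] wad_tcp_port_proc_end :799 tcp=0x7ff7af15b048 socket=47 good=0 both ends closed.
"""

# TLS wire versions (major.minor) as WAD prints them in the ClientHello line.
TLS_VERSIONS = {"3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2", "3.4": "TLS 1.3"}

SESSION_RE = re.compile(r"^\[(?P<lvl>[A-Z])\]\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\s+(?P<func>\S+)")
HELLO_RE = re.compile(r"ClientHello record (?P<rec>\d\.\d) client (?P<cli>\d\.\d) supported (?P<sup>\d\.\d)")


def triage_wad_debug(text):
    """Group WAD debug lines by session id and flag the FIPS-CC TLS 1.3 cipher failure."""
    sessions = defaultdict(lambda: {"client_hello": None, "tls13_abort": False, "good": None})
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # not a WAD debug line
        s = sessions[m["sid"]]
        h = HELLO_RE.search(line)
        if h:  # decode record layer, legacy_version and supported_versions
            s["client_hello"] = {k: TLS_VERSIONS.get(h[k], h[k]) for k in ("rec", "cli", "sup")}
        if m["func"].startswith("wad_vs_find_tls_1_3_cipher") and "no matching CipherSuite" in line:
            s["tls13_abort"] = True
        if m["func"].startswith("wad_tcp_port_proc_end"):
            s["good"] = "good=1" in line
    for s in sessions.values():
        hello = s["client_hello"] or {}
        # The article's pattern: client offered TLS 1.3 and WAD aborted on the 1.3 cipher path.
        s["matches_kb"] = s["tls13_abort"] and hello.get("sup") == "TLS 1.3"
    return dict(sessions)


if __name__ == "__main__":
    for sid, s in triage_wad_debug(SAMPLE_WAD_DEBUG).items():
        print(sid, s)
```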
FortiOS FIPS-CC v7.0+, v7.2+, v7.4+, ZTNA Access Proxy.
This is a known issue registered under ID 917883. Development is investigating but there is no ETA as of now.
The workaround is to disable TLS 1.3 for the ZTNA Access Proxy VIP with the command 'set ssl-max-version tls-1.2'.
config firewall vip
    edit <ztna server vip name>
        set ssl-max-version tls-1.2
    next
end
Thank you Carlos for this share
Copyright 2024 Fortinet, Inc. All Rights Reserved.