Created on 12-26-2024 02:34 AM. Edited on 01-07-2025 03:24 AM by Jean-Philippe_P.
Description |
This article describes how the Server Name Indication (SNI) check in SSL certificate inspection can cause unexpected web page blocks. When the user connects to youtube.com, FortiGate logs show the following UTM block message:
date=2024-12-24 time=00:26:54 eventtime=1735028813332166560 tz="-0800" logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="root" urlfilteridx=1 urlfilterlist="Auto-webfilter-urlfilter_nroh1wmnu" policyid=1 poluuid="1e3210a0-be18-51ef-246e-feb901702e22" policytype="policy" sessionid=363254 srcip=192.168.18.2 srcport=54613 srccountry="Reserved" srcintf="internal1" srcintfrole="undefined" srcuuid="16adf484-be18-51ef-1df0-1d45391d26b6" dstip=142.250.69.110 dstport=443 dstcountry="United States" dstintf="wan1" dstintfrole="wan" dstuuid="16adf484-be18-51ef-1df0-1d45391d26b6" proto=6 service="HTTPS" hostname="play.google.com" profile="test-WF" action="blocked" reqtype="direct" url="https://play.google.com/" sentbyte=192 rcvdbyte=0 direction="outgoing" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"
The connection is blocked by the Web Filter because google.com is on the URL filter block list in the Web Filter profile.
Scope | FortiGate.
Solution |
In a packet capture, the Client Hello packet carries the Server Name Indication (SNI) 'youtube.com'.
In the SSL certificate inspection profile, the server certificate SNI check is enabled.
When SSL certificate inspection is used with the SNI check enabled, and the SNI in the Client Hello does not match the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate, FortiGate uses the certificate's Common Name instead of the SNI field to determine the destination URL for web filtering.
Internally, 'ssl_sni_cert_check' uses the presence of the 'SSL_SERVER_STATUS_SNI_VERIFIED' flag to determine whether the SNI matched the CN/SAN.
Check the Common Name of the server certificate:
In the browser, select the padlock icon to the left of the address bar for youtube.com, then 'Connection secure', 'More information', and 'View certificate'. The server certificate Common Name is *.google.com.
Because *.google.com falls under the google.com entry blocked in the URL filter, FortiGate blocks the youtube.com connection. To allow the connection, either disable the SNI check in the SSL certificate inspection profile or allow the domain *.google.com in the URL filter (note that the second option also allows every other google.com subdomain that presents the same certificate CN).
When the SNI check is disabled in the SSL certificate inspection profile, FortiGate still reads the SNI but does not compare it with the Common Name of the server certificate. It rates the SNI value youtube.com with FortiGuard, whose sub-category is 'Streaming Media and Download'. Since that sub-category is allowed in the Web Filter profile, FortiGate allows the youtube.com connection.
FortiGate behavior in the SNI check is controlled per SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        config https
            set sni-server-cert-check [enable | strict | disable]
        end
    next
end
enable: check the SNI in the Client Hello against the CN/SAN of the returned server certificate; on a mismatch, use the certificate CN for URL filtering (the behavior described above).
strict: perform the same check, but close the connection on a mismatch.
disable: do not check the SNI against the certificate; use the SNI value for URL filtering.
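To make the decision path concrete, the following is an added example that emulates the three sni-server-cert-check modes; it is not Fortinet code and does not reproduce FortiOS internals. It builds a minimal TLS Client Hello with an SNI extension, extracts the SNI the way a packet sniffer would, compares it with a constructed certificate summary (CN *.google.com, with youtube.com deliberately absent from the SANs so the mismatch in the article is reproduced), and then runs the resulting hostname through a constructed URL filter list and FortiGuard category table. The certificate contents, the URL filter entry and the category lookup are all constructed for the walkthrough.

```python
"""Emulation of the sni-server-cert-check decision path (added example, not Fortinet code)."""
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000  # RFC 6066 server_name extension


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying only an SNI extension (constructed sample)."""
    name = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0)
    name_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random (zeroed in the sample)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\xc0\x2f"            # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression_methods: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the host_name of its server_name extension, if any."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                          # not a handshake record / not a ClientHello
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                               # skip version and random
    pos += 1 + body[pos]                                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    if pos + 2 > len(body):
        return None                                            # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        p = 2                                                  # skip server_name_list length
        while p + 3 <= len(data):
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == 0:
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


def name_matches(pattern: str, host: str) -> bool:
    """Certificate name match: a leading '*.' covers exactly one DNS label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def hostname_for_url_filter(mode: str, sni: str, cert: dict) -> Optional[str]:
    """Which name the URL filter gets to see under each sni-server-cert-check mode.

    disable -> the SNI, unchecked
    enable  -> the SNI if it matches the CN/SAN, otherwise the certificate CN
    strict  -> the SNI if it matches, otherwise None (the connection is closed)
    """
    if mode == "disable":
        return sni
    if any(name_matches(n, sni) for n in [cert["cn"], *cert["san"]]):
        return sni
    return None if mode == "strict" else cert["cn"]


# Constructed web filter profile: a 'simple' URL filter entry for google.com (matches the domain and
# its subdomains) plus a FortiGuard category table allowing 'Streaming Media and Download'.
URL_FILTER = [("google.com", "blocked")]
FORTIGUARD_CATEGORY = {"youtube.com": "Streaming Media and Download"}   # constructed lookup
ALLOWED_CATEGORIES = {"Streaming Media and Download"}


def web_filter_verdict(mode: str, client_hello: bytes, cert: dict) -> tuple:
    """Return (action, hostname_used) for a ClientHello under a given sni-server-cert-check mode."""
    sni = extract_sni(client_hello)
    if sni is None:
        return ("no-sni", None)
    host = hostname_for_url_filter(mode, sni, cert)
    if host is None:
        return ("closed", sni)                      # strict mode mismatch
    lookup = host.lstrip("*.")                      # a CN of '*.google.com' is matched as google.com
    for domain, action in URL_FILTER:
        if lookup == domain or lookup.endswith("." + domain):
            return (action, host)
    category = FORTIGUARD_CATEGORY.get(lookup, "Unrated")
    return ("allowed" if category in ALLOWED_CATEGORIES else "blocked", host)


if __name__ == "__main__":
    # Constructed certificate summary: CN as reported in the article, youtube.com absent from the SANs.
    cert = {"cn": "*.google.com", "san": ["*.google.com", "*.android.com"]}
    hello = build_client_hello("youtube.com")
    print("sniffed SNI:", extract_sni(hello))
    for mode in ("enable", "strict", "disable"):
        print(f"sni-server-cert-check {mode:8s} ->", web_filter_verdict(mode, hello, cert))
```

With the constructed certificate, 'enable' yields ("blocked", "*.google.com"), 'strict' yields ("closed", "youtube.com") and 'disable' yields ("allowed", "youtube.com"), which is the sequence the article describes. An SNI of play.google.com matches the CN and is blocked in every mode, which is consistent with the log line in the Description.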
Copyright 2025 Fortinet, Inc. All Rights Reserved.