sballester
Staff
Description
This article describes how to decrypt the payload of an SSL VPN packet capture taken on a FortiGate. This is useful for determining whether packets are being lost.

Scope
SSL VPN
Solution
1) To properly troubleshoot possible packet loss in an SSL VPN, it is sometimes necessary to capture packets while the SSL VPN is being established (or once it is established) and read the decrypted capture in Wireshark.

2) Open a PuTTY session to the FortiGate with logging enabled. The steps to save the PuTTY log can be found in the related KB article 'How to create a log file of a PuTTY session'.

3) In the PuTTY session, run the command:
diagnose sniffer packet any "host x.x.x.x" 6 0 l
Here x.x.x.x is the address of the SSL VPN client, verbosity 6 includes the Ethernet header needed for a .pcap, 0 captures until the sniffer is stopped, and l prints absolute timestamps.
4) Connect to the SSL VPN in web or tunnel mode (depending on the configuration), or send packets through the already established SSL VPN. Traffic between the host and the FortiGate should now be visible in the sniffer output.

5) Stop the sniffer with Ctrl+C and convert the saved output to .pcap format as described in the related knowledge base article 'Troubleshooting Tool: Using the FortiOS built-in packet sniffer'.
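The conversion in step 5 is what makes the PuTTY log readable by Wireshark. As an added example (not the converter script the related article describes, nor Fortinet code), the following Python parses the verbosity-6 sniffer text into a classic .pcap; the exact line layout of the sniffer output and the UTC interpretation of its timestamps are assumptions, and the two-frame sample is constructed.

```python
import re
import struct
from datetime import datetime, timezone

# 'diagnose sniffer packet ... 6 0 l' prints each frame as hex-dump lines such as
# "0x0010<tab> 0028 1a2b ... 0a00<tab>.(+@...", Ethernet header included (assumed layout).
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(.*)$")
TS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6})\s")  # 'l' timestamps

def parse_sniffer(text):
    """Return a list of (sec, usec, frame_bytes) parsed from sniffer text."""
    packets, buf, ts = [], bytearray(), (0, 0)
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:  # hex groups precede the tab-separated ASCII column
            for tok in m.group(1).split("\t")[0].split():
                if not re.fullmatch(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}", tok):
                    break  # reached the ASCII column (no tab in this output)
                buf.extend(bytes.fromhex(tok))
            continue
        if buf:  # any non-hex line ends the frame being collected
            packets.append((ts[0], ts[1], bytes(buf)))
            buf = bytearray()
        t = TS_LINE.match(line)
        if t:  # the sniffer prints no zone; timestamps are assumed UTC here
            dt = datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
            ts = (int(dt.timestamp()), dt.microsecond)
    if buf:
        packets.append((ts[0], ts[1], bytes(buf)))
    return packets

def to_pcap(packets):
    """Serialise frames as a classic little-endian pcap, link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

# Constructed sample: a client SYN to the FortiGate's port 443 and the SYN-ACK back.
SAMPLE = """2024-01-15 10:20:30.123456 port1 in 10.0.0.5.51234 -> 10.0.0.1.443: syn 1
0x0000\t 0050 5689 abcd 000c 2912 3456 0800 4500\t.PV.....)4V..E.
0x0010\t 0028 1a2b 4000 4006 0000 0a00 0005 0a00\t.(+@.@.......
0x0020\t 0001 c822 01bb 0000 0001 0000 0000 5002\t..."...........P.
0x0030\t 1c2a 0000 0000\t.*....
2024-01-15 10:20:30.124000 port1 out 10.0.0.1.443 -> 10.0.0.5.51234: syn 100 ack 2
0x0000\t 000c 2912 3456 0050 5689 abcd 0800 4500\t..)4V.PV.....E.
0x0010\t 0028 0000 4000 4006 0000 0a00 0001 0a00\t.(..@.@.......
0x0020\t 0005 01bb c822 0000 0064 0000 0002 5012\t....."...d....P.
0x0030\t 1c2a 0000 0000\t.*....
"""
```

Writing `to_pcap(parse_sniffer(open("putty.log").read()))` to a file produces a capture Wireshark opens directly; a frame count that differs from what the sniffer printed points at a line the parser did not recognise.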

SSL Decryption:

1) Open the .pcap file in Wireshark.

2) Go to Edit > Preferences > Protocols.

3) Select SSL (named TLS in newer Wireshark versions).

4) In the RSA keys list field, click Edit > New and enter the following information:

IP address: the IP address of the FortiGate (the device holding the private key).
Port: the configured SSL VPN port, usually 443 for SSL/TLS.
Protocol: usually HTTP.
Key File: the path and file name of the private key. This is the private key of the SSL server certificate key pair for which the traffic is being decrypted; save it to the local disk and specify that path here.
Password: the password assigned when the server certificate was exported.

To extract the private key from the FortiGate, refer to the related KB article 'Extract a Private Key and Public Certificate from a FortiGate/FortiWiFi configuration'. If the password was previously unset, the Password field in Wireshark can be left empty.

5) Click OK. The SSL traffic should now appear decrypted, as in the picture below. Note that decryption with the server's private key works only for sessions that negotiated an RSA key exchange; with (EC)DHE cipher suites the private key alone cannot recover the session keys.

[Figure: Wireshark screenshot showing the decrypted SSL VPN traffic]

Related Articles

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

Technical Note : Extract a Private Key and Public Certificate from a FortiGate/FortiWiFi configurati...

Technical Note: How to create a log file of a session using PuTTY
