Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tpatel
Staff
Staff

Created on ‎12-26-2024 07:02 AM Edited on ‎04-11-2025 06:26 AM By Community Manager

Article Id 366806

Troubleshooting Tip: How to evaluate traffic is getting SSL inspected in WAD debug.

Description This article describes how to verify the traffic is being inspected by FortiGate when the firewall policy is set to proxy-based inspection using deep inspection.
Scope FortiGate.
Solution

Firewall policy Configuration:


config firewall policy
    edit 1
        set name "test"
        set uuid 722b1d36-c2d3-51ef-d488-227b3bda61d1
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set webfilter-profile "default"
        set nat enable
    next
end

SSL inspection profile configuration:

 

Capture17.PNG

 

The certificate that is used in the custom deep inspection profile is installed on the user's PC as a trusted root authority.

For a test visit the website example.com in the browser on user pc.

 

Use the following debugging command to run WAD debug on FortiGate:


diagnose debug console timestamp enable
diagnose wad debug enable level verbose
diagnose wad debug display pid enable 

diagnose wad debug enable category all

diagnose wad filter src a.a.a.a         <----- Source IP address of the client.

diagnose wad filter dst x.x.x.x      <----- Destination IP of the website (where applicable).

diagnose debug enable
(when it ends) 

di deb dis 

diagnose debug reset 

diagnose wad filter clear 

 

The following WAD debug output shows it matching with firewall policy 1:

[I][p:2460][s:22958] wad_tcp_port_learn_session_config :443 vf_id=0 ses_ctx=0x7f6bb4872e28 policy-id=1, sec_profile=0x7f6bb4aeee78 app_type=http

The below output shows traffic is being inspected using a custom deep inspection SSL profile:


[I][p:2460][s:40836] wad_tcp_port_on_connect :2035 TCP connection 0x7f6bb5ea7438 fd=120 connected 10.9.11.101:52370->x.x.x.x:443 <----- Website IP
[I][p:2460][s:40836] wad_ssl_port_open :20820 wsp=0x7f6bb5ea7438/7 making SSL port
[V][p:2460][s:40836] wad_ssl_negotiate_make :2392 nego=0x7f6bb47c7248
[V][p:2460][s:40836] wad_ssl_port_update_cert_mode :5662 nego=0x7f6bb47c7248 ca=0x7f6bb47b2990 name=Fortinet_CA_SSL
[I][p:2460][s:40836] wad_ssl_port_open :21113 wsp=0x7f6bb11a9d88/7 SSL-port open succ type=7 port=0x7f6bb5ea7438 vd=0 svr=x.x.x.x:443: succ
[I][p:2460][s:40836] wad_ssl_port_open :20820 wsp=0x7f6bb5ea6f18/6 making SSL port
[V][p:2460][s:40836] wad_ssl_negotiate_make :2392 nego=0x7f6bb47c3bb8
[I][p:2460][s:40836] wad_ssl_port_open :21113 wsp=0x7f6bb11aa130/6 SSL-port open succ type=6 port=0x7f6bb5ea6f18 vd=0 svr=x.x.x.x:443: succ

 

The certificate that is used in the SSL inspection profile and the certificate FortiGate uses for inspection are the same.
1419
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.