tpatel (Staff)
Article Id 366806
Description This article describes how to verify that traffic is being inspected by FortiGate when the firewall policy is set to proxy-based inspection with a deep-inspection SSL profile.
Scope FortiGate.
Solution

Firewall policy configuration:


config firewall policy
    edit 1
        set name "test"
        set uuid 722b1d36-c2d3-51ef-d488-227b3bda61d1
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set webfilter-profile "default"
        set nat enable
    next
end

SSL inspection profile configuration:

[Screenshot: SSL inspection profile configuration (Capture17.PNG)]

The CA certificate used in the custom deep inspection profile is installed on the user's PC as a trusted root certificate authority, so the browser trusts the server certificates that FortiGate re-signs with it.

To test, browse to the website example.com from the user's PC.

Use the following commands to run a WAD debug on FortiGate, filtering on the user's source IP address:


diag wad filter src <user-ip-address>
diag wad debug enable category all
diag wad debug enable level verbose
diag debug enable

The following WAD debug output shows the session matching firewall policy 1 (policy-id=1):

[I][p:2460][s:22958] wad_tcp_port_learn_session_config :443 vf_id=0 ses_ctx=0x7f6bb4872e28 policy-id=1, sec_profile=0x7f6bb4aeee78 app_type=http


The output below shows the traffic being inspected with the custom deep inspection SSL profile; the wad_ssl_port_update_cert_mode line names the CA that FortiGate uses to re-sign the server certificate:


[I][p:2460][s:40836] wad_tcp_port_on_connect :2035 TCP connection 0x7f6bb5ea7438 fd=120 connected 10.9.11.101:52370->x.x.x.x:443 <----- Website IP
[I][p:2460][s:40836] wad_ssl_port_open :20820 wsp=0x7f6bb5ea7438/7 making SSL port
[V][p:2460][s:40836] wad_ssl_negotiate_make :2392 nego=0x7f6bb47c7248
[V][p:2460][s:40836] wad_ssl_port_update_cert_mode :5662 nego=0x7f6bb47c7248 ca=0x7f6bb47b2990 name=Fortinet_CA_SSL
[I][p:2460][s:40836] wad_ssl_port_open :21113 wsp=0x7f6bb11a9d88/7 SSL-port open succ type=7 port=0x7f6bb5ea7438 vd=0 svr=x.x.x.x:443: succ
[I][p:2460][s:40836] wad_ssl_port_open :20820 wsp=0x7f6bb5ea6f18/6 making SSL port
[V][p:2460][s:40836] wad_ssl_negotiate_make :2392 nego=0x7f6bb47c3bb8
[I][p:2460][s:40836] wad_ssl_port_open :21113 wsp=0x7f6bb11aa130/6 SSL-port open succ type=6 port=0x7f6bb5ea6f18 vd=0 svr=x.x.x.x:443: succ

The CA named in the wad_ssl_port_update_cert_mode line (name=Fortinet_CA_SSL) is the CA certificate configured in the SSL inspection profile, which confirms that FortiGate is inspecting the traffic with that profile.
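When a WAD debug produces many lines, the two checks above (a session matched the expected policy-id, and an SSL port was opened after re-signing with the profile's CA) can be automated. The parser below is an added example, not part of the original article; the sample input is constructed from the debug lines shown above, and the policy id and CA name to expect are passed in by the caller.

```python
import re
from collections import defaultdict

# WAD debug lines constructed from the output shown in this article (not a live capture).
SAMPLE_WAD_DEBUG = """\
[I][p:2460][s:22958] wad_tcp_port_learn_session_config :443 vf_id=0 ses_ctx=0x7f6bb4872e28 policy-id=1, sec_profile=0x7f6bb4aeee78 app_type=http
[I][p:2460][s:40836] wad_tcp_port_on_connect :2035 TCP connection 0x7f6bb5ea7438 fd=120 connected 10.9.11.101:52370->x.x.x.x:443
[I][p:2460][s:40836] wad_ssl_port_open :20820 wsp=0x7f6bb5ea7438/7 making SSL port
[V][p:2460][s:40836] wad_ssl_negotiate_make :2392 nego=0x7f6bb47c7248
[V][p:2460][s:40836] wad_ssl_port_update_cert_mode :5662 nego=0x7f6bb47c7248 ca=0x7f6bb47b2990 name=Fortinet_CA_SSL
[I][p:2460][s:40836] wad_ssl_port_open :21113 wsp=0x7f6bb11a9d88/7 SSL-port open succ type=7 port=0x7f6bb5ea7438 vd=0 svr=x.x.x.x:443: succ
[I][p:2460][s:40836] wad_ssl_port_open :21113 wsp=0x7f6bb11aa130/6 SSL-port open succ type=6 port=0x7f6bb5ea6f18 vd=0 svr=x.x.x.x:443: succ
"""

SESSION_RE = re.compile(r"\[s:(\d+)\]")
POLICY_RE = re.compile(r"wad_tcp_port_learn_session_config .*policy-id=(\d+)")
CA_RE = re.compile(r"wad_ssl_port_update_cert_mode .*name=(\S+)")
SSL_OK_RE = re.compile(r"wad_ssl_port_open .*SSL-port open succ .*svr=(\S+):(\d+):")


def parse_wad_debug(text):
    """Group the evidence per WAD session id: matched policy, re-signing CA, SSL ports opened."""
    sessions = defaultdict(lambda: {"policy": None, "ca": None, "ssl_servers": []})
    for line in text.splitlines():
        sid = SESSION_RE.search(line)
        if not sid:
            continue  # not a per-session WAD line
        ev = sessions[sid.group(1)]
        if m := POLICY_RE.search(line):
            ev["policy"] = int(m.group(1))
        elif m := CA_RE.search(line):
            ev["ca"] = m.group(1)
        elif m := SSL_OK_RE.search(line):
            ev["ssl_servers"].append((m.group(1), int(m.group(2))))  # one entry per SSL port opened
    return dict(sessions)


def verify_deep_inspection(text, expected_policy, expected_ca):
    """Return (ok, reasons): ok when a session hit the policy and a session opened SSL ports using the profile's CA."""
    sessions = parse_wad_debug(text)
    reasons = []
    if not any(ev["policy"] == expected_policy for ev in sessions.values()):
        reasons.append(f"no session matched policy-id={expected_policy}")
    if not any(ev["ca"] == expected_ca and ev["ssl_servers"] for ev in sessions.values()):
        seen = sorted({ev["ca"] for ev in sessions.values() if ev["ca"]})
        reasons.append(f"no SSL port opened with CA {expected_ca!r}; CAs seen: {seen}")
    return (not reasons, reasons)
```

A CA name other than the one configured in the profile (or no wad_ssl_port_update_cert_mode line at all) means the flow was not re-signed by that profile, which is the case to investigate.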