FortiGate
fwilliams
Staff
Article Id 290865
Description

This article describes how to stop an internal server's private IP address from being exposed on the Internet through a VIP object, by way of the certificate the FortiGate presents on the VIP's public address.

Scope

FortiOS.
Solution

This typically happens when an application server on the internal network must serve users on the Internet. Its private IP address is mapped to a public IP address with a VIP object, and the TLS certificate that Internet clients receive on that public address can then contain the private IP address.

 

Conditions under which this can happen:

 

  1. The firewall policy that permits traffic from the Internet to the internal application server uses the 'proxy' inspection mode with an SSL/SSH inspection profile. It does not matter whether that profile is 'certificate-inspection', 'deep-inspection' or 'custom-deep-inspection': in each case the internal private IP address may appear under 'Certificate Subject Alternative Name' of the certificate presented to the client.
  2. The SSL/SSH inspection profile uses the default certificate.

 

How to check if the internal IP address is visible on the Internet:

 

The internal IP address can be seen in Censys Search, which means anyone scanning the public address can see it too.

 

Go to https://search.censys.io/ and search for the public IP address (the external IP in the VIP configuration on the FortiGate). Under the service entry for the VIP's port ('HTTP 8015/TCP' in this example), open TLS > Certificate and check whether the internal private IP address is listed.

 (Screenshot: ip2.JPG)

 

Alternatively, open https://x.x.x.x:8015 in a browser (where x.x.x.x is the public IP address and 8015 is the VIP's port), view the certificate details and check whether 'Certificate Subject Alternative Name' lists the private IP.

 (Screenshot: ip1.JPG)
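The same check can be scripted so it can be repeated after each fix step. The following is an added example and not part of the original article or of any Fortinet tooling: it fetches the leaf certificate presented on the public IP and port, walks the DER encoding to the Subject Alternative Name extension, and flags any private (RFC 1918 or IPv6 ULA) address. The host, port and SNI are command-line arguments; when none are given it runs against a constructed stand-in certificate (`sample_cert_der`, an assumption used only so the script runs offline) that contains a SAN with `vip.example.com` and `10.0.0.5`. Standard library only, so it runs wherever Python 3 is available.

```python
import ipaddress
import socket
import ssl
import sys

SAN_OID = bytes.fromhex("551d11")   # 2.5.29.17, id-ce-subjectAltName


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value


def san_entries(der):
    """Return the SAN of a DER certificate as (kind, value) tuples; only dNSName and iPAddress are reported."""
    _, cert, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    for tag, wrapper in _children(tbs):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        _, exts, _ = _tlv(wrapper, 0)          # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))      # OID, [critical BOOLEAN], OCTET STRING
            if fields[0][1] != SAN_OID:
                continue
            _, names, _ = _tlv(fields[-1][1], 0)   # GeneralNames ::= SEQUENCE
            out = []
            for ntag, nval in _children(names):
                if ntag == 0x82:               # [2] dNSName, IA5String
                    out.append(("DNS", nval.decode("ascii")))
                elif ntag == 0x87:             # [7] iPAddress, 4 or 16 raw bytes
                    out.append(("IP", str(ipaddress.ip_address(nval))))
            return out
    return []


def private_ips(entries):
    """SAN IP addresses that should never be visible from the Internet."""
    return [v for k, v in entries if k == "IP" and ipaddress.ip_address(v).is_private]


def fetch_cert_der(host, port, sni=None):
    """Fetch the leaf certificate presented on host:port, exactly as a scanner or browser sees it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # verification is off on purpose: we only inspect
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, value):
    """Encode one DER TLV; used only to build the constructed sample below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def sample_cert_der(ips=("10.0.0.5",), dns=("vip.example.com",)):
    """Constructed stand-in for a leaked certificate (assumption, not a real FortiGate certificate).
    Only version, serial and the SAN extension are present; the walker never reads the other fields."""
    names = b"".join(_der(0x82, d.encode("ascii")) for d in dns)
    names += b"".join(_der(0x87, ipaddress.ip_address(ip).packed) for ip in ips)
    san = _der(0x30, _der(0x06, SAN_OID) + _der(0x04, _der(0x30, names)))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0xA3, _der(0x30, san))
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    # usage: python3 vip_san_check.py <public-ip> <port> [sni]; with no arguments the sample is used
    if len(sys.argv) >= 3:
        der = fetch_cert_der(sys.argv[1], int(sys.argv[2]), sys.argv[3] if len(sys.argv) > 3 else None)
    else:
        der = sample_cert_der()
    entries = san_entries(der)
    for kind, value in entries:
        print(f"SAN {kind}: {value}")
    leaked = private_ips(entries)
    if leaked:
        print("private address exposed in SAN:", ", ".join(leaked))
    else:
        print("no private address in SAN")
    sys.exit(1 if leaked else 0)
```

Run it against the VIP's public IP and port before and after each fix step; a non-zero exit status means a private address is still in the SAN. Pass the hostname as the third argument when the VIP serves several names by SNI, since the certificate returned can differ per name.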

 

 

How to fix:

 

  1. Select the 'custom-deep-inspection' SSL/SSH inspection profile in the firewall policy that governs this traffic (it is the only built-in profile that is editable by default) and disable the server certificate SNI check:

 

config firewall ssl-ssh-profile
    edit "custom-deep-inspection" <- SSL/SSH inspection profile.
        config https
            set sni-server-cert-check disable <- Disable.
        end
    next
end

 

  2. If step 1 did not fix it, replace the default certificate in the SSL/SSH inspection profile with a custom certificate purchased from or issued by a known (publicly trusted) certificate authority, then repeat the check above to confirm the private IP is no longer listed.