Description | This article describes an issue where the web filter or any other security profile is not applied to TLS traffic in proxy-based policies. |
Scope | FortiGate. |
Solution |
The solution is to revert the profile protocol options to the default and avoid configuring port 443 for HTTP inspection. By default, the protocol options define HTTP to be detected only on port 80:
config firewall profile-protocol-options
The default SSL/SSH profiles are configured to listen on port 443 to detect TLS-encrypted traffic. Traffic on port 443 is then handed to, for example, the wad process for TLS decryption (deep inspection) or for TLS inspection without decryption (certificate inspection).
The default deep inspection profile:
config firewall ssl-ssh-profile
edit "deep-inspection"
The default certificate inspection profile:
config firewall ssl-ssh-profile
edit "certificate-inspection"
If the protocol options are configured to treat both port 80 and port 443 as HTTP, the TLS profiles will no longer be applied. Modified protocol options that expect HTTP on port 443:
config firewall profile-protocol-options
Any traffic on port 443 will be recognized as plain-text HTTP and will not be sent to the sub-engines for TLS inspection. As a result, security profiles no longer work on port 443.
For example, when using a web filter, the configured categories will no longer be blocked but passed through without any web filter scanning. The reason is that a web filter cannot act on TLS traffic unless deep inspection or certificate inspection is applied, since that is what reveals the accessed host through the certificate or the SNI. |
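The check described above, written as an added Python example that is not part of this article and not a Fortinet tool: it parses a FortiOS CLI configuration dump (the sample below is constructed for this example and follows the standard config/edit/set/next/end structure) and flags every profile-protocol-options entry whose HTTP section lists port 443, which is the condition under which the SSL/SSH profile stops being applied on that port. The parser is generic, so the same tree can be used to confirm that the SSL/SSH profiles still carry 443 under their https section.

```python
import shlex
from typing import Dict, List

# Constructed sample of a FortiOS configuration dump for this example.
# "default" keeps the factory setting (HTTP on port 80 only);
# "custom-443-as-http" is the misconfiguration the article describes.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 80
            set status enable
        end
    next
    edit "custom-443-as-http"
        config http
            set ports 80 443
            set status enable
        end
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Parse FortiOS CLI text into nested dicts.

    'config X' and 'edit "name"' each open a nested dict keyed by X or name;
    'set key v1 v2' stores the value list; 'next' and 'end' close the
    innermost open scope. Comments and blank lines are ignored.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted entry names
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif keyword == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def http_profiles_inspecting_443(text: str) -> List[str]:
    """Return names of profile-protocol-options entries that treat 443 as HTTP.

    Any entry listed here will cause port-443 traffic to bypass the TLS
    sub-engines, so web filter and other profiles silently stop working.
    """
    cfg = parse_fortios(text)
    table = cfg.get("firewall profile-protocol-options", {})
    flagged = []
    for name, profile in table.items():
        ports = profile.get("http", {}).get("ports", [])
        if "443" in ports:
            flagged.append(name)
    return flagged


def ssl_profiles_listening_on_443(text: str) -> List[str]:
    """Return names of ssl-ssh-profile entries whose https section has port 443."""
    cfg = parse_fortios(text)
    table = cfg.get("firewall ssl-ssh-profile", {})
    return [name for name, prof in table.items()
            if "443" in prof.get("https", {}).get("ports", [])]


if __name__ == "__main__":
    bad = http_profiles_inspecting_443(SAMPLE_CONFIG)
    for name in bad:
        print(f"profile-protocol-options '{name}' maps port 443 to HTTP; "
              f"revert to 'set ports 80' so the SSL/SSH profile applies")
    print("ssl-ssh-profiles on 443:", ssl_profiles_listening_on_443(SAMPLE_CONFIG))
```

Run it against a real backup by replacing SAMPLE_CONFIG with the contents of the exported configuration file; any name printed by the first function is a profile that should be reverted to the default HTTP port list.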