Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lol
Staff
Staff

Created on ‎10-10-2024 02:14 AM Edited on ‎04-25-2025 12:42 AM By Community Manager

Article Id 348428

Troubleshooting Tip: Security Profiles bypassed and not TLS inspected in proxy based policies due to incorrect profile-protocol-options settings

Description This article describes an issue where web filter or any other security profile is not applied to TLS traffic for proxy-based policies
Scope FortiGate.
Solution

The solution is to revert the profile protocol options to the default and avoid configuring port 443 for HTTP inspection. Per default the protocol options define HTTP to be detected only on port 80:

 

config firewall profile-protocol-options
    edit "default"
        set comment "All default services."
            config HTTP
                set ports 80 <----- HTTP detected on port 80.

 

A default SSL profile is per default configured to listen on port 443 to detect TLS-encrypted traffic. Traffic on port 443 is then sent to for example the wad process for TLS decryption (deep inspection) or TLS inspection (certificate inspection).

 

The default deep inspection profile:

 

config firewall ssl-ssh-profile

    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
            config https
                set ports 443 <----- TLS expected on port 443.
                set status deep-inspection

 

The default certificate inspection profile:

 

config firewall ssl-ssh-profile

    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
            config https
                set ports 443 <----- TLS expected on port 443.
                set status certificate-inspection

 

If the protocol options are configured to treat ports 80 and 443 as HTTP, then the TLS profiles will no longer be applied. Modified protocol options that expect HTTP on port 443:

 

config firewall profile-protocol-options
    edit "HTTP_on_port_443"
        config HTTP
            set ports 80 443 <----- HTTP detected on ports 80 and 443.

 

Any traffic on port 443 will be recognized as plain text HTTP and not be sent to the sub-engines for TLS inspection. This will result in security profiles no longer working on port 443.

 

For example, when using a web filter, the configured categories will no longer be blocked but passed through without any web filter scanning. The reason here is that a web filter cannot work on TLS traffic unless it is deep or the certificate is inspected to detect the accessed host or certificate SNI.

 

 

Down below is an example of a wad debug with such a misconfiguration. Highlighted is the line that indicates that no SSL profile is being applied.

 

[I]2024-10-09 09:38:55.167272 [p:29323][s:1471577235][r:520935138] wad_dump_http_request :2621 hreq=0x7f7713730788 Received request from client: 10.19.4.33:52123

CONNECT www.test.com:443 HTTP/1.1

Host: www.test.com:443

Proxy-Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0

 

[I]2024-10-09 09:38:55.167279 [p:29323][s:1471577235][r:520935138] wad_http_str_canonicalize :2198 enc=0 path=/ len=1 changes=0
[I]2024-10-09 09:38:55.167282 [p:29323][s:1471577235][r:520935138] wad_http_req_detect_special :15156 captive_portal detected: false, preflight=(null)
[I]2024-10-09 09:38:55.167285 [p:29323][s:1471577235][r:520935138] wad_http_conn_req_classify :6044 no security profile HTTPS/HTTP, tport=443
716
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.