Article Id 348428
Description: This article describes an issue where the web filter (or any other security profile) is not applied to TLS traffic in proxy-based policies.
Scope: FortiGate.
Solution

The solution is to revert the protocol options profile to its defaults and avoid adding port 443 to the HTTP port list. By default, the protocol options expect HTTP only on port 80:

config firewall profile-protocol-options
    edit "default"
        set comment "All default services."
        config http
            set ports 80 <----- HTTP detected on port 80.
        end
    next
end

The default SSL/SSH inspection profiles are configured to expect TLS on port 443. Traffic on port 443 is therefore handed to the WAD process for TLS decryption (deep inspection) or for inspection of the server certificate only (certificate inspection).

The default deep inspection profile:

config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443 <----- TLS expected on port 443.
            set status deep-inspection
        end
    next
end

The default certificate inspection profile:

config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443 <----- TLS expected on port 443.
            set status certificate-inspection
        end
    next
end

If the protocol options are changed so that both port 80 and port 443 are treated as HTTP, the SSL/SSH profile is no longer applied to port 443. Modified protocol options that expect HTTP on port 443:

config firewall profile-protocol-options
    edit "HTTP_on_port_443"
        config http
            set ports 80 443 <----- HTTP detected on ports 80 and 443.
        end
    next
end

Any traffic on port 443 is then parsed as plaintext HTTP and is never handed to the TLS inspection sub-engines. As a result, the security profiles stop working for traffic on port 443.

For example, with a web filter in place, the configured categories are no longer blocked; the traffic passes through without any web filter scanning. The reason is that a web filter cannot act on TLS traffic unless deep inspection or certificate inspection is applied to learn the accessed host from the certificate or the TLS SNI.
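The following is an added example, not Fortinet code, that audits a FortiGate CLI configuration dump for exactly this misconfiguration: it parses the nested config/edit structure and reports every profile-protocol-options entry whose HTTP port list overlaps the HTTPS ports of an ssl-ssh-profile. The sample configuration text is constructed to mirror the snippets above.

```python
"""Flag FortiGate profile-protocol-options entries whose HTTP ports overlap
an ssl-ssh-profile's HTTPS ports (added example, not Fortinet code)."""

# Constructed CLI output in the shape the article shows (not a real dump).
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 80
        end
    next
    edit "HTTP_on_port_443"
        config http
            set ports 80 443 <----- HTTP also expected on 443
        end
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
        end
    next
end
"""


def parse_ports(config_text):
    """Map (table, entry, subsection) -> set of ports for every `set ports` line."""
    stack, ports = [], {}  # stack mirrors CLI nesting: config/edit push, end/next pop
    for raw in config_text.splitlines():
        line = raw.split("<--")[0].strip()  # drop trailing "<-----" annotations
        if line.startswith("config "):
            stack.append(line[7:].lower())  # "config HTTP" and "config http" match
        elif line.startswith("edit "):
            stack.append(line[5:].strip('"'))
        elif line in ("end", "next"):
            stack.pop()
        elif line.startswith("set ports "):
            ports[tuple(stack)] = {int(p) for p in line.split()[2:]}
    return ports


def find_conflicts(config_text):
    """Sorted (protocol_options, ssl_profile, ports) where HTTP claims a TLS port."""
    ports = parse_ports(config_text)
    http = {k[1]: v for k, v in ports.items()
            if k[0] == "firewall profile-protocol-options" and k[2] == "http"}
    https = {k[1]: v for k, v in ports.items()
             if k[0] == "firewall ssl-ssh-profile" and k[2] == "https"}
    return sorted((po, sp, sorted(http[po] & https[sp]))
                  for po in http for sp in https if http[po] & https[sp])
```

Run `find_conflicts` over the output of `show firewall profile-protocol-options` and `show firewall ssl-ssh-profile` concatenated; any reported entry is one where port 443 traffic bypasses TLS inspection.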
