Ydaew
New Contributor III

SSL Decryption

Hello, 

I'm using FortiGate to decrypt web server traffic. How can I tell from the FortiGate log itself whether the traffic is really being decrypted?

1 Solution
emnoc
Esteemed Contributor III

You can monitor the logs and look at that fwpolicyid. A sure way is to inspect the client/server hello. If you see the MiTM forced certificate in the https lock in the browser, then you know a device was in the middle. Review the following:

http://socpuppet.blogspot.com/2017/11/ssl-state-cache-msie.html

The left screenshot is a proxy doing MiTM and the right is the correct ca-chain. https://crt.sh/ is a good tool to know the proper cert issuer details btw.

e.g. (to see all certs listed for example.com):

https://crt.sh/?q=%25.example.com

Ken Felix

PCNSE 

NSE 

StrongSwan  
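As an added example (not part of the original thread): a small stdlib-only Python check that does in code what the answer suggests doing with the browser's lock icon. It pulls the leaf certificate exactly as presented on the wire and compares its issuer with the issuer crt.sh lists for the site; a mismatch means something re-signed the chain in the middle. The CA names and the certificate-shaped DER samples are constructed for the offline demo, and `fetch_leaf_der` is the live variant for a real host.

```python
import socket, ssl
OID_CN = "550403"  # id-at-commonName (2.5.4.3), as the hex of its DER-encoded OID

def der_read(buf, pos):  # one DER TLV at pos -> (tag, content, next_pos); long-form lengths handled
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # members of a SEQUENCE/SET body as (tag, content) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def name_fields(name_content):  # X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> {oid_hex: text}
    fields = {}
    for _, rdn_set in der_children(name_content):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)[:2]
            fields[oid.hex()] = value.decode("utf-8", "replace")
    return fields

def issuer_of(cert_der):  # Certificate -> tbsCertificate -> issuer Name
    _, cert, _ = der_read(cert_der, 0)
    items = der_children(der_children(cert)[0][1])
    if items[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first when present
        items = items[1:]
    return name_fields(items[2][1])  # then serialNumber, signature, issuer

def interception_verdict(cert_der, expected_issuer_cn):
    # 'ok' when the issuer CN on the wire is the one crt.sh lists for the site, else 'intercepted'
    return "ok" if issuer_of(cert_der).get(OID_CN) == expected_issuer_cn else "intercepted"

def fetch_leaf_der(host, port=443):  # live check: the leaf certificate exactly as presented on the wire
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # keep handshaking even if the re-signing CA is untrusted here
    with socket.create_connection((host, port), timeout=5) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)  # DER is returned even without validation

def tlv(tag, content):  # DER encoder for the constructed samples below; short-form length suffices
    return bytes([tag, len(content)]) + content

def fake_cert(issuer_cn):  # constructed certificate-shaped DER carrying only the fields up to issuer
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(OID_CN)) + tlv(0x0C, issuer_cn.encode()))))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + issuer
    return tlv(0x30, tlv(0x30, tbs))
```

Against a real site, `interception_verdict(fetch_leaf_der("example.com"), "<issuer CN from crt.sh>")` returns "intercepted" whenever an inspection device has swapped the issuer, which is the same signal the browser's lock icon shows.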
