Application visible also with Certificate Inspection only?

Troubleshooter_73 · ‎12-04-2019

Hi Community, a short question maybe a short answer?

I know the difference between Deep Inspection and Certificate Inspection. But I've struggled on a customers question:

How the Fortigate is able to detect a specific Application Signature (i.e. Whats App Web instead of Whats App Messaging) if I only use Certificate Inspection? The Packets are both encrypted in SSL at Port 443 and if I understand it right, Certificate Inspection only checks the CN in the Certificate? But if I use FortiView I'm able to see which Application is used by the User.

How they do that? The traffic is encrypted and the system shouldn't be able to "see", which Application Signature the packages are contains?

Thanx for any thoughts on this...

FCNSA 5, FCNSP 5, NSE 4

boneyard · ‎12-07-2019

how exactly can only Fortinet say, but i can think of some ways.

application control doesnt only check certificate CNs, but use more things like ports, IPs, ...

but even when looking at the CN it is probably different between both those two, your browser goes to web.whatsapp.com but your phone with probably go to somethingelse.whatsapp.com

there might be different servers that handle web and phones, so destination IPs can be used.

Application visible also with Certificate Inspection only?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website