Hi all,
Does anybody know if FortiGate can be configured to do this?
[ul]Today, when virtually any TLS client supports the SNI field, this would be very useful feature.
Thanks,
Vladimir.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
FortiGate should look at the SNI by default for webfiltering according to this article:
https://kb.fortinet.com/k....do?externalID=FD34661
your feature to use it in the ipv4 policy is sort of using a webfilter profile with fixed entries in my opinion. but to have it happen automatically is not something how the fortigate operates on layer 4.
the question to keep in mind is how long this be useful, SNI is close to getting encrypted, once that happens the feature becomes useless.
This should be essentially the same as the use of "[link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT]CONNECT hostname:443 HTTP/1.1[/link]" header by Explicit Proxy for HTTPS connections. The Proxy also responds to TCP handshake, then reads this header and makes decisions based on this hostname.
I'm just looking for a way to implement the same thing without using the Explicit Proxy.
A LB will do this with ease and is how multiple websites are hosted on a SLB with numerous pool members. Have you looked at the fortiweb product line? I'm sure it has that ability and probably GEOIP support for the sources. We use to do that with in F5-LTM and iRules to restrict certain websites based on src-address or geo information.
Since the fortigate has a basic SLB, I would explore the fortiweb features.
Ken Felix
PCNSE
NSE
StrongSwan
Probably my question wasn't clear enough - it's about filtering outgoing HTTPS traffic, so LB is not really applicable here.
I just found this CheckPoint paper, "URL Filtering using SNI for HTTPS websites" - it demonstrates how to achieve this, but I'd glad to do it with FortiGate.
FortiGate should look at the SNI by default for webfiltering according to this article:
https://kb.fortinet.com/k....do?externalID=FD34661
your feature to use it in the ipv4 policy is sort of using a webfilter profile with fixed entries in my opinion. but to have it happen automatically is not something how the fortigate operates on layer 4.
the question to keep in mind is how long this be useful, SNI is close to getting encrypted, once that happens the feature becomes useless.
Yes, thanks for the link to the KB, but it raises more questions than it replies to.
[ul]Is there any documentation that goes in depth on the order in which FortiGate processes all this?
Thanks,
Vladimir.
The question I guess are you doing cert or ful-cert inspection in your FGT appliance? the later would be full-decrypt and re-encrypted with your CA cert.
I believe on testing the , the certificate validation and trust worthly of the web-server is never fully intercepted. I.e how much verification is done against CRL/OCSP is very questionable if any is even being done. You can use badssl to verify a lot of this.
http://socpuppet.blogspot.com/2016/12/how-to-test-various-bad-ssl.html
( the last line of that post )
I would enable full-ssl-inspection and test the various test scenario with the fortigate and it would be clear on what it does or does not doing with regards to TLS decryption. Also you will find the earlier fortios and later version works the approx the same and with the same outcome.
Remember the SSL inspection is not a full blown proxy but does provide great prevention for webtraffic
Ken Felix
PCNSE
NSE
StrongSwan
Thank you, Ken,
So do I understand this right?
Let's say, my FortiGate doesn't limit outgoing HTTPS traffic by destination IP (connections to 0.0.0.0/0 are allowed) - but it does limit it by some Static URL Filter, allowing traffic only to some whitelist of sites. Let's say, one of them is [link=https://mail.google.com]mail.google.com[/link].
If a user on my network wishes to establish connection to some [link=https://badsite.com]badsite.com[/link], which resolves to 11.22.33.44, and if this site presents a certificate for [link=https://mail.google.com]mail.google.com[/link] (self-signed or signed by some its own CA) - then all that this user has to do is to add a record into his hosts file: 11.22.33.44 mail.google.com
FortiGate will find the matching firewall rule for destination 11.22.33.44 (which is covered by 0.0.0.0/0), then inspect SNI value (which is mail.google.com) and CN (which is also mail.google.com) and happily allow the connection. It's not possible to make it check whether mail.google.com indeed resolves to 11.22.33.44 or whether the received certificate is issued by some well-known CA (or specifically by GlobalSign, which issued certificate for real [link=https://mail.google.com]mail.google.com[/link]).
So the only way to prevent this is to use Explicit Proxy - in this case, FortiGate will perform DNS lookup by itself and select the destination IP by itself (although CA won't be checked in this case as well).
Is this correct?
Thanks, Vladimir.
Vladimir.Ostrovsky wrote:Thank you, Ken,
...
So the only way to prevent this is to use Explicit Proxy - in this case, FortiGate will perform DNS lookup by itself and select the destination IP by itself (although CA won't be checked in this case as well).
Hey,
using explicit proxy will be the only way to fully achieve what you want.
If you're staying in a transparent setup you could consider using the "Rate URLs by domain and IP Address" feature of the webfilter which would at least block access to sites if the IP based rating would tell something different to the requested host header information.
Also you will need to think about ssl-interception if your requirements should work with TLS 1.3 as well - the host header is encrypted there! Acting only passively on layer 4 will make a firewall blind!
Br,
Roman
PS: Edit Typos
Agreed
And in your example that you give with mail.google.com is exactly how we test F5 Virtual-Servers before we put them in production by change the test machine DNS record to match the site that we will migrated. Since SNI or even http_host header ( HTTP ) would match the url filter, the site is really not the real site but the traffic would be accepted and passed by the NGFW.
You need a full-blown proxy if you want to check DNS and matching AltName or CN in a certificate. And even tho, someone could hack DNS mail.google.com ( just as an example ) and forge DNS replies to a rouge hacker mail.google.com, your proxy would probably not prevent the webbrowser connection unless they look at the CAA dns resource record or had specific certificate-details cached to know the imposter site is NOT mail.google.com ( i.e cert issuer, exp-data,serial# or fingeprint,etc.......). This was why cert-pinning was developed.
BTW: On the CN ( common name ) almost nobody cares of what the CN value is present AND if the Subject if an AlternateName field is present. Almost every web-browser down to mobile devices looks at altName if present and ignores the CN. My understanding on PKI and certificates, the CN never intended to be use for the site hostname , but just some how it was used for this. Almost all sites nowadays seem to use a altName field. Even if it's not a real multiple altName SAN.
i.e ( all of the these are multiple AltNames )
bankofamerica
ebay
paypal
googles various sites
cnn
Even a single site that has a certificate issued is typically still using a altName field
i.e
www.yourdomainsite.com
Alternative Name: DNS:www.yourdomainsite.comsubject: /C=US/ST=Texas/L=Austin/O=mycompany/OU=webshost/CN="businesss unit 1234567 " I wrote a blog post showing what happens & with a few browsers and how the CN fields is igonre, when using altName. http://socpuppet.blogspot.com/2017/11/cn-and-subject-alternative-names-in.html So don't worry about CN when the certificate has the altName field. The RFC was revised to include this also explain the altname RFC5280. On a side note, I signed a CSR where the CN was not even presented in a SANS certificate request. Most CA will not do this btw, they always check for a CN value, but the value could be anything. This also leads to false positive on vulnerability testers. Especially when they find CN values that are not resolvable in DNS and with a Subject AltName is present. i.e CN="*.example.com" altName=www.example.com,example.com Looks good , right ? But that's not resolvable. Just food for thought. Just ignore the CN value & if Subject AltName is being used ;) Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.