Support Forum
Vladimir_Ostrovsky
New Contributor

Firewall decisions based on SNI field?

Hi all,

 

Does anybody know if FortiGate can be configured to do this?

  • When a client opens a TCP connection to a predefined port (typically HTTPS), respond to the TCP handshake on behalf of the server.
  • Accept the "Client Hello" TLS message from the client.
  • Read the server's hostname specified in the SNI field of the "Client Hello".
  • Check the hostname against the "destination" of the firewall policies - maybe by performing its own DNS resolution to see if the IP falls into allowed ranges, or maybe by textual comparison if the destination is set as some regexp object?
  • Make an Allow/Block decision based on the result?

    Today, when virtually any TLS client supports the SNI field, this would be a very useful feature.

     

    Thanks,

    Vladimir.

    1 Solution
    boneyard

    FortiGate should look at the SNI by default for webfiltering according to this article:

     

    https://kb.fortinet.com/k....do?externalID=FD34661

     

    Your feature to use it in the IPv4 policy is, in my opinion, sort of using a webfilter profile with fixed entries. But to have it happen automatically is not how the FortiGate operates on layer 4.

     

    The question to keep in mind is how long this will be useful: SNI is close to getting encrypted, and once that happens the feature becomes useless.


    14 REPLIES
    Vladimir_Ostrovsky

    romanr, emnoc - thank you, gentlemen. :)

     

    I just ran a small proof-of-concept: defined a Static URL Filter that allows traffic to a single site only, testsite.com, and blocks all others. Then associated it with a firewall policy which, on the contrary, allows traffic to ALL:

    config webfilter urlfilter
        edit 1
            set name Test_Static_URL_Filter
            config entries
                edit 1
                    set url testsite.com
                    set action allow
                next
                edit 2
                    set url *
                    set type wildcard
                    set action block
                next
            end
        next
    end

    config firewall policy
        edit 0
            set name Clients_to_Static_URLs
            set srcintf Clients_zone
            set dstintf Internet_zone
            set srcaddr Clients
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
            set utm-status enable
            set webfilter-profile Test_Static_URL_Filter
            set ssl-ssh-profile certificate-inspection
        next
    end

     

    Verified that this works. Then I redefined the IP address of testsite.com on the client machine by adding this line to its hosts file:

    11.22.33.44    testsite.com

     

    As long as the client connects to 11.22.33.44 with SNI "testsite.com" (or no SNI at all), and this server responds with a certificate that has "testsite.com" in CN/SAN fields, the connection will succeed - because FortiGate doesn't check whether testsite.com indeed resolves to this IP.

     

    So this can be used to circumvent FortiGate limitations. Let's say I'm on a network whose admin allows access to particular categories of sites only, such as banking. If I have an OpenVPN server outside which can present a certificate with the name of a bank, and if I can edit my hosts file, I can establish an outgoing VPN connection from this network.

     

    Regards,

    Vladimir.
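Added example in Python (not FortiGate code and not from any poster in this thread): it implements the steps listed in the original question - parse the ClientHello, read the SNI host_name, make an allow/block decision - and then adds the cross-check that the proof-of-concept above shows FortiGate does not perform, namely that the SNI name must resolve, in the firewall's own DNS view, to the IP the client actually connected to. `build_client_hello`, `ALLOWED_HOSTS` and `RESOLVER_VIEW` are constructed inputs; 203.0.113.10 is a documentation address standing in for the real testsite.com, and 11.22.33.44 is the hosts-file override from the post.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16           # record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type
EXT_SERVER_NAME = 0x0000       # server_name extension (RFC 6066)
SNI_HOST_NAME = 0x00           # name_type: host_name


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros; constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record,
    None if the client sent no SNI; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32  # skip client_version and random

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(take(1)[0])                       # session_id
    take(struct.unpack("!H", take(2))[0])  # cipher_suites
    take(take(1)[0])                       # compression_methods
    if pos == len(body):
        return None                        # no extensions block at all
    ext_end = pos + struct.unpack("!H", take(2))[0]
    if ext_end > len(body):
        raise ValueError("extensions length overruns message")
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        data = take(ext_len)
        if ext_type != EXT_SERVER_NAME:
            continue
        if len(data) < 2 or 2 + struct.unpack("!H", data[:2])[0] > len(data):
            raise ValueError("malformed server_name list")
        p, end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while p + 3 <= end:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if len(name) != name_len:
                raise ValueError("truncated server_name entry")
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


# Constructed policy state: the allow list and the firewall's own DNS view.
ALLOWED_HOSTS = {"testsite.com"}
RESOLVER_VIEW = {"testsite.com": {"203.0.113.10"}}


def policy_decision(record: bytes, dst_ip: str) -> tuple:
    """Allow/block verdict for a ClientHello bound for dst_ip, plus the reason.
    The last check is what closes the hosts-file trick from the thread: the SNI
    name must resolve, in the firewall's own view, to the address the client chose."""
    try:
        host = extract_sni(record)
    except ValueError as exc:
        return "block", f"malformed ClientHello: {exc}"
    if host is None:
        return "block", "no SNI present, cannot match a hostname policy"
    if host not in ALLOWED_HOSTS:
        return "block", f"{host} is not an allowed destination"
    if dst_ip not in RESOLVER_VIEW.get(host, set()):
        return "block", f"{host} does not resolve to {dst_ip} (SNI/IP mismatch)"
    return "allow", f"{host} resolves to {dst_ip}"


if __name__ == "__main__":
    for host, ip in [("testsite.com", "203.0.113.10"), ("testsite.com", "11.22.33.44"),
                     ("other.example", "203.0.113.10"), (None, "203.0.113.10")]:
        print(host, ip, policy_decision(build_client_hello(host), ip))
```

Run as a script it prints the four verdicts; the second case (allowed name, hosts-file address) is the one that passes a plain URL filter and is blocked only by the resolver cross-check. Truncated or non-ClientHello records are treated as block rather than as "no SNI", so a malformed handshake cannot slip past the hostname policy.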

    localhost

    This is an interesting case.

    Could you give this a try?

     

    Enable Full SSL inspection on the profile. Block untrusted certificates and exempt all web categories from SSL inspection.

    Since your certificate is not signed by a trusted CA, it should be blocked by the FortiGate.

     

    I wonder if this blocks your bypass attempt and at the same time allows access to other sites and services without doing any deep SSL inspection.

     

    config firewall ssl-ssh-profile
        edit "test123"
            config ssl
                set inspect-all deep-inspection
                set untrusted-cert block
            end
            config https
            end
            config ftps
            end
            config imaps
            end
            config pop3s
            end
            config smtps
            end
            config ssh
                set ports 22
                set status disable
            end
            config ssl-exempt
                edit 1
                    set fortiguard-category 7
                next
                edit 2
                    set fortiguard-category 17
                next
                edit 3
                    set fortiguard-category 9
                next
                edit 4
                    set fortiguard-category 64
                next
                edit 5
                    set fortiguard-category 2
                next
                edit 6
                    set fortiguard-category 53
                next
                edit 7
                    set fortiguard-category 29
                next
                edit 8
                    set fortiguard-category 89
                next
                edit 9
                    set fortiguard-category 18
                next
                edit 10
                    set fortiguard-category 49
                next
                edit 11
                    set fortiguard-category 92
                next
                edit 12
                    set fortiguard-category 83
                next
                edit 13
                    set fortiguard-category 77
                next
                edit 14
                    set fortiguard-category 82
                next
                edit 15
                    set fortiguard-category 15
                next
                edit 16
                    set fortiguard-category 71
                next
                edit 17
                    set fortiguard-category 5
                next
                edit 18
                    set fortiguard-category 85
                next
                edit 19
                    set fortiguard-category 1
                next
                edit 20
                    set fortiguard-category 54
                next
                edit 21
                    set fortiguard-category 88
                next
                edit 22
                    set fortiguard-category 30
                next
                edit 23
                    set fortiguard-category 28
                next
                edit 24
                    set fortiguard-category 6
                next
                edit 25
                    set fortiguard-category 12
                next
                edit 26
                    set fortiguard-category 24
                next
                edit 27
                    set fortiguard-category 31
                next
                edit 28
                    set fortiguard-category 58
                next
                edit 29
                    set fortiguard-category 19
                next
                edit 30
                    set fortiguard-category 11
                next
                edit 31
                    set fortiguard-category 20
                next
                edit 32
                    set fortiguard-category 43
                next
                edit 33
                    set fortiguard-category 40
                next
                edit 34
                    set fortiguard-category 51
                next
                edit 35
                    set fortiguard-category 3
                next
                edit 36
                    set fortiguard-category 33
                next
                edit 37
                    set fortiguard-category 4
                next
                edit 38
                    set fortiguard-category 50
                next
                edit 39
                    set fortiguard-category 52
                next
                edit 40
                    set fortiguard-category 69
                next
                edit 41
                    set fortiguard-category 75
                next
                edit 42
                    set fortiguard-category 76
                next
                edit 43
                    set fortiguard-category 34
                next
                edit 44
                    set fortiguard-category 66
                next
                edit 45
                    set fortiguard-category 26
                next
                edit 46
                    set fortiguard-category 57
                next
                edit 47
                    set fortiguard-category 55
                next
                edit 48
                    set fortiguard-category 35
                next
                edit 49
                    set fortiguard-category 90
                next
                edit 50
                    set fortiguard-category 91
                next
                edit 51
                    set fortiguard-category 36
                next
                edit 52
                    set fortiguard-category 70
                next
                edit 53
                    set fortiguard-category 13
                next
                edit 54
                    set fortiguard-category 95
                next
                edit 55
                    set fortiguard-category 8
                next
                edit 56
                    set fortiguard-category 72
                next
                edit 57
                    set fortiguard-category 87
                next
                edit 58
                    set fortiguard-category 48
                next
                edit 59
                    set fortiguard-category 80
                next
                edit 60
                    set fortiguard-category 61
                next
                edit 61
                    set fortiguard-category 62
                next
                edit 62
                    set fortiguard-category 38
                next
                edit 63
                    set fortiguard-category 14
                next
                edit 64
                    set fortiguard-category 59
                next
                edit 65
                    set fortiguard-category 78
                next
                edit 66
                    set fortiguard-category 39
                next
                edit 67
                    set fortiguard-category 93
                next
                edit 68
                    set fortiguard-category 79
                next
                edit 69
                    set fortiguard-category 41
                next
                edit 70
                    set fortiguard-category 81
                next
                edit 71
                    set fortiguard-category 63
                next
                edit 72
                    set fortiguard-category 42
                next
                edit 73
                    set fortiguard-category 37
                next
                edit 74
                    set fortiguard-category 44
                next
                edit 75
                    set fortiguard-category 86
                next
                edit 76
                    set fortiguard-category 46
                next
                edit 77
                    set fortiguard-category 67
                next
                edit 78
                    set fortiguard-category 25
                next
                edit 79
                    set fortiguard-category 65
                next
                edit 80
                    set fortiguard-category 47
                next
                edit 81
                    set fortiguard-category 16
                next
                edit 82
                    set fortiguard-category 94
                next
                edit 83
                    set fortiguard-category 68
                next
                edit 84
                    set fortiguard-category 56
                next
                edit 85
                    set fortiguard-category 84
                next
                edit 86
                    set fortiguard-category 23
                next
            end
        next
    end

     

    emnoc
    Esteemed Contributor III

    That might work if the cert is untrusted, if that is the case. It would not help if I go out and build a cert for www.gmail.com from a trusted CA though.

     

    Ken Felix

    PCNSE NSE StrongSwan
    Vladimir_Ostrovsky

    localhost, thanks - the "set untrusted-cert block" command in fact can prevent a scenario like the one I described above, but only if deep inspection is enabled.

    In fact, this command becomes available in the CLI only in conjunction with "set inspect-all deep-inspection" (or "set status deep-inspection" under "config https").

     

    emnoc, if you can get a Gmail cert from a trusted CA, then we have a problem much bigger than the one above. :)

     

    emnoc
    Esteemed Contributor III

     emnoc, if you can get a Gmail cert from a trusted CA, then we have a problem much bigger than the one above. :)

     

    Google uses CAA records for controlling and preventing that, but 99% of other HTTPS websites do not. So in reality, if I submit a CSR for www.paypal.com to a CA that signs it, install it on my fake www.paypal.com and intercept your DNS, I could send you to the fake www.paypal.com and you would not be any the wiser.

     

    Also keep in mind, MITM inspection devices are doing this certificate forging, so in reality you have no clue if the site you are accessing is the real www.<insert_host_name_here>.com

     

    As long as the cert was issued by a trusted CA installed in your OS/web browser, you would trust the site. This is why the words "HTTPS and security" do not mean the site is really secured.

     

    Just something to think about. Please google "DNSpionage" to get an idea of what and who has done this in the past. In a lot of these attempts and attacks, the site was intercepted and traffic diverted from the real sites.

     

    So unless you have an "EV" cert or you know the website's real certificate by hash/fingerprint/serial number and compare that with the response of the webserver, you would have no clue if the site is really who they say they are.

     

    btw: I did just this with a common airport internet provider back in the early 2000s; can't go into details and do not want to self-incriminate (statute of limitations), but it was rather easy to post a fake site to collect a user login attempt ;). Again, the web clients (phones, laptops) in the airport trying to use the free internet gave me their username and password, which I collected in a simple file. I did this as a PoC by standing up a fake WAP and a faked website page that was copied from the real captive portal site. Granted, today things are much better designed.

     

    So next time you see one of these, be advised ;)

     

     

    Ken Felix

    PCNSE NSE StrongSwan