Hello,
Is it possible to monitor Tor traffic using Fortinet products such as FortiGate? For example, is it possible to find out which website a user goes to through Tor?
Thank you.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Please check https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-and-monitoring-Tor-traffic/ta-p/1...
@hack3rcon
When you enable tor sensors to monitor traffic, Tor connection will not work. It will be blocked by Fortigate because of Deep inspection.
Tor browser seem to not accept fortigate deep inspection certificate, thus not creating a connection to Tor network. But in this case you will be able to see which site or IP it tries to connect.
Created on 11-02-2023 06:07 AM Edited on 11-02-2023 06:10 AM
Hello,
Thank you so much for your reply.
You said "But in this case you will be able to see which site or IP it tries to connect.", so, I can see that the client runs the Tor on the network and what sites it visits through the Tor. Am I right?
You will see the IP that Tor browser will try to create first connection.
When you open Tor browser, it tries to connect to Onion network, and starts to establish a connection.
Now Fortigate needs deep inspection enabled otherwise it wont recognize application used and sites visited.
Deep inspection requires usage of FortiGate certificate. Tor browser does not accept that, thus causing connection to not establish.
In Forward logs you will be able to see first IP that is supposed to give access to onion net. But since Tor is not able to connect to onion net, then no websites are browsed and nothing is shown in fortigate.
Hope this explanation is clear
Created on 11-02-2023 10:04 AM Edited on 11-02-2023 10:05 AM
Hello,
Thank you so much again for your reply.
Your answer raised other questions for me:
1- You said "Deep inspection requires usage of FortiGate certificate.", so, the FortiGate can only see the IP address of the Tor entry node. Can we conclude that the FortiGate either blocks the Tor or allows it to pass through?
2- Regarding the FortiGate certificate, is this the certificate that the FortiGate injects into the network traffic? For example, something similar to a certificate in web browsers.
3- If the deep inspection enabled, then can FortiGate see the usernames and passwords that are entered on websites such as Yahoo! And Gmail?
@hack3rcon
Let's put it this way.
1. You are using a normal browser to navigate to internet. Use a policy with deep inspection in Fortigate.
Fortigate will use it's certificate to decrypt all traffic, scan make decisions based on the findings, encrypt and send it to server side. For client to accept this connection and not think for a MIDM, it needs to have Fortigate certificate installed. This is because client will see fortigate as server side.
Fortigate in this case will create 2 sessions, Client - Fortigate and Fortigate -Server.
On normal browser, you can install fortigate certificate as trusted root authority and creating ssl/tls sessions.
On tor browser, as far as i know, it is difficult to install certificates. This means that Fortigate will allow or deny traffic based on policy configuration, but Tor browser will not trust fortigate, resulting in session not being created.
2. You are right, this is the certificate used to be injected into network traffic
3. In deep inspection traffic is decrypted, so normally you can see usernames and passwords, but there is no way to extract that information, because decryption happens in hardware level and there is not possible for user to view traffic passing through, unless you configure some port mirroring for decrypted traffic as described in this link:
Technical Tip: Mirroring SSL inspected traffic - Fortinet Community
Regards,
Created on 11-03-2023 01:03 PM Edited on 11-03-2023 01:10 PM
Hello,
Thanks again.
Consider a company that uses FortiGate and FortiWeb devices:
1- How can the company install this certificate? Do they have to install it on the users web browser?
2- How can you determine if the administrator of these devices has activated deep inspection or not?
3- If deep inspection is not enabled, and I log into Yahoo! Or Gmail, the device administrator can't find my email password, but can he\she see my email name? For example, he\she notice that my Yahoo! email is example@yahoo.com.
1. Yes, they have to install it on users web browser
2. If you are not administrator of those devices, it is out of this community scope to give instructions on how to find what type of services has admin activated. ;)
3. If deep inspection is not activated, your web browsing data is not visible (including emails and passwords)
Regards,
Created on 11-04-2023 11:12 AM Edited on 11-04-2023 11:13 AM
Hello,
Thanks again for your reply.
1- Is the certificate installation process done automatically without the user's permission?
2- How can I find out if the certificate is installed or not? For example, the certificate of this community was issued by DigiCert Inc. If the certificate is installed, then should I see something like Fortinet instead DigiCert Inc?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.