Hello.
Two questions:
1) Does FortiProxy Eval (VM) allow SSL interception? I tried (enabled deep inspection for a policy item) but nothing happens: I just see the original certs being used when browsing through the proxy.
2) I would like to know if HTTPS proxy scheme is available with FPX.
(see https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/proxy.md#HTTPS-proxy-scheme)
The reason is I would like to have the browser-proxy connection encrypted.
When I connect to fpx:8080 using TLS, it answers using TLS but does not transmit any certificate...
openssl s_client -connect fpx.example.com:8080
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
Thanks.
UPDATE: Hmm. It's responding the same on (mgmt) port 443...
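As an added example (not part of the original post or Fortinet's own tooling), the following Python script automates the diagnostic the `openssl s_client` run above performs by hand: it tells apart "nothing listening", "TCP accepted but the server closes the handshake without ever sending a certificate" (the symptom shown above, 0 bytes read), and a normal handshake that returns a server certificate. The host name `fpx.example.com` and port `8080` are placeholders taken from the post; the `SAMPLE_*` strings are constructed test inputs, one of them being the output quoted above.

```python
"""Probe a TLS listener and classify what it does during the handshake.

Added example for this thread, not code from the original post. The live
probe needs network access; classify_s_client() works on captured text.
"""
import hashlib
import re
import socket
import ssl
from typing import Dict

# Constructed sample: the s_client output quoted in the post (server answered
# on TCP but the handshake read 0 bytes, so no certificate came back).
SAMPLE_NO_CERT = """CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
"""

# Constructed sample of a healthy handshake (certificate body abbreviated).
SAMPLE_WITH_CERT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = fpx.example.com
   i:CN = Example Lab CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
subject=CN = fpx.example.com
issuer=CN = Example Lab CA
---
SSL handshake has read 1432 bytes and written 402 bytes
"""


def classify_s_client(output: str) -> str:
    """Classify captured `openssl s_client` output.

    Returns one of:
      "cert_received"         - a server certificate was printed
      "no_cert_server_silent" - no certificate and 0 bytes read: the server
                                accepted TCP but sent nothing at the TLS layer
      "no_cert_alert"         - no certificate but some bytes read (e.g. an
                                alert or a non-TLS banner came back)
      "unknown"               - none of the expected markers present
    """
    if "-----BEGIN CERTIFICATE-----" in output or re.search(
        r"^Server certificate", output, re.M
    ):
        return "cert_received"
    if "no peer certificate available" in output:
        m = re.search(r"SSL handshake has read (\d+) bytes", output)
        bytes_read = int(m.group(1)) if m else 0
        return "no_cert_server_silent" if bytes_read == 0 else "no_cert_alert"
    return "unknown"


def probe_tls(host: str, port: int, timeout: float = 5.0) -> Dict[str, str]:
    """Live probe: connect, attempt a TLS handshake, report what happened.

    Verification is disabled on purpose: the goal is to see whether the
    server presents a certificate at all, not to validate it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "tcp_refused"}
    except OSError as exc:  # includes socket.timeout
        return {"status": "tcp_error", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return {
                "status": "cert_received",
                "tls_version": tls.version() or "",
                "sha256": hashlib.sha256(der).hexdigest(),
            }
    except ssl.SSLEOFError as exc:  # peer closed mid-handshake, no cert
        return {"status": "no_cert_server_closed", "detail": str(exc)}
    except ssl.SSLError as exc:  # alert, protocol mismatch, etc.
        return {"status": "tls_error", "detail": exc.reason or str(exc)}
    except OSError as exc:  # reset or timeout during handshake
        return {"status": "tcp_error", "detail": str(exc)}


if __name__ == "__main__":
    # Placeholder target from the post; adjust to your own FPX instance.
    for port in (8080, 443):
        print(port, probe_tls("fpx.example.com", port))
```

Run it against both the explicit-proxy port and the management port: a `no_cert_server_closed` result on both, as the poster saw, points at the listener itself (for example the configured `admin-server-cert` not being usable) rather than at a policy or exemption that only affects proxied traffic.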
Did you follow these steps? You might be hitting some exemption? Or your policy is not being hit for some reason.
Admin interface doesn't even respond to SSL request.
HTTPS on MGMT is enabled, TCP session is built.
FPX does not send a server certificate on MGMT port 443.
Oh OK, so your issue is you cannot connect to the admin interface over HTTPS?
Can you SSH?
Can you post output of "show system global"
I started with SSL interception but then realized that SSL to mgmt doesn't even work, with the same symptoms. So I'm going a step back and trying to find out first what could be the reason for SSL to mgmt not working (maybe the simpler issue to solve, which is going to solve the other issue at the same time).
FortiProxy-VM64 # show system global
config system global
set admin-server-cert "Fortinet_Factory"
set alias "FortiProxy-VM64"
set hostname "FortiProxy-VM64"
set timezone 26
end
Does Fortinet_Factory exist in your System->Certificates store?
Try creating a new cert in System->Certificates and applying that as your admin-server-cert.
1) After generating a certificate myself, mgmt becomes available using HTTPS.
2) So I also created a custom CA for SSL inspection. No luck. It still gives either "exempt-unsupported" or "certificate-probe-failed".
3) HTTPS connection to proxy port 8080 also is not working. (required for HTTPS proxy scheme)
It looks like there may be some strong encryption limitations with evals. (Explicit Proxy > SSL Algorithm only provides option > LOW)
That may prevent SSL inspection, not sure though about HTTPS proxy scheme.
Interesting. I'm not familiar with FortiProxy evaluation limitations. However, FortiGate evaluation is limited to low encryption: https://docs.fortinet.com/document/fortigate-private-cloud/7.0.0/kvm-administration-guide/504166/for...
Could not find any similar documentation for FortiProxy though.
Are you running the built-in 15-day evaluation license?
Perhaps you need to reach out to your Fortinet Partner/SE and get a proper 60-day eval license.