jammac
New Contributor III

FortiProxy Eval and SSL

Hello.

Two questions:

1) Does FortiProxy Eval (VM) allow SSL interception? I tried (enabled deep inspection for a policy item), but nothing happens: I just see the original certs being used when browsing through the proxy.

2) I would like to know if the HTTPS proxy scheme is available with FPX.
(see https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/proxy.md#HTTPS-proxy-scheme)
The reason is I would like to have the browser-proxy connection encrypted.
When I connect to fpx:8080 using TLS, it answers using TLS but does not transmit any certificate...

openssl s_client -connect fpx.example.com:8080
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK

Thanks.

UPDATE: Hmm. It's responding the same on (mgmt) port 443...
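Added example (not the poster's code and not anything shipped with FortiProxy): a small Python probe, standard library only, that does what the openssl s_client run above does and classifies the outcome, so "the server accepted the TCP connection but closed without sending a certificate" is reported distinctly from a TLS handshake error, a handshake timeout or a refused connection. Run without arguments it targets a constructed local listener that reproduces the symptom in the post (accepts the connection, reads the ClientHello, closes); the host fpx.example.com in the usage note is the placeholder name from the post.

```python
import socket
import ssl
import sys
import threading


def probe_tls(host, port, timeout=5.0):
    """Attempt a TLS handshake with host:port and classify what happened.

    Verification is switched off on purpose: the question is whether the
    server sends a certificate at all, not whether it chains to a trusted CA.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"status": "connect_error", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not der:
                # Handshake finished but no certificate (e.g. anonymous suite).
                return {"status": "no_certificate", "protocol": tls.version()}
            return {"status": "certificate_presented",
                    "protocol": tls.version(), "cert_bytes": len(der)}
    except ssl.SSLEOFError as exc:
        # Peer closed mid-handshake: the "handshake has read 0 bytes" case.
        return {"status": "peer_closed_during_handshake", "detail": str(exc)}
    except ssl.SSLError as exc:
        # Some OpenSSL/Python combinations report the same EOF as a plain
        # SSLError or SSLZeroReturnError; the message still says EOF.
        if "EOF" in str(exc).upper():
            return {"status": "peer_closed_during_handshake", "detail": str(exc)}
        return {"status": "handshake_error", "detail": str(exc)}
    except ConnectionResetError as exc:
        return {"status": "peer_closed_during_handshake", "detail": str(exc)}
    except socket.timeout as exc:
        return {"status": "handshake_timeout", "detail": str(exc)}
    except OSError as exc:
        return {"status": "connect_error", "detail": str(exc)}
    finally:
        raw.close()


def start_silent_listener():
    """Constructed stand-in for the symptom in the post: accept the TCP
    connection, read the ClientHello, then close without answering.
    Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # swallow the ClientHello, then close
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def main(argv):
    if len(argv) == 3:
        host, port, stop = argv[1], int(argv[2]), None
    else:
        # No target given: probe the constructed listener instead.
        port, stop = start_silent_listener()
        host = "127.0.0.1"
    result = probe_tls(host, port)
    if stop is not None:
        stop.set()
    print(f"{host}:{port} -> {result['status']}")
    for key, value in result.items():
        if key != "status":
            print(f"  {key}: {value}")
    return 0 if result["status"] == "certificate_presented" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python probe.py fpx.example.com 8080` and `python probe.py fpx.example.com 443`; a healthy endpoint reports certificate_presented with the negotiated protocol, while the condition described in the post shows up as peer_closed_during_handshake. Running both ports from the same host makes it easy to see that the explicit-proxy port and the management port fail the same way, which is the observation that moves the diagnosis from the inspection policy to the certificate configuration.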

gfleming
Staff

https://docs.fortinet.com/document/fortiproxy/7.2.0/administration-guide/669878/create-or-edit-an-ss...

Did you follow these steps? You might be hitting some exemption? Or your policy is not being hit for some reason.

Cheers,
Graham
jammac
New Contributor III

The admin interface doesn't even respond to an SSL request.

HTTPS on MGMT is enabled, TCP session is built.

FPX does not send a server certificate on MGMT port 443.

gfleming

Oh OK, so your issue is you cannot connect to the admin interface over HTTPS?

Can you SSH?

Can you post the output of "show system global"?

Cheers,
Graham
jammac
New Contributor III

I started with SSL interception but then realized that SSL to mgmt doesn't even work with the same symptoms. So I'm going a step back and trying to find out first what could be the reason for SSL to mgmt not working (maybe the simpler issue to solve which is going to solve the other issue at the same time).

FortiProxy-VM64 # show system global
config system global
    set admin-server-cert "Fortinet_Factory"
    set alias "FortiProxy-VM64"
    set hostname "FortiProxy-VM64"
    set timezone 26
end

gfleming

Does Fortinet_Factory exist in your System->Certificates store?

Try creating a new cert in System->Certificates and applying that as your admin-server-cert.

Cheers,
Graham
jammac
New Contributor III

1) After generating a certificate myself, mgmt becomes available using HTTPS.

2) So I also created a custom CA for SSL inspection. No luck. It still gives either "exempt-unsupported" or "certificate-probe-failed".

3) An HTTPS connection to proxy port 8080 is also not working (required for the HTTPS proxy scheme).

It looks like there may be some strong encryption limitations with evals. (Explicit Proxy > SSL Algorithm only provides option > LOW)

That may prevent SSL inspection; not sure though about the HTTPS proxy scheme.

gfleming

Interesting. I'm not familiar with FortiProxy evaluation limitations. However, FortiGate evaluation is limited to low encryption: https://docs.fortinet.com/document/fortigate-private-cloud/7.0.0/kvm-administration-guide/504166/for...

Could not find any similar documentation for FortiProxy though.

Are you running the built-in 15-day evaluation license?

Perhaps you need to reach out to your Fortinet Partner/SE and get a proper 60-day eval license.

Cheers,
Graham