Hello to Everyone,
I am playing with the trial VM and I am wondering, apart from doing tcpdump packet sniffing, what the options are to debug SSL handshake issues like unsupported ciphers?
I am interested in proxy mode rules and flow mode rules, and whether there is an option when you enable debug flow, similar to FortiWeb (Diagnosing SSL/TLS handshake failures | FortiWeb 7.6.0 | Fortinet Document Library), to see such information?
Maybe also a "debug application" option as mentioned in Solved: debug SSL inspection for flow based vs proxy based... - Fortinet Community, as for proxy mode the "wad" process is used. I am wondering, for the ips and wad processes, what debug to enable to see the SSL handshake.
I enabled the options in Extended logging for SSL traffic - Fortinet Community and I see an unsupported ciphers error for 7.2, which is the last trial VM version having flow and proxy mode, and I see the issue with SSL failing for proxy mode. Maybe this is why it is stopped after 7.2 :)
Hi, to your original question - diagnose debug app sslvpn -1 followed by diagnose debug enable will show you the ciphers negotiated.
On another note - if you are using free evaluation license, only low/weak encryption is available and so any rule trying to use Deep SSL inspection will not work.
Hey @Yurisk. Thanks for the fast reply. I did not see anything when I enabled diagnose debug app sslvpn -1 and connected to the web server that has HTTPS, where the FortiGate emulates the certificate for the clients connecting through it. This seems like a debug command for SSL VPN and for HTTPS/SSL flow-based (not proxy-based) emulation.
Also, I started wondering, when using "Protecting an SSL server" (that is for inbound inspection), what process is involved in that SSL encryption and decryption.
So you basically are trying to do SSL offloading from the internal server by the FortiGate for the external clients connecting to the FortiGate (it still won't work because of the weak ciphers, but ..)?
Then you need a different debug, which I am not aware of, as I never needed to debug it. But maybe start with show firewall vip <VIP_name> | grep ssl, diagnose firewall vip virtual-server stats
I tried to debug the ipsengine (for flow-based SSL inspection this should be the process, not wad) and I found out that there is an ssl debug as well. The ipsengine generates too many logs and I did not see anything SSL specific, but maybe for a non-trial firewall that will be the way to go.
I even cleared the session and restarted the process with diag test application ipsmonitor 99 and diag sys kill 9 `pidof ipsengine` before the debug.
I just see that ipsengine should never be debugged during working hours!
diagnose debug reset
diagnose debug disable
diagnose debug console timestamp enable
diagnose debug application ssl -1
diagnose debug application ipsengine -1
diagnose debug enable
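The thread's underlying problem is a cipher-suite mismatch in the TLS handshake (a weak-only client or license set against a server that accepts only strong suites). As an added example, not code from the thread or from Fortinet, this script decodes the cipher suites offered in a TLS ClientHello record and reports whether a server restricted to a given suite list could complete the handshake; the ClientHello bytes are constructed inline, and the server-side suite list is an assumed sample.

```python
import struct

# IANA cipher-suite values used in this example (real assignments)
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def build_client_hello(suites, version=0x0303):
    """Construct a minimal TLS record carrying a ClientHello (sample input, not a capture)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"   # one compression method: null
    body += b"\x00\x00"   # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, [offered cipher suites]) from a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites

def diagnose(record, server_suites):
    """Explain whether the ClientHello can succeed against a server accepting only server_suites.
    Selection uses the client's preference order here purely for illustration."""
    version, offered = parse_client_hello(record)
    names = [SUITE_NAMES.get(s, f"0x{s:04X}") for s in offered]
    common = [s for s in offered if s in server_suites]
    result = {"version": f"0x{version:04X}", "offered": names, "ok": bool(common)}
    if common:
        result["selected"] = SUITE_NAMES.get(common[0], f"0x{common[0]:04X}")
    else:
        result["reason"] = "no shared cipher suite; expect TLS alert handshake_failure (40)"
    return result

if __name__ == "__main__":
    server = {0xC02F, 0xC030}                      # assumed: server permits only ECDHE-GCM suites
    print(diagnose(build_client_hello([0x0004, 0x000A]), server))   # weak-only client: fails
    print(diagnose(build_client_hello([0xC02F, 0x002F]), server))   # strong suite offered: ok
```

A ClientHello captured from the failing connection can be fed to parse_client_hello to confirm whether the offered suites overlap with what the inspected server or the FortiGate is willing to negotiate.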