Fortinet SSL DEEP inspection verification
I have set up deep inspection on the FortiGate and the traffic is matching the correct policy.
I have taken a pcap on the FGT while the client is accessing the server. From the pcap, how can we know which device is doing the decrypting/encrypting of the packets, to ensure SSL inspection is working properly or not?
I want to understand from the packet capture level only.
Labels: FortiGate, FortiGate-VM
Hello fortired213413,
One way would be to set up a Decrypted Traffic Mirror, which can be enabled in the policy. Then take a Wireshark capture (Network -> Diagnostics) on the interface you have configured for the mirror: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Mirroring-SSL-inspected-traffic/ta-p/18945...
Anthony.
Hi,
While accessing the website, you should be able to see the FGT DPI certificate and not the website's server certificate.
Salon Raj Joshi
> from the pcap how we can know
Assuming you want to find out purely based on pcaps:
In order for the FGT to DPI the traffic, it must participate in the TLS handshake and offer its own keying material (from which the encryption keys are derived), thus a DPI'd TLS session cannot be the same on both sides (client↔FGT, FGT↔server).
This means that you need packet captures of both sides. 'diag sniffer packet any "host <server-ip> and port <server-port>" 6 0' should be sufficient.
In TLS 1.3, the keying material is transported in the key_share extension in ClientHello and ServerHello messages.
In TLS 1.2, it is transported in ServerKeyExchange and ClientKeyExchange messages.
If using TLS 1.2, the easy tell-tale sign is to export the server's certificate from the pcap. If this certificate is signed by a CA that is used by the FGT for DPI, you have an easy confirmation.
Lastly, you could probably also do a simple byte-to-byte comparison of the TLS handshake payloads on both sides. If they're identical, DPI did not happen.
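The comparison described in the answer above, as an added worked example that is not part of the original thread or of any Fortinet tool: it parses the ClientHello seen on the client-facing side and the ClientHello seen on the server-facing side of the FortiGate, pulls out the random and the TLS 1.3 key_share, and reports whether a second TLS endpoint generated its own hello. It assumes you have already exported the raw TLS record bytes of the first handshake packet on each side from your capture (for example via Wireshark's export of packet bytes); the two ClientHello byte strings used here are constructed by a small builder in the script, not taken from a real capture, and the hostname `www.example.com` is a placeholder.

```python
"""Decide from two captures whether a FortiGate re-keyed (deep-inspected) a TLS
session. Standard library only; no pcap library required.

Usage: export the TLS record carrying the ClientHello on the client side and on
the server side of the FGT, load them as bytes, and call compare_sides().
The CLIENT_SIDE / SERVER_SIDE_* samples below are CONSTRUCTED for the demo."""
import struct

TLS_HANDSHAKE = 22            # record content type
CLIENT_HELLO = 1              # handshake message type
EXT_SERVER_NAME = 0x0000      # SNI extension
EXT_KEY_SHARE = 0x0033        # TLS 1.3 key_share extension (RFC 8446 4.2.8)
X25519 = 0x001D               # named group used in the samples
TLS_AES_128_GCM_SHA256 = 0x1301


def build_client_hello(random32: bytes, key_share_pub: bytes, sni: bytes) -> bytes:
    """Build a minimal TLS 1.3-style ClientHello record. Only used here to
    CONSTRUCT sample input; in practice the bytes come from the capture."""
    sni_host = struct.pack("!BH", 0, len(sni)) + sni            # name_type host_name
    sni_ext = struct.pack("!H", len(sni_host)) + sni_host
    ks_entry = struct.pack("!HH", X25519, len(key_share_pub)) + key_share_pub
    ks_ext = struct.pack("!H", len(ks_entry)) + ks_entry
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
            + struct.pack("!HH", EXT_KEY_SHARE, len(ks_ext)) + ks_ext)
    body = (b"\x03\x03" + random32 + b"\x00"                   # legacy_version, random, empty session_id
            + struct.pack("!H", 2) + struct.pack("!H", TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                       # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Walk a TLS record containing a ClientHello and return the fields that a
    proxy cannot leave unchanged when it runs its own handshake."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2                                                     # skip legacy_version
    random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                        # compression_methods vector
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    extensions, end = {}, pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        extensions[etype] = body[pos:pos + elen]; pos += elen
    return {"random": random, "session_id": session_id,
            "cipher_suites": suites, "extensions": extensions}


def key_share_entries(ext: bytes) -> dict:
    """Decode a ClientHello key_share extension into {group: public_key}."""
    total = struct.unpack("!H", ext[:2])[0]
    entries, pos = {}, 2
    while pos < 2 + total:
        group, klen = struct.unpack("!HH", ext[pos:pos + 4]); pos += 4
        entries[group] = ext[pos:pos + klen]; pos += klen
    return entries


def compare_sides(client_side: bytes, server_side: bytes) -> dict:
    """The test from the post: identical bytes on both sides mean the FGT only
    forwarded the hello. A different random and key_share mean a second TLS
    endpoint built its own hello, which is what deep inspection does."""
    c, s = parse_client_hello(client_side), parse_client_hello(server_side)
    c_ks = key_share_entries(c["extensions"][EXT_KEY_SHARE])
    s_ks = key_share_entries(s["extensions"][EXT_KEY_SHARE])
    return {
        "identical": client_side == server_side,
        "random_differs": c["random"] != s["random"],
        "key_share_differs": c_ks != s_ks,
        # a DPI proxy copies the SNI so the real server still returns the right cert
        "sni_preserved": c["extensions"].get(EXT_SERVER_NAME) == s["extensions"].get(EXT_SERVER_NAME),
        "inspected": c["random"] != s["random"] and c_ks != s_ks,
    }


# Constructed samples (NOT real captures): deterministic randoms and key shares.
CLIENT_SIDE = build_client_hello(bytes(range(32)), b"\x11" * 32, b"www.example.com")
SERVER_SIDE_DPI = build_client_hello(bytes(range(32, 64)), b"\x22" * 32, b"www.example.com")
SERVER_SIDE_PASSTHROUGH = CLIENT_SIDE   # an FGT that only forwards leaves the bytes untouched

if __name__ == "__main__":
    for name, srv in (("deep inspection", SERVER_SIDE_DPI),
                      ("no inspection", SERVER_SIDE_PASSTHROUGH)):
        print(name, compare_sides(CLIENT_SIDE, srv))
```

The same approach works for the ServerHello (message type 2, same record framing), where the server-side capture shows the real server's key_share and the client-side capture shows the FGT's; the point is that the two halves of a deep-inspected session share nothing but the SNI and the cipher suite choice, while a pass-through session shows the same bytes on both interfaces.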
