train_wreck
New Contributor III

IPv6 SSL inspection not working

I have a Fortigate 50E on 5.6.3 that has a successful SSL inspection and AV/Antispam scanning enabled for IPv4 LAN-WAN traffic. I have recently now enabled IPv6 DHCP prefix delegation and now have dual-stack IPv4 and IPv6.

 

I am attempting to have IPv6 traffic inspected & scanned. I have the following IPv6 policies:

 

Gateway # show firewall ssl-ssh-profile custom-deep-inspection config firewall ssl-ssh-profile     edit "custom-deep-inspection"         set comment "Customizable deep inspection profile."         config ssl             set inspect-all deep-inspection         end         config ssl-exempt             edit 1                 set type address                 set address "*.archlinux.org"             next             edit 2                 set type address                 set address "*.cisco.com"             next             edit 3                 set type address                 set address "*.netflix.com"             next             edit 4                 set type address                 set address "*.nflxvideo.net"             next             edit 5                 set type address                 set address "*.roku.com"             next             edit 6                 set type address                 set address "adobe"             next             edit 7                 set type address                 set address "Adobe Login"             next             edit 8                 set type address                 set address "android"             next             edit 9                 set type address                 set address "apple"             next             edit 10                 set type address                 set address "appstore"             next             edit 11                 set type address                 set address "auth.gfx.ms"             next             edit 12                 set type address                 set address "autoupdate.opera.com"             next             edit 13                 set type address                 set address "citrix"             next             edit 14                 set type address                 set address "dropbox.com"             next             edit 15                 set type address                 set address "eease"             next             edit 16                 set type 
address                 set address "F30E_remote_subnet2"             next             edit 17                 set type address                 set address "F30E_remote_subnet_1"             next             edit 18                 set type address                 set address "firefox update server"             next             edit 19                 set type address                 set address "fortinet"             next             edit 20                 set type address                 set address "google-drive"             next             edit 21                 set type address                 set address "google-play"             next             edit 22                 set type address                 set address "google-play2"             next             edit 23                 set type address                 set address "google-play3"             next             edit 24                 set type address                 set address "googleapis.com"             next             edit 25                 set type address                 set address "Gotomeeting"             next             edit 26                 set type address                 set address "icloud"             next             edit 27                 set type address                 set address "itunes"             next             edit 28                 set type address                 set address "microsoft"             next             edit 29                 set type address                 set address "ROKU"             next             edit 30                 set type address                 set address "skype"             next             edit 31                 set type address                 set address "softwareupdate.vmware.com"             next             edit 32                 set type address                 set address "swscan.apple.com"             next             edit 33                 set type address                 set address "update.microsoft.com"             
next             edit 34                 set type address                 set address "verisign"             next             edit 35                 set type address                 set address "Windows update 2"             next             edit 36                 set fortiguard-category 31             next             edit 37                 set fortiguard-category 33             next         end     next end Gateway # show firewall policy6 config firewall policy6     edit 1         set name "6-LAN-WAN"         set uuid e107d232-0983-51e8-773c-106addad33df         set srcintf "lan"         set dstintf "wan1"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set utm-status enable         set av-profile "default"         set spamfilter-profile "default"         set profile-protocol-options "default"         set ssl-ssh-profile "custom-deep-inspection"     next     edit 2         set name "6-wifi-WAN"         set uuid 4990080c-0988-51e8-fdcb-e98d8c011868         set srcintf "wifi"         set dstintf "wan1"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"     next     edit 3         set name "6-wan-lan-ping6"         set uuid 4a82ca62-0990-51e8-5422-9971448afc15         set srcintf "wan1"         set dstintf "lan"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "PING6"     next end

 

This is the same process I used for IPv4 traffic on the "LAN-WAN" IPv4 policy. But IPv6 clients do not appear to be inspected: IPv6 clients on the LAN do not see the HTTPS certificate replaced with the FortiGate's SSL inspection certificate, as they do with IPv4 traffic.

 

What is the issue?

train_wreck
New Contributor III

Anyone??

emnoc
Esteemed Contributor III

Did you run diag debug flow? Also, when you say "replaced", do you mean in the CA chain as shown in the browser?

 

And lastly, what type of client-browsers?

 

Personally, I would run "curl" or "gnutls-cli" if you have a macOS machine and see what is displayed in the TLS certificate chain. Certain browsers cache certificate details, and these are then not displayed correctly, even more so if you change networks.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ericli_FTNT
Staff
Staff

Hi train_wreck,

Thanks for asking. I have already reproduced your issue in my lab and reported it to the developers. A fix will be released as soon as possible.

 

As a temporary workaround, you could go to "config ssl" and "unset inspect-all", then reconfigure the per-protocol ports to be inspected if necessary. I have just verified that the issue is triggered by this option being enabled.

 

Will keep you updated!

train_wreck

OK. Curious, do you work for Fortinet?
