IPv6 SSL inspection not working

train_wreck · ‎02-08-2018

I have a Fortigate 50E on 5.6.3 that has a successful SSL inspection and AV/Antispam scanning enabled for IPv4 LAN-WAN traffic. I have recently now enabled IPv6 DHCP prefix delegation and now have dual-stack IPv4 and IPv6.

I am attempting to have IPv6 traffic inspected & scanned. I have the following IPv6 policies:

Gateway # show firewall ssl-ssh-profile custom-deep-inspection config firewall ssl-ssh-profile edit "custom-deep-inspection" set comment "Customizable deep inspection profile." config ssl set inspect-all deep-inspection end config ssl-exempt edit 1 set type address set address "*.archlinux.org" next edit 2 set type address set address "*.cisco.com" next edit 3 set type address set address "*.netflix.com" next edit 4 set type address set address "*.nflxvideo.net" next edit 5 set type address set address "*.roku.com" next edit 6 set type address set address "adobe" next edit 7 set type address set address "Adobe Login" next edit 8 set type address set address "android" next edit 9 set type address set address "apple" next edit 10 set type address set address "appstore" next edit 11 set type address set address "auth.gfx.ms" next edit 12 set type address set address "autoupdate.opera.com" next edit 13 set type address set address "citrix" next edit 14 set type address set address "dropbox.com" next edit 15 set type address set address "eease" next edit 16 set type address set address "F30E_remote_subnet2" next edit 17 set type address set address "F30E_remote_subnet_1" next edit 18 set type address set address "firefox update server" next edit 19 set type address set address "fortinet" next edit 20 set type address set address "google-drive" next edit 21 set type address set address "google-play" next edit 22 set type address set address "google-play2" next edit 23 set type address set address "google-play3" next edit 24 set type address set address "googleapis.com" next edit 25 set type address set address "Gotomeeting" next edit 26 set type address set address "icloud" next edit 27 set type address set address "itunes" next edit 28 set type address set address "microsoft" next edit 29 set type address set address "ROKU" next edit 30 set type address set address "skype" next edit 31 set type address set address "softwareupdate.vmware.com" next edit 32 set type address set address "swscan.apple.com" next edit 33 set type address set address "update.microsoft.com" next edit 34 set type address set address "verisign" next edit 35 set type address set address "Windows update 2" next edit 36 set fortiguard-category 31 next edit 37 set fortiguard-category 33 next end next end Gateway # show firewall policy6 config firewall policy6 edit 1 set name "6-LAN-WAN" set uuid e107d232-0983-51e8-773c-106addad33df set srcintf "lan" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set av-profile "default" set spamfilter-profile "default" set profile-protocol-options "default" set ssl-ssh-profile "custom-deep-inspection" next edit 2 set name "6-wifi-WAN" set uuid 4990080c-0988-51e8-fdcb-e98d8c011868 set srcintf "wifi" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 3 set name "6-wan-lan-ping6" set uuid 4a82ca62-0990-51e8-5422-9971448afc15 set srcintf "wan1" set dstintf "lan" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "PING6" next end

This is the same process I used for IPv4 traffic on the "LAN-WAN" IPv4 policy. But IPv6 clients do not appear to be inspected; IPv6 clients on the LAN are not seeing the HTTPS certificate replaced with the Fortigate's SSL scanning cert, like they are with IPv4 traffic.

What is the issue?

train_wreck · ‎03-04-2018

Anyone??

emnoc · ‎03-05-2018

Did you run diag debug flow ? Also when you say replaced, do mean in the CAchain as shown in the browser?

And lastly, what type of client-browsers?

I would run personally run "curl" or "gnutls-cli" if you have a macosx machine and witness what is display from a TLS certificate chain. Certain browser are caching certificate details and these are not correctly displayed and more so if you change networks.

PCNSE

NSE

StrongSwan

ericli_FTNT · ‎03-05-2018

Hi train_wreck,

Thanks for asking. I have already reproduced your issue in my lab and reported this issue to developer. A fixing patch will be released as soon as possible.

For temporary walk around, you could go to "config ssl/unset inspecte-all" and reconfigure your ports if necessary. I just verified that the issued is triggered by this option enabled.

Will keep you updated!

train_wreck · ‎03-08-2018

OK. Curious, do you work for Fortinet?