Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kimsw
New Contributor II

Issue regarding decrypted mirror traffic

Hi,

When SSL-decrypted HTTPS traffic is sent to a mirror port and analyzed using Wireshark on a server connected to that port, unusual packet patterns are observed.

[attached screenshot: wireshark.png]

WAN port IP: 1.235.10.153
Destination IP: 54.84.14.5
Source IP: 172.30.0.162

It seems like there is something wrong with the handshake process, and when I monitor this traffic with Zeek, either the request body or the response body always shows 0.

Is there something wrong with my FortiGate configuration, or is this an expected situation for mirrored traffic?

I need your assistance.

Thanks.

1 Solution
AnthonyH
Staff

Hello kimsw,

Could you run a sniffer using the following command and attach the results here:
diag sniffer packet any 'host 172.30.0.162 and host 54.84.14.5' 4 0 l

Additionally, could you try disabling auto-asic-offload on the firewall policy that is decrypting the traffic and review the Wireshark capture again?
config firewall policy
edit <id>
set auto-asic-offload disable
end

Technical Support Engineer,
Anthony.

kimsw
New Contributor II

At first, it wasn't working well, so I tried setting "set auto-asic-offloading disable" after finding some information, but when I checked the TCPDUMP, it was the same.

As I continued testing afterwards, I realized that previously I had been checking the TCPDUMP on the Linux server receiving mirrored traffic, but it was different from the TCPDUMP collected on the FortiGate. The FortiGate was sending traffic normally after setting "set auto-asic-offloading disable".

In the end, the problem was resolved.

The cause turned out to be that the Linux server was running on a virtual machine, so I learned that both the FortiGate's offloading and the VM's NIC offloading needed to be disabled together to properly receive the traffic.

Thank you.
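The fix kimsw describes (turning off the NIC offloads on the VM that receives the mirrored traffic) as an added shell example, not code from the thread or from Fortinet: it reads `ethtool -k` output, lists the offloads that merge or split segments or defer checksums, and prints the `ethtool -K` command that turns them off. The interface name eth0 and the sample ethtool output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find the NIC offloads still enabled on
# a capture interface (from `ethtool -k` output) and build the `ethtool -K`
# command that turns them off. Interface name eth0 is an assumption.
# Constructed sample of `ethtool -k eth0`; top-level features start at
# column 0, sub-features are indented (tabs in real output) and are ignored.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
# Offloads that distort a mirrored capture (GRO/LRO merge segments, TSO/GSO
# defer segmentation, checksum offload leaves wrong checksums), mapped to
# their `ethtool -K` short names; anything else prints nothing.
short_name() {
    case "$1" in
        rx-checksumming) echo rx ;;
        tx-checksumming) echo tx ;;
        tcp-segmentation-offload) echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload) echo gro ;;
        large-receive-offload) echo lro ;;
    esac
}
# stdin: `ethtool -k` output. Prints each relevant top-level offload that is
# "on" and not "[fixed]" (fixed features cannot be changed), one per line.
enabled_offloads() {
    awk '/^[a-z-]+: on/ && $3 != "[fixed]" { sub(":", "", $1); print $1 }' |
    while read -r feat; do
        if [ -n "$(short_name "$feat")" ]; then echo "$feat"; fi
    done
}
# $1: interface; stdin: `ethtool -k` output. Prints the command to run.
offload_disable_cmd() {
    iface=$1
    feats=$(enabled_offloads)
    if [ -z "$feats" ]; then echo "nothing to disable on $iface"; return 0; fi
    set -- "$iface"
    for f in $feats; do set -- "$@" "$(short_name "$f")" off; done
    echo "ethtool -K $*"
}
# Stand-alone run on the sample; on a real host: ethtool -k eth0 | offload_disable_cmd eth0
printf '%s\n' "$SAMPLE_ETHTOOL_K" | offload_disable_cmd eth0
```

The printed command must be run as root on the capture VM before starting tcpdump, and the same offloads should be checked on the hypervisor side if the capture is still reassembled.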
