Hi,
When SSL-decrypted HTTPS traffic is sent to a mirror port and analyzed using Wireshark on a server connected
to that port, unusual packet patterns are observed.
wan port IP : 1.235.10.153
destination IP : 54.84.14.5
source IP : 172.30.0.162
It seems like there is something wrong with the handshake process, and when I monitor this traffic with Zeek, either the request body or the response body always shows 0.
Is there something wrong with my FortiGate configurations, or is this expected situation for mirrored traffic?
I need your assistance.
Thanks.
Hello kimsw,
Could you run a sniffer using the following command and attach the results here:
diag sniffer packet any 'host 172.30.0.162 and host 54.84.14.5' 4 0 l
Additionally, could you try disabling auto-asic-offloading on the firewall policy that is decrypting the traffic and review the Wireshark logs again?
config firewall policy
edit <id>
set auto-asic-offloading disable
next
end
At first, it wasn't working well, so I tried setting "set auto-asic-offloading disable" after finding some information, but when I checked the tcpdump capture, it was the same.
As I continued testing afterwards, I realized that previously I had been checking the tcpdump capture on the Linux server receiving the mirrored traffic, but it was different from the tcpdump capture collected on the FortiGate. The FortiGate was sending the traffic normally after setting "set auto-asic-offloading disable".
In the end, the problem was resolved.
The cause turned out to be that the Linux server was running on a virtual machine, so I learned that both the FortiGate's offloading and the VM's NIC offloading needed to be disabled together to properly receive the traffic.
Thank you.
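The resolution above has two halves: the FortiGate policy with auto-asic-offloading disabled (shown in the reply), and the offloads on the VM's capture NIC. The script below is an added example, not code from the thread or from Fortinet, for the second half: it parses `ethtool -k` output to report which capture-relevant offloads (checksum, TSO/GSO, GRO/LRO) are still on, and turns them off with `ethtool -K` while putting the port in promiscuous mode. Checksum offload makes checksums look wrong in the capture, and segmentation/receive offload merges TCP segments into packets larger than the MTU, which is how a mirror feed ends up looking like a broken handshake to Wireshark or Zeek. The interface name eth1, and the sample `ethtool -k` output, are constructed for the example; ethtool and iproute2 are assumed to be installed, and the change itself needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit and disable NIC offloads on the
# Linux VM interface that receives the FortiGate mirror port, so that tcpdump,
# Wireshark and Zeek see the segments as they were on the wire.
# Assumptions: the interface name eth1 is hypothetical; ethtool and iproute2
# are installed; disabling offloads requires root.

# Offload features that commonly distort a mirror-port capture: checksum
# offload leaves checksums unfilled, and segmentation / receive offload merges
# TCP segments into super-packets larger than the MTU.
CAPTURE_OFFLOADS="rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Read `ethtool -k IFACE` output on stdin and print, one per line, the
# capture-relevant features that are still "on". The "Features for ..."
# header and indented sub-features are ignored; a "[fixed]" feature is only
# listed if it is on, since it cannot be changed by ethtool anyway.
enabled_offloads() {
    awk -v want="$CAPTURE_OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /^[a-z0-9-]+: / {
            name = $1
            sub(/:$/, "", name)
            if ((name in keep) && $2 == "on") print name
        }'
}

# Report which offloads are enabled on a real interface; return 1 if any are.
audit_iface() {
    iface="$1"
    on="$(ethtool -k "$iface" | enabled_offloads)"
    if [ -n "$on" ]; then
        echo "offloads still enabled on $iface:" >&2
        echo "$on" >&2
        return 1
    fi
    echo "no capture-relevant offloads enabled on $iface"
}

# Turn the offloads off one at a time (short ethtool names), so a driver that
# refuses one of them does not stop the rest, then enable promiscuous mode so
# mirrored frames addressed to other MACs are not dropped by the NIC.
disable_offloads() {
    iface="$1"
    for feature in rx tx tso gso gro lro; do
        ethtool -K "$iface" "$feature" off \
            || echo "could not change $feature on $iface" >&2
    done
    ip link set "$iface" promisc on
}

# Constructed sample of `ethtool -k eth1` output from a VM NIC with everything
# on except LRO, which this driver reports as fixed.
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Usage: sh offloads.sh eth1   (audit, disable what is still on, audit again)
if [ -n "${1:-}" ]; then
    audit_iface "$1" || disable_offloads "$1"
    audit_iface "$1"
fi
```

Run the audit on the capture interface before starting tcpdump or Zeek; on the sample above it reports rx/tx checksumming, TSO, GSO and GRO as still on, which is the state the thread describes. The setting does not survive a reboot, so in practice it belongs in the interface's post-up hook or a systemd unit on the capture VM.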
Copyright 2024 Fortinet, Inc. All Rights Reserved.