Problem using Application Control in FortiProxy 7.2.4
I'm trying to use Application Control in a FortiProxy 7.2.4 instance but without any success. This is set up as an Explicit Proxy which forwards all requests to an upstream proxy. I have a policy with deep inspection enabled, but the application control set on this policy has no effect. The application control logs are empty, and the logs on the syslog server show all URLs as either unscanned or unknown.
The settings of the policy are shown below:

    set type explicit-web
    set status enable
    set name "testAllPolicy"
    set uuid 957f632c-fa08-51ed-f3fc-40ae6af42b45
    set dstintf "port3"
    set srcaddr "test-src_ip"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "webproxy"
    set explicit-web-proxy "web-proxy"
    set transparent disable
    set ztna-tags-match-logic or
    set internet-service disable
    set pass-through disable
    set utm-status enable
    set webproxy-profile "testWebProxyProfile"
    set logtraffic all
    set logtraffic-start enable
    set log-http-transaction enable
    set webcache disable
    set webcache-https disable
    set http-tunnel-auth disable
    set ssh-policy-check disable
    set webproxy-forward-server "upstream-proxy"
    set disclaimer disable
    set comments ''
    set replacemsg-override-group ''
    set srcaddr-negate disable
    set dstaddr-negate disable
    set service-negate disable
    set decrypted-traffic-mirror ''
    set max-session-per-user 0
    set profile-type single
    set profile-protocol-options "HTTP-ProxyOptions"
    set ssl-ssh-profile "test-deep-inspection"
    set av-profile "test-Antivirus"
    set ia-profile "test-ReplaceImages"
    set webfilter-profile "test-URLFiltering"
    set dlp-sensor ''
    set file-filter-profile ''
    set ips-sensor "test-IPS"
    set application-list "test-block_all"
    set icap-profile ''
    set videofilter-profile "testYoutube"
    set isolator-profile ''
    set ssh-filter-profile ''
The settings of the SSL/SSH profile are shown below:

    edit "test-deep-inspection"
        set comment "Read-only deep inspection profile."
        config ssl
            set client-certificate bypass
            set unsupported-ssl-version block
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
        end
        config https
            set ports 443
            set status deep-inspection
            set proxy-after-tcp-handshake disable
            set client-certificate bypass
            set unsupported-ssl-version block
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout block
            set cert-validation-failure block
            set sni-server-cert-check enable
            set min-allowed-ssl-version tls-1.1
        end
@Sarandis What is your test configuration for the profiles below?

    set profile-protocol-options "HTTP-ProxyOptions"
    set ssl-ssh-profile "test-deep-inspection"
    set av-profile "test-Antivirus"
    set ia-profile "test-ReplaceImages"
    set webfilter-profile "test-URLFiltering"
    set dlp-sensor ''
    set file-filter-profile ''
    set ips-sensor "test-IPS"
    set application-list "test-block_all"

If you find that there is too much information to share in this post, you may try to open a ticket with our TAC Support.
Thanks for your answer; you can find below the configuration items you asked for. They are obfuscated, and some irrelevant entries have been truncated.
    config firewall profile-protocol-options
        edit "default"
            set comment "All default services."
            config http
                set ports 80
                unset options
                unset post-lang
            end

    edit "test-deep-inspection"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
            set cert-validation-timeout block
        end
        set caname "CA_Test"
    next
    end

    config antivirus profile
        edit "test-Antivirus"
            config http
                set av-scan block
                set outbreak-prevention block
            end
        next
    end

    edit "test-ReplaceImages"
        set alcohol-block-strictness-level 89
        set drugs-block-strictness-level 88
        set **bleep**-block-strictness-level 89
        set weapons-block-strictness-level 92
        set replace-image "tziz"
    next

    config webfilter profile
        edit "test-URLFiltering"
            config override
                set ovrd-dur 5m
                set ovrd-user-group "test-sapap-group"
                set profile "YouTube-Profile"
            end
            config web
                set bword-table 1
                set safe-search header
                set youtube-restrict strict
            end
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set category 1
                    next
                    edit 3
                        set category 3
                    next
                    edit 4
                        set category 4
                        set action block
                    ...
                end
            end
            set log-all-url enable
        next

    config ips sensor
        edit "test-IPS"
            set block-malicious-url enable
            set scan-botnet-connections block
        next
    end

    edit "test-block_all"
        set other-application-log enable
        set unknown-application-log enable
        config entries
            edit 1
                set application 15832 23813 17735 15722 38517 24318 29210 38468 40934 40935 40933 39381 43448 22922 23260 35523 17399
            next
            ...
        set control-default-network-services enable
        config default-network-services
            edit 1
                set port 443
                set services https
                set violation-action monitor
            next
        end
    next
    end
With this config in place, FortiProxy will just redirect proxy sessions to the upstream proxy and won't handle them; it does not have any traffic to scan in order to identify the application. You may need to apply Application Control on the upstream proxy, which establishes the connections with the accessed destinations and handles all the traffic.
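To turn the point made in this answer into something that can be checked against an exported configuration, here is an added Python example; it is not from the thread and is not a Fortinet tool. It parses the FortiOS-style config/edit/set/next/end text into nested dictionaries and flags every policy that sets webproxy-forward-server while also attaching UTM profiles such as application-list or ips-sensor, which is exactly the combination in the original post. The sample configuration is constructed from the policy values shown in the thread; the "config firewall policy" wrapper, the second policy used as a negative case, and the parser's simplifications (one statement per line, no multi-line values) are assumptions.

```python
import shlex

# Constructed sample, not a verbatim export: "testAllPolicy" carries the
# relevant settings from the post, "localInspectPolicy" is an assumed
# policy with the same UTM profiles but no upstream forward server.
SAMPLE_CONFIG = """
config firewall policy
    edit "testAllPolicy"
        set type explicit-web
        set status enable
        set action accept
        set utm-status enable
        set webproxy-forward-server "upstream-proxy"
        set comments ''
        set ssl-ssh-profile "test-deep-inspection"
        set dlp-sensor ''
        set ips-sensor "test-IPS"
        set application-list "test-block_all"
    next
    edit "localInspectPolicy"
        set type explicit-web
        set status enable
        set utm-status enable
        set ssl-ssh-profile "test-deep-inspection"
        set application-list "test-block_all"
    next
end
"""

# Profile keys on a policy that only do something if the proxy itself
# terminates and inspects the session.
UTM_PROFILE_KEYS = (
    "application-list",
    "ips-sensor",
    "av-profile",
    "webfilter-profile",
    "dlp-sensor",
)


def parse_fortios_cli(text):
    """Parse config/edit/set/unset/next/end lines into nested dicts.

    "config X" and "edit Y" open a child dict keyed by X or Y; "set k v..."
    stores the value list under k; "next"/"end" close the current level.
    Quoted values are handled by shlex, so set comments '' becomes [''].
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword in ("config", "edit"):
            child = current.setdefault(" ".join(args), {})
            stack.append(child)
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword == "unset":
            current.pop(args[0], None)
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def find_forwarded_utm_policies(config):
    """Return (policy name, forward server, [attached UTM keys]) for each
    policy that hands sessions to an upstream proxy while still referencing
    UTM profiles; those profiles will have no traffic to classify."""
    findings = []
    for name, policy in config.get("firewall policy", {}).items():
        forward = policy.get("webproxy-forward-server")
        if not forward or forward == [""]:
            continue
        attached = [k for k in UTM_PROFILE_KEYS
                    if policy.get(k) and policy[k] != [""]]
        if attached:
            findings.append((name, forward[0], attached))
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_cli(SAMPLE_CONFIG)
    for name, server, keys in find_forwarded_utm_policies(parsed):
        print(f"policy {name!r} forwards to {server!r} but attaches "
              f"{', '.join(keys)}; these profiles will not see the traffic")
```

Feed it the output of `show firewall policy` (or the relevant part of a full backup) in place of the constructed sample. A policy that shows up in the findings needs its Application Control moved to whichever proxy actually terminates the client sessions, as the answer above suggests; the check is deliberately narrow and says nothing about whether the profiles themselves are configured sensibly.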
You've set client-certificate bypass. Make sure this setting aligns with your actual needs and won't interfere with the SSL inspection. You've already enabled Deep Inspection, which is good. But make sure that the clients trust the FortiProxy CA certificate; otherwise, SSL inspection will fail. You mentioned that FortiProxy forwards all requests to an upstream proxy. Make sure that this upstream proxy is not altering the traffic in a way that prevents FortiProxy from performing application control. Ensure there are no firewalls or other network devices that could be affecting the traffic before it reaches the FortiProxy.
Can you please explain how the client-certificate settings can affect the SSL inspection? In any case, client certificate is set to bypass and SSL client certificate is set to do-not-offer, which I think are the settings for not inspecting client certificates.
Yes, the clients trust the FortiProxy CA. Regarding the upstream proxy, I tried the same config without the upstream proxy, but nothing changed. All other network firewalls are not altering the HTTP traffic.