Hi Everyone,
Lets say I have an application that I need to bypass from deep inspection, Onenote for example. In 5.2 we had the command "diag debug application ssl" that would should be the cn/sni of the certificates as the session was happening. Within 5.4 and 5.6 that command is missing. How would I go about doing the same thing? If I need to bypass it seems like web filtering is the only option when its monitoring to pull the fqdn that we may need to bypass.
Thank you for your time
Hi Eugene,
The new commands are "diagnose wad enable category ssl". You can modify the level at "diagnose wad enable level <>" to determine how detailed you want your command printed out. Then "diagnose debug enable".
I did a sample with "apis.google.com".
wad_ssl_sock_port_exec_up_forward(10691): sp=0x317182b8/6 wad_ssl_proxy_srv_on_client_hello(5835): sp=0x317182b8/6 cert_inspect=0 minor ver/min/max=3/0/3. wad_ssl_proxy_srv_on_client_hello(5865): sp(0x317182b8) get clt_hello svr_name(api.google.com), copy to hostname(0x32761330) wad_ssl_proxy_srv_on_client_hello(5924): Sending https exempt request for hostname=api.google.com wad_ssl_port_exempt_https_request(4446): sec_profile=0x318d442c url_filter=0 deep_scan=1 cert_inspect=0 wad_ssl_port_exempt_https_request(4452): ssl-exempt result: exempt_type=exempt_type_addr hostname(0x32761330)=api.google.com wad_tp_webproxy_ssl_exempt_log(213): sent LOG_DATA_SSLACTION
Hope this answers your question.
HoMing
hmtay wrote:Hi Eugene,
The new commands are "diagnose wad enable category ssl". You can modify the level at "diagnose wad enable level <>" to determine how detailed you want your command printed out. Then "diagnose debug enable".
I did a sample with "apis.google.com".
wad_ssl_sock_port_exec_up_forward(10691): sp=0x317182b8/6 wad_ssl_proxy_srv_on_client_hello(5835): sp=0x317182b8/6 cert_inspect=0 minor ver/min/max=3/0/3. wad_ssl_proxy_srv_on_client_hello(5865): sp(0x317182b8) get clt_hello svr_name(api.google.com), copy to hostname(0x32761330) wad_ssl_proxy_srv_on_client_hello(5924): Sending https exempt request for hostname=api.google.com wad_ssl_port_exempt_https_request(4446): sec_profile=0x318d442c url_filter=0 deep_scan=1 cert_inspect=0 wad_ssl_port_exempt_https_request(4452): ssl-exempt result: exempt_type=exempt_type_addr hostname(0x32761330)=api.google.com wad_tp_webproxy_ssl_exempt_log(213): sent LOG_DATA_SSLACTION
Hope this answers your question.
HoMing
I've been messing with 5.4 and 5.6, 5.4 doesnt seem to have all the commands you mentioned. 5.6 does have something close, Is the syntax different in 5.4?
In 5.4, try "diagnose debug application wad -1", "diagnose debug enable".
The commands I have given you so far are for proxy-mode inspection.
If you are using flow-mode inspection for a particular policy, you can identify if deep-inspection is used based on the flags when you enable "diagnose ips debug enable ssl". You might want to enable other debug logs along with ssl to get more information about the lines. Go to "diagnose ips debug enable ?" to find out what other options you have.
Certificate-inspection:
[26650/0]create_run_mode: SSL CA name: Fortinet_CA_SSL, untrust CA name: Fortinet_CA_Untrusted, VDOM: 0, enable: 0, mode: 1, verifyca: 1, invalid_cert_action: 2, untrust_ca_action: 4, whitelist: 0
Deep-inspection: [26650/0]create_run_mode: SSL CA name: Fortinet_CA_SSL, untrust CA name: Fortinet_CA_Untrusted, VDOM: 0, enable: 1, mode: 2, verifyca: 1, invalid_cert_action: 2, untrust_ca_action: 4, whitelist: 0
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.