Support Forum
EMES
Contributor

SSL Deep Packet Inspection Troubleshooting Methodology

Hi Everyone,

 

Let's say I have an application that I need to bypass from deep inspection, OneNote for example. In 5.2 we had the command "diag debug application ssl" that would show the CN/SNI of the certificates as the session was happening. Within 5.4 and 5.6 that command is missing. How would I go about doing the same thing? If I need to bypass, it seems like web filtering is the only option, when it's monitoring, to pull the FQDN that we may need to bypass.

 

Thank you for your time

hmtay_FTNT
Staff

Hi Eugene,

 

The new commands are "diagnose wad enable category ssl". You can modify the level at "diagnose wad enable level <>" to determine how detailed you want your command printed out. Then "diagnose debug enable".

 

I did a sample with "apis.google.com". 

 

wad_ssl_sock_port_exec_up_forward(10691): sp=0x317182b8/6
wad_ssl_proxy_srv_on_client_hello(5835): sp=0x317182b8/6 cert_inspect=0 minor ver/min/max=3/0/3.
wad_ssl_proxy_srv_on_client_hello(5865): sp(0x317182b8) get clt_hello svr_name(api.google.com), copy to hostname(0x32761330)
wad_ssl_proxy_srv_on_client_hello(5924): Sending https exempt request for hostname=api.google.com
wad_ssl_port_exempt_https_request(4446): sec_profile=0x318d442c url_filter=0 deep_scan=1 cert_inspect=0
wad_ssl_port_exempt_https_request(4452): ssl-exempt result: exempt_type=exempt_type_addr hostname(0x32761330)=api.google.com
wad_tp_webproxy_ssl_exempt_log(213): sent LOG_DATA_SSLACTION

 

Hope this answers your question.

 

HoMing

EMES


I've been messing with 5.4 and 5.6; 5.4 doesn't seem to have all the commands you mentioned. 5.6 does have something close. Is the syntax different in 5.4?

hmtay_FTNT

In 5.4, try "diagnose debug application wad -1", "diagnose debug enable".

 

The commands I have given you so far are for proxy-mode inspection. 

 

If you are using flow-mode inspection for a particular policy, you can identify if deep-inspection is used based on the flags when you enable "diagnose ips debug enable ssl". You might want to enable other debug logs along with ssl to get more information about the lines. Go to "diagnose ips debug enable ?" to find out what other options you have.

 

Certificate-inspection:

[26650/0]create_run_mode: SSL CA name: Fortinet_CA_SSL, untrust CA name: Fortinet_CA_Untrusted, VDOM: 0, enable: 0, mode: 1, verifyca: 1, invalid_cert_action: 2, untrust_ca_action: 4, whitelist: 0

 

Deep-inspection:

[26650/0]create_run_mode: SSL CA name: Fortinet_CA_SSL, untrust CA name: Fortinet_CA_Untrusted, VDOM: 0, enable: 1, mode: 2, verifyca: 1, invalid_cert_action: 2, untrust_ca_action: 4, whitelist: 0
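As an added example, not code from the thread or from Fortinet, the script below takes the two kinds of debug output quoted above (the proxy-mode wad lines from "diagnose wad enable category ssl" / "diagnose debug application wad -1", and the flow-mode "diagnose ips debug enable ssl" create_run_mode lines) and turns them into a short summary: which SNI hostnames the FortiGate saw in the ClientHello, whether an ssl-exempt result was returned for them, and which inspection mode the IPS engine started with. The regular expressions and the mode mapping (mode 1 = certificate inspection, mode 2 = deep inspection) follow the lines in the thread; the sample input is constructed from those same lines, and any field not shown there is an assumption.

```python
"""Summarise FortiGate SSL-inspection debug output (added example, not Fortinet's code).

Paste the output of the debug commands from the thread into WAD_SAMPLE / IPS_SAMPLE
(or feed a file to the functions) to list the SNI hostnames that were seen and
whether each one hit an SSL exemption, plus the IPS run mode (cert vs deep inspection).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the proxy-mode lines quoted in the thread, one entry per line.
WAD_SAMPLE = """\
wad_ssl_sock_port_exec_up_forward(10691): sp=0x317182b8/6
wad_ssl_proxy_srv_on_client_hello(5835): sp=0x317182b8/6 cert_inspect=0 minor ver/min/max=3/0/3.
wad_ssl_proxy_srv_on_client_hello(5865): sp(0x317182b8) get clt_hello svr_name(api.google.com), copy to hostname(0x32761330)
wad_ssl_proxy_srv_on_client_hello(5924): Sending https exempt request for hostname=api.google.com
wad_ssl_port_exempt_https_request(4446): sec_profile=0x318d442c url_filter=0 deep_scan=1 cert_inspect=0
wad_ssl_port_exempt_https_request(4452): ssl-exempt result: exempt_type=exempt_type_addr hostname(0x32761330)=api.google.com
wad_tp_webproxy_ssl_exempt_log(213): sent LOG_DATA_SSLACTION
"""

# Constructed sample: the two flow-mode create_run_mode lines quoted in the thread.
IPS_SAMPLE = """\
[26650/0]create_run_mode: SSL CA name: Fortinet_CA_SSL, untrust CA name: Fortinet_CA_Untrusted, VDOM: 0, enable: 0, mode: 1, verifyca: 1, invalid_cert_action: 2, untrust_ca_action: 4, whitelist: 0
[26650/0]create_run_mode: SSL CA name: Fortinet_CA_SSL, untrust CA name: Fortinet_CA_Untrusted, VDOM: 0, enable: 1, mode: 2, verifyca: 1, invalid_cert_action: 2, untrust_ca_action: 4, whitelist: 0
"""

SNI_RE = re.compile(r"svr_name\(([^)]+)\)")                       # SNI from the ClientHello
EXEMPT_RE = re.compile(r"ssl-exempt result: exempt_type=(\S+) hostname\([^)]*\)=(\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")                                # key=value flags on a line

# Mode values as labelled in the thread; other values are unknown to this script.
IPS_MODES = {"1": "certificate-inspection", "2": "deep-inspection"}


@dataclass
class SniRecord:
    hostname: str
    exempt_type: Optional[str] = None   # e.g. exempt_type_addr; None if no result line seen
    deep_scan: Optional[bool] = None    # deep_scan=1 flag on the exempt request


def parse_wad(text: str) -> Dict[str, SniRecord]:
    """Collect one SniRecord per svr_name seen in proxy-mode wad debug output."""
    records: Dict[str, SniRecord] = {}
    current: Optional[SniRecord] = None
    for line in text.splitlines():
        m = SNI_RE.search(line)
        if m:
            current = records.setdefault(m.group(1), SniRecord(m.group(1)))
            continue
        if "wad_ssl_port_exempt_https_request" in line and current is not None:
            kv = dict(KV_RE.findall(line))
            if "deep_scan" in kv:
                current.deep_scan = kv["deep_scan"] == "1"
            m = EXEMPT_RE.search(line)
            if m:
                # the result line carries the hostname, so tie the verdict to it directly
                records.setdefault(m.group(2), SniRecord(m.group(2))).exempt_type = m.group(1)
    return records


def parse_ips_run_mode(text: str) -> List[Dict[str, str]]:
    """Split each create_run_mode line into its 'key: value' fields and label the mode."""
    out: List[Dict[str, str]] = []
    for line in text.splitlines():
        if "create_run_mode:" not in line:
            continue
        fields: Dict[str, str] = {}
        for part in line.split("create_run_mode:", 1)[1].split(","):
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
        fields["inspection"] = IPS_MODES.get(fields.get("mode", ""), "unknown")
        out.append(fields)
    return out


def report(wad_text: str, ips_text: str) -> List[str]:
    """One human-readable line per SNI hostname and per IPS run-mode entry."""
    lines = []
    for rec in parse_wad(wad_text).values():
        lines.append(f"SNI {rec.hostname}: exempt_type={rec.exempt_type} deep_scan={rec.deep_scan}")
    for f in parse_ips_run_mode(ips_text):
        lines.append(f"IPS run mode: enable={f.get('enable')} mode={f.get('mode')} -> {f['inspection']}")
    return lines


if __name__ == "__main__":
    for entry in report(WAD_SAMPLE, IPS_SAMPLE):
        print(entry)
```

Running it against the sample prints one line for api.google.com showing the exempt_type_addr result and deep_scan=1, followed by the two IPS entries labelled certificate-inspection and deep-inspection. On a live unit, capture the debug output to a file and pass its contents to `report()`; the svr_name values it lists are the FQDNs you would put in an SSL exemption for an application such as the one the original question asks about.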

 
