diag debug enable diag debug console timestamp enable diag debug flow show console enable diag debug flow show function-name enable diag debug flow filter addr 10.9.193.232 diag debug flow filter port 443 diag debug flow trace start 50Then try from 10.9.193.232. To stop and clear:
diag debug disable diag debug flow filter clear diag debug resetAlso try this:
diag debug enable diag debug console timestamp enable diag debug app ssl -1To stop and reset:
diag debug disable diag debug resetYou may want to log printable output to a file by using puTTy. You might be seeing TCP RST because of your browser.
2013-06-14 15:12:06 69:ssl srv port close recv 2013-06-14 15:12:06 69:shouldReset, type 1 2013-06-14 15:12:06 [65]-<000.000000> [69]: 10.9.193.232:45210 --> 74.125.229.178:443: [SSL SVRRDRDY ] Event - RESET_EVENT 2013-06-14 15:12:06 [65]-<000.000000> [69]: 10.9.193.232:45210 --> 74.125.229.178:443: [SSL SVRRDRDY ] RESET_STATE 2013-06-14 15:12:06 [65]-[69] ips closed 2013-06-14 15:12:06 ipsapp ses 69 close 2013-06-14 15:12:06 ipsapp ses 69 send end msg 145 len 0 dir 0 2013-06-14 15:12:06 69:checkConnectionEvent 2013-06-14 15:12:06 69:resetConn 2013-06-14 15:12:06 69:proxy_ssl_port_exit 2013-06-14 15:12:06 69:proxy_ssl_port_close ... 2013-06-14 15:12:09 70:checkConnectionEvent 2013-06-14 15:12:09 check fd 12 2013-06-14 15:12:09 clear client read 2013-06-14 15:12:09 set client write 2013-06-14 15:12:09 check fd 13 2013-06-14 15:12:09 set server read 2013-06-14 15:12:09 set server write 2013-06-14 15:12:09 70:sslStateCheck 2013-06-14 15:12:09 reset event 2013-06-14 15:12:09 [65]-<000.000000> [70]: 10.9.193.232:45211 --> 74.125.229.178:443: [SSL LOOPEND ] Event - RESET_EVENT 2013-06-14 15:12:09 [65]-<000.000000> [70]: 10.9.193.232:45211 --> 74.125.229.178:443: [SSL LOOPEND ] RESET_STATE 2013-06-14 15:12:09 [65]-[70] ips closed 2013-06-14 15:12:09 ipsapp ses 70 close 2013-06-14 15:12:09 ipsapp ses 70 send end msg 147 len 0 dir 0 2013-06-14 15:12:09 70:resetConn 2013-06-14 15:12:09 70:proxy_ssl_port_exit 2013-06-14 15:12:09 70:proxy_ssl_port_close..seem interesting. Looks like your client is sending a RST. Sounds like a certificate error? What configuration method did you use? Did you install both the private key of the cert and the public cert to make the Fortigate a subordinate CA? " CA:TRUE" is listed in Certificate Details? [this was done by either using `openssl ca -extensions v3_ca` or by requesting a " subordinate CA" cert from a MSFT Windows CA] Sorry to review the trivialities.
curl --insecure https://google.comThat' s interesting, seeing:
<HTML><HEAD><meta http-equiv=" content-type" content=" text/html;charset=utf-8" > <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF=" https://www.google.com/" >here</A>. </BODY></HTML>What happens if: 1) you create a URL Filter and exempt google.com? 2) you disable " Block HTTP Redirects by Rating" ? (I know this won' t do anything) 3) you access another 301 redirected page? 4) Try to review the logs to see if web filter or app control are dropping the packets... what about other layers in your packet flow beyond the ssl mitm proxy and the firewall policies? 5) If this was working before, but now is not, you can also try to restart the ssl daemon:
diag test app ssl 99
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.