Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Virtual Server Report
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Virtual Server Report
Currently running FortiOS 7.2.11 and we're exposing a web server behind a Virtual Server configured for SSL offloading. Our security team is asking us to set the minimum protocol to TLS 1.2, but we've been asked to make sure no legacy clients are still using TLS 1.1.
I checked the forwarding logs and am not seeing protocol or ciphers, is there a way to see this in the logs or to pull this from FortiAnalyzer?
Denny
Labels:
- Labels:
-
FortiAnalyzer
-
FortiGate
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your SSL inspection profile, try enable some of the below:
ssl-anomaly-log Enable/disable logging of SSL anomalies.
ssl-negotiation-log Enable/disable logging SSL negotiation.
ssl-server-cert-log Enable/disable logging of server certificate information.
ssl-handshake-log Enable/disable logging of TLS handshakes.
You should then be able to see the related logs in FortiGate > Logs > SSL inspection logs, and in FAZ as well
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I sure was hopeful this was going to work. I cloned the "certificate-inspection" policy and added the logging commands to the clone. I then applied the cloned policy to the firewall policy permitting traffic from the Internet to the Virtual Server that is configured for full ssl offloading. Unfortunately, nothing is showing in the logs.
Armed with the new knowledge above, I asked ChatGPT to help, and it responded that with a VIP configuration, Deep Inspection would need to be setup to get the logging data I was after. Since this is traffic from the Internet, I don't think Deep Inspection will be an option here.
Perhaps I missed a setting to enable this? I will add this new cloned policy to an Outbound firewall policy to see if something logs when not using a Virtual Server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are setting up a VIP to protect an server accessed from internet, in case you don't have a dedicated WAF then the recommended configuration is to enable deep inspection with SSL offloading on VS in order to scan the traffic after being decrypted.
Also use proxy based inspection in the firewall policy and add IPS and WAF profiles.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While this sounds like a solid security recommendation, would this solve my current need of identifying the negotiated TLS version in the logs?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably, since with certificate inspection the negotiation is with the back-end server, while in deep inspection the negotiation is with FortiGate.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, this logs nothing. Here is the configuration, perhaps I missed something? I didn't enable WAF or IPS yet, but those don't seem relevant to the current issue at the moment.
VIP setup
config firewall vip
edit "mydomainname-vip"
set type server-load-balance
set extip x.x.x.35
set extintf "any"
set server-type https
set http-ip-header enable
set persistence http-cookie
set extport 443
config realservers
edit 1
set ip x.x.x.51
set port 443
next
end
set ssl-mode full
set ssl-certificate "mydomain_cert"
next
end
SSL Inspection Policy
config firewall ssl-ssh-profile
edit "deep-inspection-logging"
set comment "Deep inspection profile."
config https
set ports 443
set status deep-inspection
end
config ftps
set status disable
end
config imaps
set status disable
end
config pop3s
set status disable
end
config smtps
set status disable
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
config ssl-exempt
edit 1
set type wildcard-fqdn
set wildcard-fqdn "adobe"
next
edit 2
set type wildcard-fqdn
set wildcard-fqdn "Adobe Login"
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "android"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "apple"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "appstore"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "auth.gfx.ms"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "autoupdate.opera.com"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "citrix"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "dropbox.com"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "eease"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "firefox update server"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "fortinet"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "google-drive"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "google-play"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "google-play2"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "google-play3"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "googleapis.com"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "live.com"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "microsoft"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "skype"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "softwareupdate.vmware.com"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "swscan.apple.com"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "update.microsoft.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "verisign"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "Windows update 2"
next
end
set server-cert-mode replace
set server-cert "mydomain_cert"
set ssl-negotiation-log enable
set ssl-server-cert-log enable
set ssl-handshake-log enable
next
end
config firewall policy
edit 1234
set name "internet-to-webserver"
set srcintf "WAN"
set dstintf "DMZ"
set action accept
set srcaddr "all"
set dstaddr "mydomainname-vip"
set schedule "always"
set service "HTTPS"
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection-logging"
set logtraffic all
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the SSL inspection profile, can you try with "Protecting SSL Server" instead of "Multiple Clients Connecting to Multiple Servers"?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is currently setup this way now. We went ahead and set the minimum TLS to 1.2 and are monitoring the application closely.
Labels
-
FortiGate
10,597 -
FortiClient
2,159 -
FortiManager
890 -
5.2
687 -
FortiAnalyzer
681 -
5.4
638 -
FortiSwitch
584 -
FortiClient EMS
564 -
FortiAP
559 -
IPsec
420 -
6.0
416 -
SSL-VPN
376 -
FortiMail
372 -
5.6
362 -
FortiNAC
283 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
193 -
FortiAuthenticator
173 -
FortiGuard
160 -
5.0
152 -
Firewall policy
144 -
FortiGate-VM
133 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
FortiEDR
69 -
FortiADC
68 -
BGP
68 -
Authentication
66 -
Certificate
65 -
RADIUS
61 -
LDAP
60 -
fortilink
55 -
SSO
54 -
FortiSandbox
53 -
NAT
53 -
FortiExtender
51 -
4.0MR3
49 -
vdom
47 -
Application control
45 -
FortiDNS
43 -
Interface
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
NAC policy
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2593 | |
| 1382 | |
| 800 | |
| 659 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.