Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

Created on ‎02-15-2018 08:17 AM

Application control detects encrypted traffic

Hi experts,

 

How can Application Control detect applications over encrypted traffic? I am using Application Control and works fine, I can block youtube videos, facebook and so on, over HTTPS, so the traffic is encrypted. But I am not enabling deep inspection and it can detects applications anyway. How can Application Control do this without enabling deep inspection?

 

Regards,

Julián

10073
0 Kudos
2 Solutions
jacob_shaw
New Contributor II
In response to fjulianom

Created on ‎02-28-2018 10:37 AM

Additionally, Application Control probably looks at the Server Name Indication (SNI) header at the start of the TLS handshake process and tags that TLS stream accordingly. The SNI (usually the domain name of the server. eg. "www.google.com") is normally passed unencrypted during the initial handshake process. You can see this in Wireshark. Look under "Extension: server_name" in a Client Hello packet.

View solution in original post

5744
0 Kudos
kurtli_FTNT
Staff
Staff
In response to fjulianom

Created on ‎04-02-2018 01:45 PM

Hi Julián,

    As previous posts have pointed out, not all data in a SSL session are encrypted. The SSL handshake messages are plaintext and readable. The SNI extension in "Client Hello" msg tells where the traffic goes to, thus it can be used by APPCtl to do the basic checking. The 'deep-inspection' offers more. If you want to see the content of pages and check them more subtly, then you have to use it.

 

 

Regards

View solution in original post

5744
0 Kudos
6 REPLIES 6
fjulianom
New Contributor III

Created on ‎02-19-2018 05:55 AM

Hi guys,

 

Any idea? The question is short, how can FortiGate recognise application patterns within the traffic when this is encrypted? Deep inspection is not being used.

 

Regards,

Julián

5693
0 Kudos
dieter
New Contributor
In response to fjulianom

Created on ‎02-22-2018 07:37 AM

URL's and ip-ranges already reveal a lot, I guess.

Maybe packet headers also contain very specific things.

5693
0 Kudos
fjulianom
New Contributor III
In response to dieter

Created on ‎02-22-2018 08:23 AM

Hi dieter,

 

It could be, but Application control doesn't work with URL's as Web filtering does. According to NSE4, it matches patterns in the entire byte stream of the packet, and then looks for patterns, and not only works with the packet headers.

 

Regards,

Julián

5693
0 Kudos
jacob_shaw
New Contributor II
In response to fjulianom

Created on ‎02-28-2018 10:37 AM

Additionally, Application Control probably looks at the Server Name Indication (SNI) header at the start of the TLS handshake process and tags that TLS stream accordingly. The SNI (usually the domain name of the server. eg. "www.google.com") is normally passed unencrypted during the initial handshake process. You can see this in Wireshark. Look under "Extension: server_name" in a Client Hello packet.

5745
0 Kudos
fjulianom
New Contributor III
In response to jacob_shaw

Created on ‎02-28-2018 10:43 AM

Hi Jacob,

 

Then you mean that Application Control looks at the SNI and according to that SNI category it blocks or allows the traffic?

 

Regards,

Julián

5693
0 Kudos
kurtli_FTNT
Staff
Staff
In response to fjulianom

Created on ‎04-02-2018 01:45 PM

Hi Julián,

    As previous posts have pointed out, not all data in a SSL session are encrypted. The SSL handshake messages are plaintext and readable. The SNI extension in "Client Hello" msg tells where the traffic goes to, thus it can be used by APPCtl to do the basic checking. The 'deep-inspection' offers more. If you want to see the content of pages and check them more subtly, then you have to use it.

 

 

Regards

5745
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.