Ydaew
New Contributor III

SSL Decryption

Hello, 

I'm using FortiGate to decrypt web server traffic. How can I tell from the FortiGate log itself whether the traffic is really being decrypted?

1 Solution
emnoc
Esteemed Contributor III

You can monitor the logs and look at the fwpolicyid. A sure way is to inspect the client/server hello. If you see the MiTM forced certificate in the HTTPS lock in the browser, then you know a device was in the middle. Review the following:

http://socpuppet.blogspot.com/2017/11/ssl-state-cache-msie.html

The left screenshot is a proxy doing MiTM and the right is the correct CA chain. https://crt.sh/ is a good tool to know the proper cert issuer details, btw.

e.g. (to see all certs listed for example.com):

https://crt.sh/?q=%25.example.com

Ken Felix

PCNSE 

NSE 

StrongSwan  

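The browser-lock check described in the answer, automated as an added example (not from the forum post or from Fortinet): it classifies a TLS leaf certificate as re-signed by the inspection CA or issued directly by a public CA, using the dict shape Python's `ssl` module returns. The inspection CA name `FortiGate CA` and the sample certificate dicts are assumptions constructed for the example; take the real CA name from your own SSL inspection profile.

```python
import ssl
import socket

# Assumed inspection-CA commonName; replace with the CA configured in your
# FortiGate SSL/SSH inspection profile (placeholder, not from the forum post).
INSPECTION_CA_CN = "FortiGate CA"


def issuer_cn(peercert):
    """Return the issuer commonName from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(peercert, inspection_ca_cn=INSPECTION_CA_CN):
    """'intercepted' when the leaf was re-signed by the inspection CA (MiTM in path),
    'direct' when some other CA issued it, 'unknown' when no issuer is present."""
    cn = issuer_cn(peercert)
    if cn is None:
        return "unknown"
    return "intercepted" if cn == inspection_ca_cn else "direct"


def fetch_peercert(host, port=443, timeout=5.0):
    """Live probe: complete a TLS handshake and return the parsed leaf cert.
    Verification uses the local trust store, so the inspection CA must be
    installed on this host for an intercepted connection to succeed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample dicts in getpeercert() format (not real certificates).
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Fortinet"),), (("commonName", "FortiGate CA"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    for name, cert in (("intercepted", SAMPLE_INTERCEPTED), ("direct", SAMPLE_DIRECT)):
        print(name, "->", classify(cert))
```

Run `classify(fetch_peercert("www.example.com"))` from a client behind the FortiGate to confirm interception for a given destination; a `direct` result for a site that should be inspected means that flow is bypassing decryption.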