SSL Decryption On A FortiGate

  • Published: 2 Oct 2024

Comments • 28

  • @bavobostoen 6 years ago +7

    Audio has been fine all along...

  • @kT2015N 2 months ago

    Could you please explain how to check the ciphers enabled in the SSL VPN settings... using the CLI?

  • @Bahraini_boy 11 months ago

    Hi. I have a FortiGate 81F at home to control the internet for my kids. Please advise how I get certificates or do deep SSL inspection for my home network, as I don't have an AD directory etc. I just need to have full visibility and proper blocking for my kids' internet. Can you share some links on how to do that?

  • @ahslan 6 years ago +2

    Thanks for the video. I do feel like the audio was better in this video :)
    Question about the cert that the FortiGate uses for SSL inspection: I also have a FortiWiFi at home (60E). Are there any security concerns regarding just manually installing the cert that the firewall comes with on the various machines I have at home and using that cert for the SSL inspection policy?

    • @rickguthier1037 6 years ago

      For home, that would be fine for PCs, other devices like iPads, and iPhones - I don't think you can get around the cert warning. Each device on your home network would need to install and trust it.

    • @ahslan 6 years ago

      Thanks. Yeah, I think I'll just need to create various firewall policies to tackle each type of device (mobile devices, PCs, IoT devices).

    • @FortinetGuru 6 years ago

      You can avoid cert warnings on iPhones if you surf with Chrome. Safari is no bueno though.

    • @RowanKaag 6 years ago +1

      Safari on macOS and iOS can both work under SSL Inspection. Easiest way for iOS is to save the certificate in something like iCloud and open it on your mobile device manually. It will ask you if you want to install the cert and trust it. For corporate networks you would push a .mobileconfig file via a MDM suite.

  • @BlueWizardsII 3 years ago

    Do you have contact info somewhere? Because I'd like to try to set up our FGT30E to "terminate" an incoming TLS request and then port forward that to another server on our intranet.
    If that is possible, it would be an easier solution than having the target server implement TLS itself. A reference to a consultant would suffice also. The application is for a DICOM protocol request coming from a server that would have a certificate itself that is configurable, and there are AETs (Application Entity Titles) that are part of that which can be checked on the target server. It can get a little complicated, which is why I would like to be put in touch with a consultant whom I would be willing to pay a fee if we can get it set up in the best way possible. The alternatives are native TLS for the target server, or using something like Citrix, Stunnel, NGINX, etc.
    The intranet is pretty secure, especially if the Fortigate would just forward the request directly to the target server over a wire, which is the way it is setup.

  • @vulcan6036 6 years ago +1

    Good explanation. I have just set up the exact same solution.

  • @MohdHasan-mh7cl 2 years ago

    Hi Mike... I am trying to mirror SSL traffic by defining Decrypted Traffic Mirror in the policy. The mirrored traffic, when opened in Wireshark, shows a lot of "Spurious TCP retransmissions", "Out-of-order" and "Dup ACKs". Also, since the mirrored traffic is decrypted, I expect to see the HTTP header and the trailing clear-text data, but I only see "TCP payload" or "Encrypted data" (in Wireshark). Any idea why this is happening? I tried changing the mirror direction to "Both" and "Client"; the issue persisted.
    On the other hand, I don't see any 'bad' packets in Wireshark if I mirror the traffic using SPAN (software switch). Tried looking up online but there isn't any discussion about mirrored traffic using SSL decryption other than 'how it's configured'. Would appreciate your insight.

  • @kwsrchoudhury 1 year ago

    How can I check the SSL/TLS encryption on a FortiGate/Fortinet device?
    There was a vulnerability reported for a VPN site.

    • @FortinetGuru 1 year ago

      You would execute it on the firewall via the policy and SSL Inspection profile assigned to it.

  • @bavobostoen 6 years ago +1

    Even if the internal computers trust the certificate installed on the FortiGate, I still experience a lot of issues where deep inspection will not work with certain secured sites. Can you comment on this? I think it may have to do with the fact that these sites send back their cert to the browser behind the firewall (may be called pinning?), so it knows traffic has been intercepted (because the 'true' cert is different from the one installed on the FortiGate). I really would appreciate some more expert info on these issues, because I'm struggling with it. Thanks for all the excellent info!

    • @FortinetGuru 6 years ago

      This is very true. Some applications just don't work well. In cases like these you have to have an exception to the SSL policy so you can let those particular applications or sites circumvent the decryption.

    • @RowanKaag 6 years ago +2

      Bavo Bostoen, there are several cases where intercepting secured traffic will cause the connection to fail, as the client will drop the connection when:
      - Certificate pinning is applied (either via DNS or preloaded/hardcoded in the app/browser). Because of the pinning, the app knows what cert to expect but gets a different one (the FortiGate's), hence it drops the connection.
      - Cipher suites returned by the intercepting device to the client aren't supported by the client. A common one is RC4, which is blocked in a lot of SSL-capable applications.
      - The FortiGate returns a different interception certificate than you'd think when the FortiGate is the one dropping the connection (for example, if the end server has an expired certificate or a very weak key size).
      - An application doesn't inherit Windows' trust store (such as Firefox or Java), so the MiTM CA isn't trusted as you might expect it to be, which causes the trust validation to fail, hence the connection is dropped.

    • @illiad1213 4 years ago

      Are there any log messages or debug commands (sniffer, flow, or otherwise) that will show when the cause of an issue is SSL DPI and what URL/IP needs to be exempted to resolve the issue? We often have end customers who report issues with certain websites or services, and tracking down what to exempt from SSL DPI once policies and web filtering are ruled out is a nightmare.

  • @alaashaheen1042 3 years ago

    Hello, I would like to thank you for the knowledge sharing and your video. It is great. One question on the SSL cert:
    If I use the certificate that I bought from DigiCert, do I have to install anything on the client devices?

  • @Tathamet 2 years ago

    This is gold, thanks Mike. BTW the audio is just fine :)

  • @poladrianbinas2156 3 years ago

    Sir, I'm new to this. Can a Fortinet firewall block downloads to end users, like .exe files etc.?

  • @LucPaulin 6 years ago

    Not sure how the browser won't complain about the FortiGate's certificate when you browse to a secure site. If the certificate was issued for host myfw.mydomain.com and you're trying to access your bank account at www.mybank.com, the browser should be smart enough to raise an alert that the certificate name doesn't match the URL/site you're trying to access. Do you mind clarifying this part?

    • @rickguthier1037 6 years ago +2

      In an internal PKI like Microsoft AD CS, have the root CA or a subordinate CA sign a cert for the FortiGate as another subordinate CA. Then the FortiGate will on the fly make a cert (such as "*.reddit.com" or, in your example, *.mybank.com) to match the hostname of the website visited. If the end system is part of your PKI, it trusts this cert, which matches the HTTPS request. Like Bavo below suggests, certain things can still break, and bypassing or whitelisting these sites avoids this.
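
      A worked reconstruction of the chain Rik describes above, and of the pinning and trust-store failures Rowan lists in the earlier reply. This is an added openssl example and not Fortinet's code or the FortiGate's own implementation: it builds a constructed corporate root CA, signs a subordinate "inspection" CA for the firewall, mints a leaf for www.mybank.com the way the FortiGate would, and then checks that leaf from the point of view of a PKI-joined client, a client with its own trust store, a client that checks the hostname, and a client that pins the genuine server key. All CA names, hostnames, file names and the stand-in "genuine" bank certificate are made up for illustration.

```shell
#!/bin/sh
# Added example (not Fortinet code): reproduce a FortiGate-style inspection PKI
# with openssl and test it from several clients' points of view.
# All CA names, hostnames and certificates below are constructed for illustration.
set -eu

work=$(mktemp -d)

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
cat > "$work/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# 1. Corporate root CA (what AD CS would hold; every PKI-joined client trusts it).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$work/req.cnf" \
  -subj "/CN=Example Corp Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null

# 2. Subordinate CA for the firewall, signed by the root. This is the cert and key
#    you would import into the FortiGate and select in the SSL inspection profile.
openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
  -subj "/CN=FortiGate SSL Inspection CA" \
  -keyout "$work/fgt.key" -out "$work/fgt.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$work/ca.ext"
openssl x509 -req -sha256 -days 365 -in "$work/fgt.csr" \
  -CA "$work/root.pem" -CAkey "$work/root.key" -CAcreateserial \
  -extfile "$work/ca.ext" -out "$work/fgt.pem" 2>/dev/null

# 3. Leaf the firewall mints on the fly for the site the user visited.
#    Its SAN matches the requested hostname, so there is no name-mismatch warning.
openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
  -subj "/CN=www.mybank.com" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.mybank.com\nextendedKeyUsage=serverAuth\n' > "$work/leaf.ext"
openssl x509 -req -sha256 -days 30 -in "$work/leaf.csr" \
  -CA "$work/fgt.pem" -CAkey "$work/fgt.key" -CAcreateserial \
  -extfile "$work/leaf.ext" -out "$work/leaf.pem" 2>/dev/null

# 4. Stand-in for the bank's genuine certificate (constructed, self-signed),
#    whose public key a pinning client has preloaded.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$work/req.cnf" \
  -subj "/CN=www.mybank.com" -addext "subjectAltName=DNS:www.mybank.com" \
  -keyout "$work/real.key" -out "$work/real.pem" 2>/dev/null

# Client A: Windows box joined to the PKI; trusts the corporate root and
# checks that the certificate name matches the URL (default: www.mybank.com).
verify_with_root() {
  openssl verify -CAfile "$work/root.pem" -untrusted "$work/fgt.pem" \
    -verify_hostname "${1:-www.mybank.com}" "$work/leaf.pem" 2>/dev/null | grep -q ': OK'
}

# Client B: Firefox/Java with their own trust store; the corporate root is absent.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$work/fgt.pem" \
    "$work/leaf.pem" 2>/dev/null | grep -q ': OK'
}

# Client C: app with a preloaded pin on the SHA-256 of the genuine key's SPKI.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}
pin_matches() { [ "$(spki_pin "$work/leaf.pem")" = "$(spki_pin "$work/real.pem")" ]; }

if verify_with_root; then echo "PKI-joined client: accepts the minted cert (inspection works)"; fi
if verify_with_root www.otherbank.com; then :; else echo "wrong hostname: rejected, the SAN must match the URL"; fi
if verify_without_root; then :; else echo "client without the corporate root: rejected (Firefox/Java case)"; fi
if pin_matches; then :; else echo "pinned client: minted SPKI $(spki_pin "$work/leaf.pem") != pinned key, connection dropped"; fi
```

      The last two checks are the ones that no amount of certificate deployment fixes: a client that does not consult the OS trust store needs the root pushed into its own store, and a client that pins the origin's key has to be exempted from inspection, which is why the exemption list Rik and Bavo mention exists.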

    • @bavobostoen 6 years ago

      @Rik: thanks for the useful info regarding AD CS (gosh, I need to start archiving these comments). I find the SSL whitelisting to be a lot of work; it seems more and more sites are finding ways around it, especially the bigger cloud providers. And the value of the inspection diminishes because of it. Unless I'm missing something. Do you agree?

    • @ahslan 6 years ago

      I think for a lot of sites it just might not make sense or be worth the hassle, in which case it's useful to take advantage of the categories option that the FortiGate offers for whitelisting (like Banking). I'm curious how well the "Reputable Websites" option works in terms of saving yourself a lot of hassle from having to whitelist a ton of sites.

    • @FortinetGuru 6 years ago

      It is a lot of work. The visibility is crucial for organizations though.

    • @rickguthier1037 6 years ago +1

      Fortinet Guru
      We are just getting started with it, but without it there really is no way to expect that you are catching malware and viruses, since you can't see any of it. With the use of common policy packages we hope to be able to take advantage of FortiManager to keep it all current and synced.