Yuri Slobodyanyuk Blog on Information Security, 12 September 2024
Disabling SSL Deep inspection proxy in Fortigate should be easier
This article records a problem encountered when using the SSL Deep Inspection feature on a Fortigate 80C, and the workaround that resolved it. The problem appeared when the client added a backup device to the LAN that communicates with cloud servers over POP3S. During SSL Deep Inspection the Fortigate intercepted that communication and presented its own SSL certificate to the cloud servers, so the backup device could not use its own SSL certificate and the communication failed. The fix was to disable SSL Inspection, which let the backup device use its own SSL certificate with the cloud servers as intended.

🤔 With SSL Deep Inspection enabled, the Fortigate 80C intercepts POP3S, SMTPS and IMAPS certificates, so the backup device cannot use its own SSL certificate to communicate with the cloud servers.

💡 The problem can be solved by disabling SSL Inspection, but that may leave a security gap, so the trade-off has to be weighed.

🔧 Other approaches could be tried, such as using a different backup device, or configuring the Fortigate to let the backup device use its own SSL certificate.

⚠️ Because the Fortigate 80C firmware in question is old, other unknown issues may exist; upgrading to the latest version is recommended for the best performance and security.

🚧 The backup device communicates with the cloud servers over POP3S; where security requirements are higher, a more secure protocol such as HTTPS is recommended.

This one can be filed under Fortinet ‘undocumented/unwanted’ feature rather than bug. The case in question: Fortigate 80C, firmware 4-something, all subscriptions up-to-date, no crazy configurations, all looks fine... Until the client adds to his LAN some back-up device that works by gathering data from agents installed on PCs and then pushes the backups from behind the Fortigate to cloud storage residing on the Internet.

The problem with it occurred on install of the backup box, and its reason was also clear as vodka: the backup box uses the POP3S protocol (POP3 encrypted with SSL, using certificates) to communicate with the cloud servers, and when this communication passes the Fortigate, the Fortigate intercepts it for SSL Deep inspection (man-in-the-middle) and presents to the cloud servers its own (i.e. the Fortigate's) SSL certificate, thus preventing the backup box from using its own SSL certificate. The remote cloud servers, of course, refuse to accept it.

So, what’s the fuss? Just disable SSL inspection and that’s it, no? According to Fortinet, yes: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31820 “FortiGate Intercepts POP3S, SMTPS and IMAPS certificates”. But real life says no.

First, the document above lists commands that the Fortigate 80C didn’t recognize; ok, no big deal. We tried to remove any protection profile from the hosts in question, and to add a protection profile with HTTPS inspection disabled - still nada.

In the end, as the client didn’t really need this feature at all, we just disabled SSL inspection for good, and it finally did the job.

The steps and output from the device are below.

FGT80C # get firewall ssl setting

caname : Fortinet_CA_SSLProxy
cert-cache-capacity : 100
cert-cache-timeout : 10
no-matching-cipher-action: bypass
proxy-connect-timeout: 30
session-cache-capacity: 500
session-cache-timeout: 20
ssl-dh-bits : 1024
ssl-max-version : tls-1.0
ssl-min-version : ssl-3.0
ssl-send-empty-frags: enable

Get the statistics/diagnostics info about SSL Proxy in Fortigate:

FGT80C # diagnose test application ssl 0

SSL Proxy Test Usage
1: Dump Memory Usage
2: Drop all connections
3: Display PID
4: Display connection stat
5: Toggle AV Bypass mode
6: Display memory statistics
44: Display info per connection
11: Display connection TTL list
12: Clear the SSL certificate cache
13: Clear the SSL session cache
14: Display PKey file checksum
15: Clear the SSL server name cache
99: Restart proxy
SSL Proxy stats:

FGT80C # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:21:06.569388
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7838
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is off
Drop on backlog is on
Accounting is off

This one is important: it shows the connections under SSL inspection. Here 13.43.12.77 is the remote cloud server (sanitized) and 192.168.10.150 is the backup box in the LAN.

FGT80C# diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541
proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540
proxy=pop3s id=8068 clt=41(r=0, w=0) srv=42(r=1, w=0) c:192.168.10.150:56245 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3401
proxy=pop3s id=8067 clt=26(r=0, w=0) srv=27(r=1, w=0) c:192.168.10.150:36902 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3399
proxy=pop3s id=8039 clt=24(r=0, w=0) srv=25(r=1, w=0) c:192.168.10.150:40980 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2625
proxy=pop3s id=8032 clt=35(r=0, w=0) srv=36(r=1, w=0) c:192.168.10.150:39432 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2424
proxy=pop3s id=8029 clt=28(r=0, w=0) srv=29(r=1, w=0) c:192.168.10.150:39429 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2415
Current pop3s connections = 12
Current smtps connections = 0
Current ftps connections = 0
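Reading that per-connection listing by eye works for a dozen entries; on a busier box it helps to parse it. The script below is an added example, not code from the post or from Fortinet: it pulls every `proxy=... state=... expire=...` record out of the `diagnose test application ssl 44` output, flags the ones parked in SSL_CONTINUE_SETUP_STATE that never carried any application bytes (c2s/s2c=0/0, which is exactly the signature of the backup box's failed handshakes above), and counts them per client, server and proxy type so the intercepted host and service stand out. The regex scans the whole text rather than line by line, so it also copes with output whose line breaks were lost when it was copied, as happened on this page. The sample input is constructed for the example (the same sanitized addresses as the post, plus one made-up `https` record whose state name is invented for illustration only).

```python
import re
from collections import Counter

# Constructed sample, not output captured for this post: two pop3s records in the
# shape `diagnose test application ssl 44` prints (same sanitized addresses as the
# post) plus one made-up https record. The second line deliberately runs two
# records together, as the copied output on the page does. "SSL_DATA_STATE" and the
# 203.0.113.9 server are invented for the example, not known FortiOS values.
SAMPLE_OUTPUT = """\
Current https connections = 0
Current imaps connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541
proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540proxy=https id=8001 clt=11(r=0, w=0) srv=12(r=0, w=0) c:192.168.10.20:50123 -> s:203.0.113.9:443 c2s/s2c=1820/9411 state=SSL_DATA_STATE duration=41 expire=3590
Current pop3s connections = 2
Current smtps connections = 0
Current ftps connections = 0
"""

# One record = one proxied connection. No anchors, so it matches even when the
# records are run together on one line.
CONN_RE = re.compile(
    r"proxy=(?P<proxy>\w+)\s+id=(?P<id>\d+)\s+"
    r"clt=(?P<clt>\d+)\(r=(?P<clt_r>\d+),\s*w=(?P<clt_w>\d+)\)\s+"
    r"srv=(?P<srv>\d+)\(r=(?P<srv_r>\d+),\s*w=(?P<srv_w>\d+)\)\s+"
    r"c:(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+->\s+"
    r"s:(?P<server_ip>[\d.]+):(?P<server_port>\d+)\s+"
    r"c2s/s2c=(?P<c2s>\d+)/(?P<s2c>\d+)\s+"
    r"state=(?P<state>\w+)\s+duration=(?P<duration>\d+)\s+expire=(?P<expire>\d+)"
)

INT_FIELDS = ("id", "clt", "clt_r", "clt_w", "srv", "srv_r", "srv_w",
              "client_port", "server_port", "c2s", "s2c", "duration", "expire")


def parse_connections(text):
    """Return one dict per proxied connection found in the diagnose output."""
    conns = []
    for m in CONN_RE.finditer(text):
        rec = m.groupdict()
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        conns.append(rec)
    return conns


def stuck_handshakes(conns):
    """Connections still in SSL setup that never moved a byte of application data."""
    return [c for c in conns
            if c["state"] == "SSL_CONTINUE_SETUP_STATE"
            and c["c2s"] == 0 and c["s2c"] == 0]


def summarize(conns):
    """Count stuck handshakes per (client, server:port, proxy type)."""
    return Counter((c["client_ip"], f'{c["server_ip"]}:{c["server_port"]}', c["proxy"])
                   for c in stuck_handshakes(conns))


def report(text):
    """Human-readable summary of which LAN host is failing through which proxy."""
    conns = parse_connections(text)
    stuck = stuck_handshakes(conns)
    lines = [f"{len(conns)} proxied connection(s), {len(stuck)} stuck in SSL setup"]
    for (client, server, proxy), n in summarize(conns).most_common():
        lines.append(f"  {client} -> {server} ({proxy}): {n} stuck handshake(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))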

FGT80C # diagnose test application ssl 5

SSL AV Bypass is now on

FGT80C3909621311 # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:22:37.346514
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7839
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is on
Drop on backlog is on
Accounting is off

FGT80C3909621311 # diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
Current pop3s connections = 0
Current smtps connections = 0
Current ftps connections = 0

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
