

Disabling SSL Deep inspection proxy in Fortigate should be easier

This one can be filed under Fortinet ‘undocumented/unwanted’ feature rather than bug. The case in question: Fortigate 80C, firmware 4.something, all subscriptions up-to-date, no crazy configurations, life is beautiful… Until the client adds to his LAN a backup device that works by gathering data from agents installed on the PCs and then pushes it from behind the Fortigate to cloud storage out on the Internet.

The problem showed up on install of the backup box, and its reason was as clear as vodka: the backup box uses the POP3S protocol (POP3 encrypted with SSL using certificates) to communicate with the cloud servers, and when this communication passes through the Fortigate, the Fortigate intercepts it for SSL deep inspection (man-in-the-middle) and presents to the cloud servers its own (i.e. Fortigate) SSL certificate, thus preventing the backup box from using its own SSL certificate. The remote cloud servers, of course, refuse to accept it.

So, what’s the fuss? Just disable SSL inspection and that’s it, no? According to Fortinet, yes: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31820 (“FortiGate Intercepts POP3S, SMTPS and IMAPS certificates”). But real life says no.

First, the document above lists commands that the Fortigate 80C didn’t recognize; ok, no big deal. We tried removing any protection profile from the hosts in question, then adding a protection profile with HTTPS inspection disabled. Still nada.

In the end, as the client didn’t really need this feature at all, we just disabled the SSL proxy for good, and that finally did the job.

The steps and output from the device are below.

FGT80C # get firewall ssl setting

caname : Fortinet_CA_SSLProxy
cert-cache-capacity : 100
cert-cache-timeout : 10
no-matching-cipher-action: bypass
proxy-connect-timeout: 30
session-cache-capacity: 500
session-cache-timeout: 20
ssl-dh-bits : 1024
ssl-max-version : tls-1.0
ssl-min-version : ssl-3.0
ssl-send-empty-frags: enable

Get the statistics/diagnostics info about SSL Proxy in Fortigate:

FGT80C # diagnose test application ssl 0

SSL Proxy Test Usage
1: Dump Memory Usage
2: Drop all connections
3: Display PID
4: Display connection stat
5: Toggle AV Bypass mode
6: Display memory statistics
44: Display info per connection
11: Display connection TTL list
12: Clear the SSL certificate cache
13: Clear the SSL session cache
14: Display PKey file checksum
15: Clear the SSL server name cache
99: Restart proxy
SSL Proxy stats:

FGT80C # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:21:06.569388
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7838
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is off
Drop on backlog is on
Accounting is off

This one is important: it shows the connections currently under SSL inspection.
Here 13.43.12.77 is the remote cloud server (sanitized) and 192.168.10.150 is the backup box in the LAN.

FGT80C# diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541

proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540

proxy=pop3s id=8068 clt=41(r=0, w=0) srv=42(r=1, w=0) c:192.168.10.150:56245 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3401

proxy=pop3s id=8067 clt=26(r=0, w=0) srv=27(r=1, w=0) c:192.168.10.150:36902 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3399

proxy=pop3s id=8039 clt=24(r=0, w=0) srv=25(r=1, w=0) c:192.168.10.150:40980 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2625

proxy=pop3s id=8032 clt=35(r=0, w=0) srv=36(r=1, w=0) c:192.168.10.150:39432 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2424

proxy=pop3s id=8029 clt=28(r=0, w=0) srv=29(r=1, w=0) c:192.168.10.150:39429 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2415

Current pop3s connections = 12
Current smtps connections = 0
Current ftps connections = 0
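Reading this listing by hand is fine for a dozen lines, but it gets old quickly on a busier box. The following is an added example (not code from the post or from Fortinet) that parses the per-connection lines of the `diagnose test application ssl 44` output and groups them into intercepted client-to-server flows, counting how many sessions are stalled in SSL_CONTINUE_SETUP_STATE with no bytes passed. The sample input is constructed from the lines above, with the third line deliberately altered to drop the server port colon so that the parser's handling of an unexpected line is visible.

```python
import re
from collections import defaultdict

# Constructed sample: three lines based on the `ssl 44` output above (addresses
# sanitized as in the post), the third altered to drop the server port colon.
SAMPLE_OUTPUT = """\
Current https connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541
proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540
proxy=pop3s id=8032 clt=35(r=0, w=0) srv=36(r=1, w=0) c:192.168.10.150:39432 -> s:13.43.12.77995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2424
Current pop3s connections = 12
"""

# Layout of one per-connection line; named groups keep the fields that matter.
CONN_RE = re.compile(
    r"proxy=(?P<proxy>\w+) id=(?P<id>\d+) clt=\d+\(r=\d+, w=\d+\) srv=\d+\(r=\d+, w=\d+\) "
    r"c:(?P<client>[\d.]+):(?P<cport>\d+) -> s:(?P<server>[\d.]+):(?P<sport>\d+) "
    r"c2s/s2c=(?P<c2s>\d+)/(?P<s2c>\d+) state=(?P<state>\w+) "
    r"duration=(?P<duration>\d+) expire=(?P<expire>\d+)$"
)
INT_FIELDS = ("id", "cport", "sport", "c2s", "s2c", "duration", "expire")

def parse_ssl44(text):
    """Return (connections, unparsed). Counter lines are skipped; a proxy= line
    that does not fit the layout is reported rather than silently dropped."""
    conns, unparsed = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line.startswith("proxy="):
            continue
        m = CONN_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        conns.append(rec)
    return conns, unparsed

def intercepted_flows(conns):
    """Group sessions by (client, server:port, proxy). 'stalled' counts sessions
    still in SSL_CONTINUE_SETUP_STATE with zero bytes either way, consistent with
    the post's diagnosis that the far end never accepts the proxy's certificate."""
    flows = defaultdict(lambda: {"sessions": 0, "stalled": 0})
    for c in conns:
        f = flows[(c["client"], f'{c["server"]}:{c["sport"]}', c["proxy"])]
        f["sessions"] += 1
        if c["state"] == "SSL_CONTINUE_SETUP_STATE" and c["c2s"] == 0 == c["s2c"]:
            f["stalled"] += 1
    return dict(flows)
```

Run `parse_ssl44` over a pasted `ssl 44` listing and feed the result to `intercepted_flows` to see at a glance which LAN host is being intercepted toward which server and whether those sessions ever get past the handshake.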
- Disable the SSL proxy for AV scanning:

FGT80C # diagnose test application ssl 5

SSL AV Bypass is now on

FGT80C3909621311 # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:22:37.346514
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7839
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is on
Drop on backlog is on
Accounting is off

- Making sure it worked:

FGT80C3909621311 # diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
Current pop3s connections = 0
Current smtps connections = 0
Current ftps connections = 0

Posted in Fortigate, Uncategorized.



2 Responses


  1. nabeards says

    The commands on the page you linked to are for FortiOS 5.0. The commands you provide in this entry work in FortiOS 4.0, but need to be manually rerun any time the router is rebooted. But, of course, YMMV.

  2. Shawn says

    Disabling SSL inspection is very risky. Many attacks leverage TCP/443 ACLs to create reverse tunnels.

    Ideally, in this customer’s situation, you’d simply create a policy to allow the backup device to communicate with the cloud servers and not enable SSL inspection on that single rule, leaving SSL inspection enabled on all other traffic.