SSL inspection on FortiGate is a mechanism for inspecting the content of encrypted sessions in order to find and block threats.
SSL inspection protects not only against attacks carried over HTTPS, but also against those carried over other commonly used encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS.
Full SSL inspection (deep inspection) should be used to ensure that all encrypted content is inspected.
When SSL inspection is used, the FortiGate terminates the source SSL session, decrypts and inspects its content, then re-encrypts it and establishes a new SSL session between the FortiGate and the receiver by impersonating the sender, so that the delivered content has been cleaned of threats.
It is possible to mirror (send a copy of) the traffic decrypted by SSL inspection to one or more FortiGate interfaces, so that the traffic can be collected by a raw packet capture tool for archiving or analysis.
Mirroring occurs after the traffic has been processed by the SSL decoder, at the same point in the workflow where the application data is decrypted. The decrypted application data is wrapped in a TCP packet (with IP and Ethernet headers) and then sent to the mirror port.
This feature works when the inspection mode is set to flow-based, but not for explicit proxy.
Note: Decrypting, storing and inspecting decrypted content is subject to local privacy regulations. Using these features may allow malicious users with access to your FortiGate to collect sensitive information that was sent over an encrypted channel.
In this example, all traffic decrypted by the policy is sent to the FortiGate port1 and port2 interfaces.
config firewall policy
    edit 99
        set ssl-mirror enable
        set ssl-mirror-intf port1 port2
    end
Flow-mode inspection profile definition
config antivirus profile
    edit IPS-FLOW
        set inspection-mode flow-based
    end
Including the traffic in a policy so that it passes through the IPS engine, and configuring the SSL mirror:
config firewall policy
    edit 20
        set name "DMZ_svr01"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip01"
        set action accept
        set schedule "always"
        set service "HTTPS" "HTTP"
        set utm-status enable
        set ssl-mirror enable
        set ssl-mirror-intf "port4"
        set av-profile "IPS-FLOW"
        set profile-protocol-options "default"
        set ssl-ssh-profile "server-ssl-inspection"
    next
end
In this example, mirroring applies only to the SSL traffic; the HTTP traffic handled by the same policy is not sent to the mirror interface. Note also that the mirrored traffic is not a complete TCP session: it contains only the data packets (data frames). In this way you get clear visibility of the traffic using an external probe or analyzer as well as the device itself.
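Because the mirror interface carries only data frames (decrypted payload wrapped in Ethernet/IP/TCP headers, no handshake), a capture tool on the analyzer side should decode each frame on its own and verify that the payload is cleartext rather than a TLS record. The following is an added example, not code from the original post or from Fortinet; the sample frames are constructed inline with placeholder addresses.

```python
import struct

def build_frame(payload: bytes, dport: int = 443) -> bytes:
    """Construct a sample Ethernet/IPv4/TCP data frame (placeholder MACs and IPs)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    # data offset 5 words, flags PSH|ACK; checksums left at 0 (sample only)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse_mirror_frame(frame: bytes) -> dict:
    """Decode the headers of one mirrored frame and return the application payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        raise ValueError("not TCP")
    ip_total = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + ip_total]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}

def classify_payload(payload: bytes) -> str:
    """'tls' if the bytes still look like a TLS record (mirror is not giving
    decrypted data), 'http' if cleartext HTTP, otherwise 'other'."""
    if (len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    head = payload.split(b"\r\n", 1)[0]
    methods = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
    if head.startswith(b"HTTP/1.") or any(head.startswith(m + b" ") for m in methods):
        return "http"
    return "other"

if __name__ == "__main__":
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: dmz\r\n\r\n", b"\x16\x03\x03\x00\x05hello"):
        info = parse_mirror_frame(build_frame(sample))
        print(info["src"], "->", info["dst"], info["dport"], classify_payload(info["payload"]))
```

Pointing this at real frames read from the mirror interface (for example via a pcap library) lets you confirm that the capture contains decrypted application data before feeding it to an IDS or archive.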
For diagnostics, the built-in sniffer can be run on the mirror interface:
diagnose sniffer packet port4 "" 6