Problem using Application Control in FortiProxy 7.2.4

Sarandis · ‎09-12-2023

Hello,

I'm trying to use Application Control in a FortiProxy 7.2.4 instance but without any success.
This is set up as an Explicit Proxy which forwards all requests to an upstream proxy.
I have a policy with deep inspection enabled but the application control set on this policy, has no effect.
The application control logs are empty and the logs on the syslog server are showing all urls either unscanned or unknown:

Sep 12 15:57:15 10.1.1.1 date=2023-09-12 time=15:55:38 devname="FPXVMxxxx" devid="FPXVMxxxx"
eventtime=1694523338854017532 tz="+0300" logid="0010000099" type="traffic" subtype="http-transaction"
level="notice" vd="testvdom" srcip=10.2.1.1 dstip=10.3.1.1 clientip=10.2.1.1 scheme="https" srcport=55646
dstport=3128 hostname="www.facebook.com"
url="https://www.facebook.com" prefetch=0 policyid=1 sessionid=1202257994 transid=101109181 reqlength=1743
resplength=0 resptype="normal" statuscode="200" reqtime=1694523338 resptime=1694523338 respfinishtime=1694523338
duration=377 appcat="unscanned"

Sep 12 16:23:15 10.1.1.1 date=2023-09-12 time=16:21:38 devname="FPXVMxxxx" devid="FPXVMxxxx"
eventtime=1694524898399861396 tz="+0300" logid="0000000015" type="traffic" subtype="forward"
level="notice" vd="testvdom" srcip=10.2.1.1 srcport=37748 srcintf="port2" srcintfrole="lan" dstip=142.251.141.42
dstport=443 dstintf="port3" dstintfrole="lan" srccountry="Greece" dstcountry="Bulgaria" sessionid=1202258061
proto=6 action="start" policyid=1 policytype="policy" poluuid="957f632c-fa08-51ed-f3fc-40ae6af42b45"
policyname="testAllPolicy" service="HTTPS" trandisp="noop" url="https://safebrowsing.googleapis.com/"
agent="Firefox/117.0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"

The settings of the policy are shown below:
set type explicit-web
set status enable
set name "testAllPolicy"
set uuid 957f632c-fa08-51ed-f3fc-40ae6af42b45
set dstintf "port3"
set srcaddr "test-src_ip"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy"
set transparent disable
set ztna-tags-match-logic or
set internet-service disable
set pass-through disable
set utm-status enable
set webproxy-profile "testWebProxyProfile"
set logtraffic all
set logtraffic-start enable
set log-http-transaction enable
set webcache disable
set webcache-https disable
set http-tunnel-auth disable
set ssh-policy-check disable
set webproxy-forward-server "upstream-proxy"
set disclaimer disable
set comments ''
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set decrypted-traffic-mirror ''
set max-session-per-user 0
set profile-type single
set profile-protocol-options "HTTP-ProxyOptions"
set ssl-ssh-profile "test-deep-inspection"
set av-profile "test-Antivirus"
set ia-profile "test-ReplaceImages"
set webfilter-profile "test-URLFiltering"
set dlp-sensor ''
set file-filter-profile ''
set ips-sensor "test-IPS"
set application-list "test-block_all"
set icap-profile ''
set videofilter-profile "testYoutube"
set isolator-profile ''
set ssh-filter-profile ''

The settings of the SSL/SSH profile are shown below:
edit "test-deep-inspection"
set comment "Read-only deep inspection profile."
config ssl
set client-certificate bypass
set unsupported-ssl-version block
set unsupported-ssl-cipher allow
set unsupported-ssl-negotiation allow
end
config https
set ports 443
set status deep-inspection
set proxy-after-tcp-handshake disable
set client-certificate bypass
set unsupported-ssl-version block
set unsupported-ssl-cipher allow
set unsupported-ssl-negotiation allow
set expired-server-cert block
set revoked-server-cert block
set untrusted-server-cert allow
set cert-validation-timeout block
set cert-validation-failure block
set sni-server-cert-check enable
set min-allowed-ssl-version tls-1.1
end

Any help will be very much appreciated!

Kind regards
Sarandis

xshkurti · ‎09-14-2023

@Sarandis
What is your test configuration for below profiles:
set profile-protocol-options "HTTP-ProxyOptions"
set ssl-ssh-profile "test-deep-inspection"
set av-profile "test-Antivirus"
set ia-profile "test-ReplaceImages"
set webfilter-profile "test-URLFiltering"
set dlp-sensor ''
set file-filter-profile ''
set ips-sensor "test-IPS"
set application-list "test-block_all"

If you find that there is much information shared in this post, you may try to open a ticket with our TAC Support.

Sarandis · ‎09-18-2023

Hello,

Thanks for your answer, you can find below the configuration items you asked. They are obfuscated and some irrelevant entries have been truncated.

config firewall profile-protocol-options
edit "default"
set comment "All default services."
config http
set ports 80
unset options
unset post-lang
end

edit "test-deep-inspection"
set comment "Read-only deep inspection profile."
config https
set ports 443
set status deep-inspection
set cert-validation-timeout block
end
set caname "CA_Test"
next
end

config antivirus profile
edit "test-Antivirus"
config http
set av-scan block
set outbreak-prevention block
end
next
end

edit "test-ReplaceImages"
set alcohol-block-strictness-level 89
set drugs-block-strictness-level 88
set **bleep**-block-strictness-level 89
set weapons-block-strictness-level 92
set replace-image "tziz"
next

config webfilter profile
edit "test-URLFiltering"
config override
set ovrd-dur 5m
set ovrd-user-group "test-sapap-group"
set profile "YouTube-Profile"
end
config web
set bword-table 1
set safe-search header
set youtube-restrict strict
end
config ftgd-wf
unset options
config filters
edit 1
set category 1
next
edit 3
set category 3
next
edit 4
set category 4
set action block
...
end
end
set log-all-url enable
next

config ips sensor
edit "test-IPS"
set block-malicious-url enable
set scan-botnet-connections block
next
end

edit "test-block_all"
set other-application-log enable
set unknown-application-log enable
config entries
edit 1
set application 15832 23813 17735 15722 38517 24318 29210 38468 40934 40935 40933 39381 43448 22922 23260 35523 17399
next
...
set control-default-network-services enable
config default-network-services
edit 1
set port 443
set services https
set violation-action monitor
next
end
next
end

Kind regards
Sarandis

v_ceban · ‎09-14-2023

Hello Sarandis,

With this config in place, FortiProxy will just redirect proxy sessions to the upstream proxy and won't handle them, it does not have any traffic to scan in order to identify the Application. You may need to apply Application control on the upstream proxy that will establish connections with the accessed destinations and will handle all the traffic.

Vladislav Ceban

Sarandis · ‎09-18-2023

Hello Vladislav,

Thanks for your answer. I tried the same configuration without upstream proxy, but still the same behavior was observed.

Kind regards

Sarandis

HarshChavda · ‎09-14-2023

Hello @Sarandis ,

You've set client-certificate bypass. Make sure this setting aligns with your actual needs and won't interfere with the SSL inspection. You've already enabled Deep Inspection, which is good. But make sure that the clients trust the FortiProxy CA certificate; otherwise, SSL inspection will fail. You mentioned that FortiProxy forwards all requests to an upstream proxy. Make sure that this upstream proxy is not altering the traffic in a way that prevents FortiProxy from performing application control. Ensure there are no firewalls or other network devices that could be affecting the traffic before it reaches the FortiProxy.

Sarandis · ‎09-18-2023

Hello,

Can you please explain how the client-certificates settings can affect the SSL inspection? In any case, client certificate is set to bypass and SSL client certificate is set to do-not-offer, which i think are the settings for not inspecting client certificates.

Yes, the clients trust the FortiProxy CA. Regarding the upstream proxy, i tried the same config without upstream proxy, but nothing changed. All other network firewalls are not altering the HTTP traffic.

Kind regards

Sarandis