80C - Enabling SSL Inspection

Author
LaurentDumont
New Member
2019/08/19 18:12:22 (permalink)

80C - Enabling SSL Inspection

Hey everyone,
Currently attempting to enable SSL inspection/MITM on an 80C and it doesn't seem to be working.
  • I have a single FW rule for the outgoing NAT traffic.
  • I don't see the FGT certificate being presented to hosts browsing HTTPS sites behind the FW. I am seeing the traffic hitting the correct policy.
  • It doesn't have a license. It's just for testing stuff in a lab.
  • Running v5.6.3 build1547 (GA)
Relevant configurations: Security profile: https://i.imgur.com/lT5y8aL.png
FW rule with applied profile: https://i.imgur.com/u3OwQAw.png
Traffic hitting the FW and the correct policy: https://i.imgur.com/Pvx5pPC.png
Is the SSL inspection feature behind the paid license? Anything else I could try to properly tshoot this?
Let me know if there is anything else I can provide.
Thanks!
#1
orani
Silver Member
Re: 80C - Enabling SSL Inspection 2019/08/19 22:22:50 (permalink) Best Answer (selected by LaurentDumont 2019/08/20 18:39:21)
What do you mean that it is not working?
You have to use SSL inspection with some other security profiles such as IPS or Web Filter.
#2
LaurentDumont
New Member
Re: 80C - Enabling SSL Inspection 2019/08/20 18:40:48 (permalink)
orani wrote:
What do you mean that it is not working?
You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

That was it! I tried with a dummy web filter and it does intercept the SSL traffic now.
 
I am now trying to dump the decrypted SSL traffic. I've bolded the relevant commands. That said, I am not seeing any traffic on that interface. Anything else I should try?
 
FGT-LAURENT-DREAMHACK # show firewall policy 1
config firewall policy
    edit 1
        set name "ssl-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set ssl-mirror enable
        set ssl-mirror-intf "wan2"
        set webfilter-profile "web-filter-flow"
        set profile-protocol-options "default"
        set ssl-ssh-profile "test-all"
        set nat enable
    next
end
 
Thanks!
#3
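Added example (not from this thread and not Fortinet code): a small Python lint that parses `show firewall policy` output in the format posted above and flags the condition orani pointed out, an ssl-ssh-profile with no web filter/IPS/AV profile to drive it, plus the mirror-port setting the last post relies on. The list of triggering profile names and the parser itself are assumptions.

```python
import re

# Constructed sample in the format of "show firewall policy 1" on FortiOS 5.6,
# based on the policy posted in the thread. The parser is hypothetical, not Fortinet code.
SAMPLE_POLICY = """\
config firewall policy
    edit 1
        set name "ssl-inspection"
        set utm-status enable
        set ssl-mirror enable
        set ssl-mirror-intf "wan2"
        set webfilter-profile "web-filter-flow"
        set ssl-ssh-profile "test-all"
    next
end
"""

# Profiles that make the SSL inspection profile take effect (the thread's
# answer: an ssl-ssh-profile alone does nothing). This list is an assumption.
TRIGGERING_PROFILES = ("webfilter-profile", "ips-sensor", "av-profile",
                       "application-list", "dlp-sensor")

def parse_policies(text):
    """Return {policy_id: {setting: value}} from 'show firewall policy' output."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None:
            m = re.match(r'set (\S+) (.+)$', line)
            if m:
                current[m.group(1)] = m.group(2).strip('"')
    return policies

def lint_ssl_inspection(policy):
    """Return findings explaining why decrypted traffic may never be seen."""
    if "ssl-ssh-profile" not in policy:
        return ["no ssl-ssh-profile: SSL inspection is not configured"]
    findings = []
    if policy.get("utm-status") != "enable":
        findings.append("utm-status disabled: security profiles are ignored")
    if not any(p in policy for p in TRIGGERING_PROFILES):
        findings.append("ssl-ssh-profile set but no web filter/IPS/AV profile; "
                        "inspection will not engage")
    if policy.get("ssl-mirror") == "enable" and "ssl-mirror-intf" not in policy:
        findings.append("ssl-mirror enabled but no ssl-mirror-intf set")
    return findings
```

Running `lint_ssl_inspection(parse_policies(SAMPLE_POLICY)[1])` on the posted policy returns no findings; dropping the webfilter-profile line reproduces the original "nothing is intercepted" symptom as a finding.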