Support SSL mirroring in proxy mode
Zitat von mpca am 6. Dezember 2021, 11:37 Uhrhttps://community.fortinet.com/t5/FortiGate/Technical-Tip-Support-SSL-mirroring-in-proxy-mode/ta-p/193622?externalID=FD48776
Description
Support SSL mirroring in proxy mode.SSL mirroring allows the FortiGate to decrypt and mirror traffic to a designated port.
Previously, this was supported in flow mode.
Support for proxy mode has been added.
A new decrypted traffic mirror profile can be applied to IPv4, IPv6, and explicit proxy firewall policies.
Full SSL inspection has to be used in the policy for the traffic mirroring to occur.This article describes how to support SSL mirroring in proxy mode.
Solution
When upgrading to FortiOS 6.4.0, the original 'ssl-mirror' and 'ssl-mirror-intf' profiles will be replaced with a new firewall decrypted-traffic-mirror profile named' __upg_pol_<#>'.
The default destination MAC is all FF, and the default source is client.
To configure SSL mirroring in proxy mode in the GUI.Go to Policy & Objects and create a new policy, or edit an existing one.
This example uses a firewall policy.In the policy settings, ensure the following are configured:
The 'Inspection Mode' is set to' Proxy-based'.The SSL Inspection profile uses Full SSL Inspection (if needed, select the pencil icon next to the dropdown to view the inspection profile settings).
Enable the Decrypted Traffic Mirror toggle.
The terms of use will appear in a separate pane.
Select 'Agree'.Beside the toggle, select 'Create' to configure a new decrypted traffic mirror and adjust the settings as needed.
In this example, the client is the decrypted traffic source and port3 is the interface.
Select 'OK' to save the traffic mirror settings.Select 'OK' to save the policy settings.
To configure SSL mirroring in proxy mode from the CLI:Create the decrypted traffic mirror profile.
# config firewall decrypted-traffic-mirror
edit SSL-to-port3
set dstmac ff:ff:ff:ff:ff:ff
set traffic-type ssl
set traffic-source client
set interface port3
next
end
Configure the policy to enable SSL traffic mirroring.
# config firewall policy
edit 1
set inspection-mode proxy
set ssl-ssh-profile deep-inspection
set decrypted-traffic-mirror SSL-to-port3
THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT:1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature.
2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature.
3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs.
4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing.
5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue.
6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above.
7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA.
Do you want to continue? (y/n)y
next
end
Description
Support SSL mirroring in proxy mode.
SSL mirroring allows the FortiGate to decrypt and mirror traffic to a designated port.
Previously, this was supported in flow mode.
Support for proxy mode has been added.
A new decrypted traffic mirror profile can be applied to IPv4, IPv6, and explicit proxy firewall policies.
Full SSL inspection has to be used in the policy for the traffic mirroring to occur.
This article describes how to support SSL mirroring in proxy mode.
Solution
When upgrading to FortiOS 6.4.0, the original 'ssl-mirror' and 'ssl-mirror-intf' profiles will be replaced with a new firewall decrypted-traffic-mirror profile named' __upg_pol_<#>'.
The default destination MAC is all FF, and the default source is client.
Go to Policy & Objects and create a new policy, or edit an existing one.
The 'Inspection Mode' is set to' Proxy-based'.
Enable the Decrypted Traffic Mirror toggle.
Select 'Agree'.
Select 'OK' to save the traffic mirror settings.
To configure SSL mirroring in proxy mode from the CLI:
Create the decrypted traffic mirror profile.
# config firewall decrypted-traffic-mirror
edit SSL-to-port3
set dstmac ff:ff:ff:ff:ff:ff
set traffic-type ssl
set traffic-source client
set interface port3
next
end
Configure the policy to enable SSL traffic mirroring.
# config firewall policy
edit 1
set inspection-mode proxy
set ssl-ssh-profile deep-inspection
set decrypted-traffic-mirror SSL-to-port3
THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT:1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature.
2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature.
3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs.
4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing.
5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue.
6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above.
7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA.
Do you want to continue? (y/n)y
next
end