FortiGate-6000 Handbook

SSL mirroring support

You can configure your FortiGate-6000 to "mirror" or send a copy of traffic decrypted by SSL inspection to one or more interfaces so that the traffic can be collected by a raw packet capture tool for archiving or analysis.

Caution

Decryption, storage, inspection, and use of decrypted content are subject to local privacy rules. Use of these features could enable malicious users with administrative access to your FortiGate to harvest sensitive information submitted over an encrypted channel.

For more information about FortiOS support for SSL mirroring, see Mirroring SSL inspected traffic.

Example SSL mirroring configuration

SSL mirroring is available for VDOMs operating in flow mode. You can enable flow mode from the Global GUI by going to System > VDOM, editing the VDOM for which to configure SSL mirroring, and setting Inspection Mode to Flow-based.

From the CLI you can edit the VDOM and enable flow inspection mode.

config vdom
    edit mirror-vdom
        config system settings
            set inspection-mode flow
        end
    end

To enable SSL mirroring, add a firewall policy that accepts the traffic you want mirrored. In the policy, enable the ssl-mirror option and set ssl-mirror-intf to the interface to which decrypted packets are sent. The policy must also apply an SSL/SSH profile that performs deep inspection, since only traffic that the FortiGate actually decrypts can be mirrored.

config firewall policy
    edit 4
        set name "ssl-mirror-example"
        set uuid f4b612d0-2300-51e8-f15f-507d96056a96
        set srcintf "port10"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set ssl-mirror enable
        set ssl-mirror-intf "port20"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    end

You can use the following command from an FPC CLI to verify that decrypted traffic is reaching the mirror interface. Both directions of the session (client to server and server to client) should appear on port20:

diagnose sniffer packet port20 'port 443' -c 50
interfaces=[port20]
filters=[port 443]
pcap_lookupnet: port20: no IPv4 address assigned
0.440714 8.1.1.69.18478 -> 9.2.1.130.443: syn 582300852
0.440729 9.2.1.130.443 -> 8.1.1.69.18478: syn 3198605956 ack 582300853
0.440733 8.1.1.69.18478 -> 9.2.1.130.443: ack 3198605957
0.440738 8.1.1.69.18478 -> 9.2.1.130.443: psh 582300853 ack 3198605957
0.441450 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198605957 ack 582301211
0.441535 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198607351 ack 582301211
0.441597 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198608747 ack 582301211
0.441636 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198610143 ack 582301211
0.441664 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198611539 ack 582301211
0.441689 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198612935 ack 582301211
0.441715 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198614331 ack 582301211
0.441739 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198615727 ack 582301211
0.441764 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198617123 ack 582301211
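A practitioner verifying a mirror port usually wants more than eyeballing the sniffer output: confirmation that both halves of the decrypted session arrive on the mirror interface. The following is an added example, not part of the handbook or of FortiOS, that parses the default-verbosity diagnose sniffer packet line format shown above, counts packets per direction, and reports whether a flow to port 443 shows a SYN and payload in both directions. The sample input is copied from the handbook's own output above; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Matches one packet line of FortiOS "diagnose sniffer packet" default-verbosity
# output: "<ts> <ip>.<port> -> <ip>.<port>: <flag> [<num>] [ack <num>]".
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<sip>[\d.]+)\.(?P<sport>\d+) -> "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): (?P<flag>[a-z]+)"
    r"(?: (?P<num>\d+))?(?: ack (?P<ack>\d+))?\s*$")

def parse_sniffer_line(line):
    """Parse one packet line; return None for headers such as 'interfaces=[...]'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    num, ack = (int(d["num"]) if d["num"] else None), (int(d["ack"]) if d["ack"] else None)
    if d["flag"] == "ack":  # bare "ack N": N is the ack number, not a sequence number
        num, ack = None, num
    return {"ts": float(d["ts"]), "src": (d["sip"], int(d["sport"])),
            "dst": (d["dip"], int(d["dport"])), "flag": d["flag"], "seq": num, "ack": ack}

def summarize_flows(output):
    """Per (src, dst) direction: packet count and the set of TCP flag words seen."""
    flows = defaultdict(lambda: {"packets": 0, "flags": set()})
    for pkt in filter(None, map(parse_sniffer_line, output.splitlines())):
        flows[(pkt["src"], pkt["dst"])]["packets"] += 1
        flows[(pkt["src"], pkt["dst"])]["flags"].add(pkt["flag"])
    return dict(flows)

def mirror_verified(output, port=443):
    """True when a flow to `port` has SYN and payload (psh) in both directions."""
    flows = summarize_flows(output)
    for (src, dst), fwd in flows.items():
        rev = flows.get((dst, src))
        if (dst[1] == port and rev and {"syn", "psh"} <= fwd["flags"]
                and {"syn", "psh"} <= rev["flags"]):
            return True
    return False

# Sample copied from the handbook's sniffer output above (not a live capture).
SAMPLE = """\
interfaces=[port20]
0.440714 8.1.1.69.18478 -> 9.2.1.130.443: syn 582300852
0.440729 9.2.1.130.443 -> 8.1.1.69.18478: syn 3198605956 ack 582300853
0.440733 8.1.1.69.18478 -> 9.2.1.130.443: ack 3198605957
0.440738 8.1.1.69.18478 -> 9.2.1.130.443: psh 582300853 ack 3198605957
0.441450 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198605957 ack 582301211
"""
```

A capture that shows only one direction, or only a handshake with no psh segments, is the usual sign that the policy is matching but the SSL/SSH profile is not actually decrypting the session.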
