SSL mirroring support
You can configure your FortiGate-7000E to "mirror" or send a copy of traffic decrypted by SSL inspection to one or more interfaces so that the traffic can be collected by a raw packet capture tool for archiving or analysis.
Decryption, storage, inspection, and use of decrypted content are subject to local privacy rules. Use of these features could enable malicious users with administrative access to your FortiGate to harvest sensitive information submitted using an encrypted channel.
For more information about FortiOS support for SSL mirroring, see Mirroring SSL inspected traffic.
Example SSL mirroring configuration
SSL mirroring is available for VDOMs operating in flow mode. You can enable flow mode from the Global GUI by going to System > VDOM, editing the VDOM for which to configure SSL mirroring, and setting Inspection Mode to Flow-based.
From the CLI you can edit the VDOM and enable flow inspection mode.
config vdom
    edit mirror-vdom
        config system settings
            set inspection-mode flow
        end
    end
To enable SSL mirroring, add a firewall policy to accept the traffic that you want to be mirrored. In the policy, enable the ssl-mirror option and set ssl-mirror-intf to the interface to which to send decrypted packets.
config firewall policy
    edit 4
        set name "ssl-mirror-example"
        set uuid f4b612d0-2300-51e8-f15f-507d96056a96
        set srcintf <interface>
        set dstintf <interface>
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set ssl-mirror enable
        set ssl-mirror-intf <interface>
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    end
You can use the following command from an FPM CLI to verify that traffic is being mirrored:

diagnose sniffer packet <interface> 'port 443' -c 50
interfaces=[1-C1/7]
filters=[port 443]
pcap_lookupnet: <interface>: no IPv4 address assigned
0.440714 8.1.1.69.18478 -> 9.2.1.130.443: syn 582300852
0.440729 9.2.1.130.443 -> 8.1.1.69.18478: syn 3198605956 ack 582300853
0.440733 8.1.1.69.18478 -> 9.2.1.130.443: ack 3198605957
0.440738 8.1.1.69.18478 -> 9.2.1.130.443: psh 582300853 ack 3198605957
0.441450 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198605957 ack 582301211
0.441535 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198607351 ack 582301211
0.441597 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198608747 ack 582301211
0.441636 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198610143 ack 582301211
0.441664 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198611539 ack 582301211
0.441689 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198612935 ack 582301211
0.441715 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198614331 ack 582301211
0.441739 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198615727 ack 582301211
0.441764 9.2.1.130.443 -> 8.1.1.69.18478: psh 3198617123 ack 582301211
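Because a policy with ssl-mirror enabled copies decrypted traffic off the box, an administrator will want to know which policies do so and where the copies go. The following added example (not Fortinet code) parses a FortiOS CLI configuration dump in the config / edit / set / next / end syntax shown above and reports every firewall policy with `set ssl-mirror enable`, its ssl-mirror-intf targets and its SSL/SSH profile; the sample configuration is constructed for the example.

```python
# Added example (not Fortinet code): audit a FortiOS CLI config dump for
# firewall policies that mirror decrypted traffic (set ssl-mirror enable)
# and report their ssl-mirror-intf targets. Sample config is constructed.
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 4
        set name "ssl-mirror-example"
        set action accept
        set ssl-mirror enable
        set ssl-mirror-intf "port9" "port10"
        set ssl-ssh-profile "deep-inspection"
    next
    edit 5
        set name "no-mirror"
        set action accept
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} from 'config firewall policy'."""
    policies, current, in_table = {}, None, False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())  # honours quoted values
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_table = True
        elif in_table and tokens[0] == "edit":
            current = policies.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_table, current = False, None
    return policies

def find_ssl_mirroring(config_text):
    """Policies that copy decrypted traffic, with their target interfaces."""
    findings = []
    for pid, s in parse_policies(config_text).items():
        if s.get("ssl-mirror", ["disable"])[0] != "enable":
            continue
        findings.append({"policy": pid, "name": s.get("name", [""])[0],
                         "mirror_intf": s.get("ssl-mirror-intf", []),
                         "ssl_profile": s.get("ssl-ssh-profile", [""])[0]})
    return findings
```

Call `find_ssl_mirroring()` on the output of `show firewall policy` (or the whole configuration backup) to list the mirroring policies; with the constructed sample it reports only policy 4, mirroring to port9 and port10.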