Ignore AUTH TLS command for DLP

If the FortiGate receives an AUTH TLS command (or the related PBSZ and PROT commands) from a device that has already decrypted the traffic, before it has seen any plain text traffic, it expects encrypted traffic by default. When plain text arrives instead, it classifies the session as an abnormal protocol and bypasses it, so no content inspection is applied.

When ssl-offloaded is enabled in the protocol options profile, the AUTH TLS command is ignored and the traffic is treated as plain text rather than encrypted data, so DLP and other content inspection continue to apply.

To ignore received AUTH TLS commands:
config firewall profile-protocol-options
    edit "test"
        config ftp
            set ssl-offloaded yes
        end
        config imap
            set ssl-offloaded yes
        end
        config pop3
            set ssl-offloaded yes
        end
        config smtp
            set ssl-offloaded yes
        end
    next
end
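The following is an added example, not FortiGate code and not taken from this page: a small Python model of the decision described above, so the effect of the ssl-offloaded setting on DLP coverage can be seen on a constructed command stream. The FTP commands (AUTH TLS, PBSZ, PROT) are the ones the page names; the mail-protocol equivalents (STARTTLS, STLS), the DLP keyword list, the session contents and all function names are assumptions of this example.

```python
"""Model of the 'expect TLS after AUTH TLS' decision and what ssl-offloaded changes.

This is an illustrative example (not FortiGate's inspection code). It shows why
traffic that was decrypted upstream but still carries the original AUTH TLS
command is bypassed by default, and why ignoring that command keeps DLP in play.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Commands that switch a plaintext session to TLS. The FTP entries are the ones
# the page names; the mail-protocol entries are an assumption of this example.
TLS_UPGRADE_COMMANDS = {
    "ftp": ("AUTH TLS", "PBSZ", "PROT"),
    "smtp": ("STARTTLS",),
    "imap": ("STARTTLS",),
    "pop3": ("STLS",),
}

# Stand-in for a DLP sensor: any payload containing one of these is a finding.
DLP_PATTERNS = ("CONFIDENTIAL", "SSN:")


@dataclass
class Verdict:
    outcome: str                      # "inspected", "bypassed" or "encrypted"
    reason: str
    dlp_hits: list = field(default_factory=list)


def is_tls_upgrade(protocol: str, line: str) -> bool:
    """True if the command line announces a switch to TLS for this protocol."""
    upper = line.upper()
    return any(upper.startswith(cmd) for cmd in TLS_UPGRADE_COMMANDS[protocol])


def is_tls_record(data: bytes) -> bool:
    """A TLS handshake record starts with content type 0x16 and major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def inspect_session(protocol: str, messages: list[bytes], ssl_offloaded: bool) -> Verdict:
    """Walk client messages and decide whether content inspection stays active.

    Default (ssl_offloaded=False): after a TLS upgrade command the inspector
    expects a TLS record. Plain text at that point is an abnormal protocol and the
    session is bypassed, which is the behaviour the page describes.
    With ssl_offloaded=True the upgrade commands are ignored and every message is
    scanned as plain text.
    """
    expecting_tls = False
    hits: list[str] = []
    for msg in messages:
        if expecting_tls:
            if is_tls_record(msg):
                return Verdict("encrypted", "TLS handshake seen; content not visible to DLP", hits)
            return Verdict("bypassed", "abnormal protocol: plain text where TLS was expected", hits)
        text = msg.decode("ascii", errors="replace")
        if is_tls_upgrade(protocol, text):
            if ssl_offloaded:
                continue              # command ignored; session stays plain text
            expecting_tls = True
            continue
        hits.extend(p for p in DLP_PATTERNS if p in text)
    return Verdict("inspected", "session inspected as plain text", hits)


# Constructed session: an upstream device decrypted the FTP control channel but
# forwarded the client's original upgrade commands, followed by plain text.
OFFLOADED_FTP_SESSION = [
    b"USER alice\r\n",
    b"AUTH TLS\r\n",
    b"PBSZ 0\r\n",
    b"PROT P\r\n",
    b"PASS hunter2\r\n",
    b"STOR quarterly.txt\r\n",
    b"CONFIDENTIAL: Q3 revenue forecast\r\n",
]

# Constructed session where a real TLS handshake follows AUTH TLS.
REAL_TLS_FTP_SESSION = [
    b"USER alice\r\n",
    b"AUTH TLS\r\n",
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
]


if __name__ == "__main__":
    for offloaded in (False, True):
        v = inspect_session("ftp", OFFLOADED_FTP_SESSION, ssl_offloaded=offloaded)
        print(f"ssl-offloaded={offloaded}: {v.outcome} ({v.reason}); DLP hits={v.dlp_hits}")
```

Running the model on the offloaded session shows the difference the setting makes: with the default, the stream is bypassed at the first plain text command after AUTH TLS and the DLP stand-in never sees the CONFIDENTIAL payload; with ssl-offloaded enabled the upgrade commands are skipped and the payload is caught. The second session illustrates why the setting belongs only on paths behind a decrypting device: if real TLS records arrive while the command is being ignored, they are scanned as if they were plain text and nothing meaningful can be matched.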
