Fortinet black logo

Administration Guide

Mirroring SSL traffic in policies

Mirroring SSL traffic in policies

SSL mirroring allows the FortiGate to decrypt and mirror traffic to a designated port. A new decrypted traffic mirror profile can be applied to IPv4, IPv6, and explicit proxy firewall policies in both flow and proxy mode. Full SSL inspection must be used in the policy for the traffic mirroring to occur.

SSL inspection is automatically enabled when you enable a security profile on the policy configuration page.

To configure SSL mirroring in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.
  2. Create a new policy, or edit an existing one.
  3. Configure the interfaces, sources, and other required information.
  4. In the Security Profiles section, for SSL Inspection, select deep-inspection, or another profile that uses Full SSL Inspection.
  5. Enable Decrypted Traffic Mirror . The terms of use agreement opens.

  6. Click Agree to accept the terms.
  7. In the drop-down list, select a decrypted traffic mirror, or click Create to create a new one.

    In this example, a new decrypted traffic mirror is created using the port3 interface.

  8. Click OK to save the policy.
To configure SSL mirroring in proxy mode in the CLI:
  1. Create the decrypted traffic mirror profile:
    config firewall decrypted-traffic-mirror
        edit SSL-to-port3
            set dstmac ff:ff:ff:ff:ff:ff
            set traffic-type ssl
            set traffic-source client
            set interface port3
        next
    end
  2. Configure the policy to enable SSL traffic mirroring:
    config firewall policy
        edit 1
            set name "mirror-policy"
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set ssl-ssh-profile "deep-inspection"
            set decrypted-traffic-mirror "SSL-to-port3"
    
    THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT:
    
    1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature.
    
    2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature.
    
    3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs.
    
    4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing.
    
    5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue.
    
    6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above.
    
    7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA.
    
    Do you want to continue? (y/n) y
        next
    end

Mirroring SSL traffic in policies

SSL mirroring allows the FortiGate to decrypt and mirror traffic to a designated port. A new decrypted traffic mirror profile can be applied to IPv4, IPv6, and explicit proxy firewall policies in both flow and proxy mode. Full SSL inspection must be used in the policy for the traffic mirroring to occur.

SSL inspection is automatically enabled when you enable a security profile on the policy configuration page.

To configure SSL mirroring in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.
  2. Create a new policy, or edit an existing one.
  3. Configure the interfaces, sources, and other required information.
  4. In the Security Profiles section, for SSL Inspection, select deep-inspection, or another profile that uses Full SSL Inspection.
  5. Enable Decrypted Traffic Mirror . The terms of use agreement opens.

  6. Click Agree to accept the terms.
  7. In the drop-down list, select a decrypted traffic mirror, or click Create to create a new one.

    In this example, a new decrypted traffic mirror is created using the port3 interface.

  8. Click OK to save the policy.
To configure SSL mirroring in proxy mode in the CLI:
  1. Create the decrypted traffic mirror profile:
    config firewall decrypted-traffic-mirror
        edit SSL-to-port3
            set dstmac ff:ff:ff:ff:ff:ff
            set traffic-type ssl
            set traffic-source client
            set interface port3
        next
    end
  2. Configure the policy to enable SSL traffic mirroring:
    config firewall policy
        edit 1
            set name "mirror-policy"
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set ssl-ssh-profile "deep-inspection"
            set decrypted-traffic-mirror "SSL-to-port3"
    
    THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU, THE USER AND ITS ORGANIZATION ("CUSTOMER"), AND FORTINET. BEFORE YOU CONTINUE WITH THE TERMS AND CONDITIONS OF THIS CONTRACT (THE "FEATURE ENABLEMENT") CAREFULLY READ THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY ENTERING YES, YOU, AS AN AUTHORIZED REPRESENTATIVE ON BEHALF OF CUSTOMER, CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT ("AGREEMENT") AND YOU REPRESENT THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT AND HAVE HAD SUFFICIENT OPPORTUNITY TO CONSULT WITH COUNSEL, PRIOR TO AGREEING TO THE TERMS HEREIN AND ENABLING THIS FEATURE. IF YOU HAVE ANY QUESTIONS OR CONCERNS, OR DESIRE TO SUGGEST ANY MODIFICATIONS TO THIS AGREEMENT, PLEASE CONTACT YOUR FORTINET SUPPORT REPRESENTATIVE TO BE REFERRED TO FORTINET LEGAL. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CONTINUE WITH THE ACCEPTANCE PROCESS. BY ACCEPTING THE TERMS AND CONDITIONS HEREIN, CUSTOMER HEREBY AGREES THAT:
    
    1. Customer represents and warrants that Customer, not Fortinet, is engaging this feature.
    
    2. Customer represents and warrants that Customer has provided the requisite notice(s) and obtained the required consent(s) to utilize this feature.
    
    3. Customer represents and warrants that Customer will only access data as necessary in a good faith manner to detect malicious traffic and will put in place processes and controls to ensure this occurs.
    
    4. Customer represents and warrants that Customer has the right to enable and utilize this feature, and Customer is fully in compliance with all applicable laws in so doing.
    
    5. Customer shall indemnify Fortinet in full for any of the above certifications being untrue.
    
    6. Customer shall promptly notify Fortinet Legal in writing of any breach of these Terms and Conditions and shall indemnify Fortinet in full for any failure by Customer or any of its employees or representatives to abide in full by the Terms and Conditions above.
    
    7. Customer agrees that these Terms and Conditions shall be governed by the laws of the State of California, without regards to the choice of laws provisions thereof and Customer hereby agrees that any dispute related to these Terms and Conditions shall be resolved in Santa Clara County, California, USA, and Customer hereby consents to personal jurisdiction in Santa Clara County, California, USA.
    
    Do you want to continue? (y/n) y
        next
    end