Enhance TLS logging 7.0.1
New options have been added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled.
config firewall ssl-ssh-profile
    edit <name>
        set ssl-server-cert-log {enable | disable}
        set ssl-handshake-log {enable | disable}
    next
end
To enable logging of server certificate information and TLS handshakes:
- Configure the SSL/SSH protocol options:
config firewall ssl-ssh-profile
    edit "deep-inspection-clone"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
        end
        ...
        set ssl-exemptions-log enable
        set ssl-negotiation-log enable
        set ssl-server-cert-log enable
        set ssl-handshake-log enable
    next
end
In FortiOS 7.0.2 and later, the ssl-exemptions-log option is renamed to ssl-exemption-log.
- Configure the firewall policy that references the profile (the SSL logs are only generated for traffic matched by a policy with UTM enabled and this profile assigned):
config firewall policy
    edit 1
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection-clone"
        set av-profile "av"
        set logtraffic all
        set nat enable
    next
end
Sample SSL server certificate log
1: date=2021-06-17 time=16:55:26 eventtime=1623974126384215772 tz="-0700" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 srcport=48892 dstip=18.140.21.233 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstuuid="8666f70e-cfb9-51eb-4991-9012417d69da" proto=6 sni="www.fortinet.com" eventsubtype="server-cert-info" hostname="www.fortinet.com" notbefore="2021-03-13T00:00:00Z" notafter="2022-04-13T23:59:59Z" issuer="DigiCert TLS RSA SHA256 2020 CA1" cn="*.fortinet.com" san="*.fortinet.com;www.fortinet.com;fortinet.com" sn="000aa00a00000a00000a00a00aa000a0" ski="df9152b605cc18b346efb34de6907275dbdb2b3c" certhash="1d55cd34a1ed5d3f69bd825a45e04fbd2efba937" keyalgo="rsa" keysize=2048
Sample SSL handshake log
2: date=2021-06-17 time=16:55:26 eventtime=1623974126411127210 tz="-0700" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 srcport=48892 dstip=18.140.21.233 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstuuid="8666f70e-cfb9-51eb-4991-9012417d69da" proto=6 tlsver="tls1.3" sni="www.fortinet.com" cipher="0x1302" authalgo="rsa" kxproto="ecdhe" kxcurve="secp256r1" eventsubtype="handshake-done" hostname="www.fortinet.com" handshake="full" mitm="yes"
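Both sample logs share logid, type, subtype and eventtype; what distinguishes them is eventsubtype (server-cert-info versus handshake-done), and sessionid ties the two events of one connection together. As an added example, not Fortinet code and not taken from this page, the following Python parses FortiGate key=value log lines of this shape, joins the two event kinds by sessionid, and flags what a SOC would typically alert on from these fields: an expired or not-yet-valid certificate, an RSA key shorter than 2048 bits, a hostname that matches neither cn nor san, a legacy TLS version, and a non-forward-secret key exchange. The first two sample lines are the ones from this page; the last two are constructed with deliberately weak values so the checks fire. The finding labels, the 2048-bit threshold and the legacy-version set are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Sample input. Lines 1 and 2 are the server-cert-info and handshake-done events
# shown on this page (same sessionid, one connection). Lines 3 and 4 are
# constructed for this example with weak parameters; they are not real output.
SAMPLE_LOGS = [
    '1: date=2021-06-17 time=16:55:26 eventtime=1623974126384215772 tz="-0700" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 srcport=48892 dstip=18.140.21.233 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstuuid="8666f70e-cfb9-51eb-4991-9012417d69da" proto=6 sni="www.fortinet.com" eventsubtype="server-cert-info" hostname="www.fortinet.com" notbefore="2021-03-13T00:00:00Z" notafter="2022-04-13T23:59:59Z" issuer="DigiCert TLS RSA SHA256 2020 CA1" cn="*.fortinet.com" san="*.fortinet.com;www.fortinet.com;fortinet.com" sn="000aa00a00000a00000a00a00aa000a0" ski="df9152b605cc18b346efb34de6907275dbdb2b3c" certhash="1d55cd34a1ed5d3f69bd825a45e04fbd2efba937" keyalgo="rsa" keysize=2048',
    '2: date=2021-06-17 time=16:55:26 eventtime=1623974126411127210 tz="-0700" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 srcport=48892 dstip=18.140.21.233 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstuuid="8666f70e-cfb9-51eb-4991-9012417d69da" proto=6 tlsver="tls1.3" sni="www.fortinet.com" cipher="0x1302" authalgo="rsa" kxproto="ecdhe" kxcurve="secp256r1" eventsubtype="handshake-done" hostname="www.fortinet.com" handshake="full" mitm="yes"',
    # constructed: expired cert, 1024-bit RSA key, name does not cover the hostname
    '3: date=2021-06-17 time=17:01:02 type="utm" subtype="ssl" eventtype="ssl-negotiation" policyid=1 sessionid=7000 sni="www.example.com" eventsubtype="server-cert-info" hostname="www.example.com" notbefore="2019-01-01T00:00:00Z" notafter="2020-01-01T00:00:00Z" issuer="Example CA" cn="*.example.net" san="*.example.net" keyalgo="rsa" keysize=1024',
    # constructed: TLS 1.0 with static RSA key exchange (no forward secrecy)
    '4: date=2021-06-17 time=17:01:02 type="utm" subtype="ssl" eventtype="ssl-negotiation" policyid=1 sessionid=7000 tlsver="tls1.0" sni="www.example.com" cipher="0x002f" authalgo="rsa" kxproto="rsa" eventsubtype="handshake-done" hostname="www.example.com" handshake="full" mitm="yes"',
]

# key=value pairs; values are either double-quoted (may contain spaces/semicolons)
# or bare tokens such as IPs, ports and timestamps
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

LEGACY_TLS = {"ssl3", "tls1.0", "tls1.1"}   # example policy: anything below TLS 1.2
MIN_RSA_BITS = 2048                          # example policy threshold


def parse_fortigate_log(line):
    """Turn one FortiGate log line into a dict of field -> string value."""
    line = re.sub(r"^\d+:\s*", "", line)     # drop the CLI "N: " index prefix
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_ts(value):
    """Parse the notbefore/notafter format (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hostname_matches(hostname, names):
    """True if hostname equals a name or matches a left-most single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                 # "*.fortinet.com" -> ".fortinet.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:    # wildcard covers exactly one label
                return True
        elif name and host == name:
            return True
    return False


def review_session(events, now):
    """Return finding labels for one sessionid's cert-info and handshake events."""
    findings = []
    for ev in events:
        sub = ev.get("eventsubtype")
        if sub == "server-cert-info":
            if now < parse_ts(ev["notbefore"]):
                findings.append("cert-not-yet-valid")
            if now > parse_ts(ev["notafter"]):
                findings.append("cert-expired")
            if ev.get("keyalgo") == "rsa" and int(ev.get("keysize", "0")) < MIN_RSA_BITS:
                findings.append(f"weak-rsa-key:{ev['keysize']}")
            names = [ev.get("cn", "")] + ev.get("san", "").split(";")
            if not hostname_matches(ev.get("hostname") or ev.get("sni", ""), names):
                findings.append("hostname-mismatch")
        elif sub == "handshake-done":
            if ev.get("tlsver") in LEGACY_TLS:
                findings.append(f"legacy-tls:{ev['tlsver']}")
            if ev.get("kxproto") == "rsa":     # static RSA key exchange, no PFS
                findings.append("no-forward-secrecy")
            # mitm="yes" means the FortiGate re-signed the server certificate
            # (deep inspection); it is context, not a finding, so it is not flagged.
    return findings


def review_logs(lines, now):
    """Group SSL negotiation events by sessionid and review each session."""
    sessions = {}
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") != "ssl" or ev.get("eventtype") != "ssl-negotiation":
            continue
        sessions.setdefault(ev["sessionid"], []).append(ev)
    return {sid: review_session(evs, now) for sid, evs in sessions.items()}


if __name__ == "__main__":
    reference_time = datetime(2021, 6, 17, 23, 55, 26, tzinfo=timezone.utc)
    for sid, findings in review_logs(SAMPLE_LOGS, reference_time).items():
        print(sid, findings or "clean")
```

Run against the sample lines with a reference time on the log date, session 6361 comes back clean and the constructed session 7000 is flagged for every check; move the reference time past 2022-04-13 and the page's own certificate is reported as expired, which is the kind of drift a scheduled job over these logs should catch.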
To view the logs in the GUI:
- Go to Log & Report > SSL.