Enhance TLS logging 7.0.1
New options have been added to the SSL/SSH profile to log server certificate information and TLS handshakes. New fields are added to the UTM SSL logs when these options are enabled.

config firewall ssl-ssh-profile
    edit <name>
        set ssl-server-cert-log {enable | disable}
        set ssl-handshake-log {enable | disable}
    next
end
To enable logging of server certificate information and TLS handshakes:
  1. Configure the SSL/SSH protocol options:
    config firewall ssl-ssh-profile
        edit "deep-inspection-clone"
            set comment "Read-only deep inspection profile."
            config https
                set ports 443
                set status deep-inspection
            end
            ...
            set ssl-exemptions-log enable
            set ssl-negotiation-log enable
            set ssl-server-cert-log enable
            set ssl-handshake-log enable
        next
    end
    Note

    In FortiOS 7.0.2 and later, the ssl-exemptions-log option is renamed to ssl-exemption-log.

  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
            set logtraffic all
            set nat enable
        next
    end
Sample SSL server certificate log
1: date=2021-06-17 time=16:55:26 eventtime=1623974126384215772 tz="-0700" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 srcport=48892 dstip=18.140.21.233 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstuuid="8666f70e-cfb9-51eb-4991-9012417d69da" proto=6 sni="www.fortinet.com" eventsubtype="server-cert-info" hostname="www.fortinet.com" notbefore="2021-03-13T00:00:00Z" notafter="2022-04-13T23:59:59Z" issuer="DigiCert TLS RSA SHA256 2020 CA1" cn="*.fortinet.com" san="*.fortinet.com;www.fortinet.com;fortinet.com" sn="000aa00a00000a00000a00a00aa000a0" ski="df9152b605cc18b346efb34de6907275dbdb2b3c" certhash="1d55cd34a1ed5d3f69bd825a45e04fbd2efba937" keyalgo="rsa" keysize=2048
Sample SSL handshake log
2: date=2021-06-17 time=16:55:26 eventtime=1623974126411127210 tz="-0700" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 srcport=48892 dstip=18.140.21.233 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstuuid="8666f70e-cfb9-51eb-4991-9012417d69da" proto=6 tlsver="tls1.3" sni="www.fortinet.com" cipher="0x1302" authalgo="rsa" kxproto="ecdhe" kxcurve="secp256r1" eventsubtype="handshake-done" hostname="www.fortinet.com" handshake="full" mitm="yes"
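The two sample records above are written as FortiOS key=value log lines and share a sessionid, so the certificate event and the handshake event for one TLS session can be joined. The following is an added example, not Fortinet code: it parses both sample lines (embedded here as constructed copies of the page's samples), joins them per session, and applies the checks an analyst would typically run over these new fields: certificate expiry, RSA key size, SNI against CN/SAN, legacy TLS version, and whether the session was actually decrypted (mitm="yes"). The cipher-id table is the TLS 1.3 suite list from RFC 8446; the 30-day expiry window and the set of "legacy" versions are assumptions chosen for the example.

```python
import re
from datetime import datetime, timezone

# Constructed copies of the two sample log lines shown on the page.
SAMPLE_LOGS = [
    '1: date=2021-06-17 time=16:55:26 eventtime=1623974126384215772 tz="-0700" logid="1702062103" '
    'type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" '
    'policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 '
    'srcport=48892 dstip=18.140.21.233 dstport=443 proto=6 sni="www.fortinet.com" '
    'eventsubtype="server-cert-info" hostname="www.fortinet.com" notbefore="2021-03-13T00:00:00Z" '
    'notafter="2022-04-13T23:59:59Z" issuer="DigiCert TLS RSA SHA256 2020 CA1" cn="*.fortinet.com" '
    'san="*.fortinet.com;www.fortinet.com;fortinet.com" sn="000aa00a00000a00000a00a00aa000a0" '
    'ski="df9152b605cc18b346efb34de6907275dbdb2b3c" certhash="1d55cd34a1ed5d3f69bd825a45e04fbd2efba937" '
    'keyalgo="rsa" keysize=2048',
    '2: date=2021-06-17 time=16:55:26 eventtime=1623974126411127210 tz="-0700" logid="1702062103" '
    'type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="vdom1" action="info" '
    'policyid=1 sessionid=6361 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.11 '
    'srcport=48892 dstip=18.140.21.233 dstport=443 proto=6 tlsver="tls1.3" sni="www.fortinet.com" '
    'cipher="0x1302" authalgo="rsa" kxproto="ecdhe" kxcurve="secp256r1" eventsubtype="handshake-done" '
    'hostname="www.fortinet.com" handshake="full" mitm="yes"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# TLS 1.3 cipher suite identifiers (RFC 8446, Appendix B.4).
TLS13_CIPHERS = {
    "0x1301": "TLS_AES_128_GCM_SHA256",
    "0x1302": "TLS_AES_256_GCM_SHA384",
    "0x1303": "TLS_CHACHA20_POLY1305_SHA256",
}
LEGACY_TLS = {"ssl3", "tls1.0", "tls1.1"}   # assumption for this example
EXPIRY_WARN_DAYS = 30                        # assumption for this example


def parse_fortios_log(line):
    """Turn one FortiOS log line into a dict, dropping the 'N: ' prefix of 'execute log display'."""
    line = re.sub(r"^\d+:\s*", "", line)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def utc(date_str):
    """Parse 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in date_str else "%Y-%m-%d"
    return datetime.strptime(date_str, fmt).replace(tzinfo=timezone.utc)


def cipher_name(cipher_id):
    return TLS13_CIPHERS.get(cipher_id.lower(), "unknown")


def name_matches(host, names):
    """True if host equals a name or matches a single-label wildcard like *.example.com."""
    host = host.lower()
    for n in names:
        n = n.lower()
        if n.startswith("*."):
            suffix = n[1:]                      # ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif n == host:
            return True
    return False


def review_sessions(records, now):
    """Join server-cert-info and handshake-done events by sessionid and flag review findings."""
    by_session = {}
    for r in records:
        by_session.setdefault(r["sessionid"], {})[r.get("eventsubtype")] = r
    out = {}
    for sid, ev in by_session.items():
        issues, cert, hs = [], ev.get("server-cert-info"), ev.get("handshake-done")
        if cert:
            notafter = utc(cert["notafter"])
            if notafter < now:
                issues.append("cert-expired")
            elif (notafter - now).days <= EXPIRY_WARN_DAYS:
                issues.append("cert-expiring")
            if cert.get("keyalgo") == "rsa" and int(cert["keysize"]) < 2048:
                issues.append("weak-rsa-key")
            if not name_matches(cert["sni"], [cert["cn"]] + cert["san"].split(";")):
                issues.append("sni-mismatch")
        if hs:
            if hs.get("tlsver") in LEGACY_TLS:
                issues.append("legacy-tls")
            if hs.get("mitm") != "yes":         # session was not decrypted by the FortiGate
                issues.append("not-inspected")
        out[sid] = {"issues": issues,
                    "cipher": cipher_name(hs["cipher"]) if hs else None,
                    "tlsver": hs.get("tlsver") if hs else None}
    return out


if __name__ == "__main__":
    recs = [parse_fortios_log(l) for l in SAMPLE_LOGS]
    # Evaluate against the day the logs were written and against a date shortly before expiry.
    for when in ("2021-06-17", "2022-04-01"):
        print(when, review_sessions(recs, utc(when)))
```

Run against the page's own samples, session 6361 is clean on the log date (TLS 1.3 with TLS_AES_256_GCM_SHA384, SNI covered by the wildcard CN, decrypted) and only picks up cert-expiring once the evaluation date is within the window of the certificate's notafter value.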
To view the logs in the GUI:
  1. Go to Log & Report > SSL.