FortiGate
Rosalyn
Staff
Article Id 192298

Description


This article describes the behaviour of a proxy-based policy: by default, the FortiGate completes the TCP 3-way handshake with the client itself, so the client-side connection is established even if the 3-way handshake between the FortiGate and the server never completes.

With 'set proxy-after-tcp-handshake enable', the TCP 3-way handshake is initially handled by the IPS engine instead of the proxy.
Only once the handshake with the server has been established does the FortiGate reconstruct the sockets and redirect the session back to the proxy.

This article describes how to enable the proxy-after-tcp-handshake setting.


This feature is supported on FortiOS v6.4 and later versions.


Solution

To enable the setting in an SSL/SSH profile:

config firewall ssl-ssh-profile
    edit "test"
        config https
            set ports 443
            set status certificate-inspection
            set proxy-after-tcp-handshake enable   <--
        end
    next
end

To enable the setting in protocol options:

config firewall profile-protocol-options
    edit "test"
        config http
            set ports 80
            set proxy-after-tcp-handshake enable   <--
            unset options
            unset post-lang
        end
    next
end
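The two CLI snippets above show the setting on a single profile. On a firewall with many SSL/SSH and protocol-options profiles it is easy to miss one, so the following script, an added example that is not part of this article or of FortiOS, parses a FortiOS configuration dump (the nested config/edit/set/unset/next/end grammar) and reports, per profile, whether 'proxy-after-tcp-handshake' is enabled in the https or http block. The sample configuration text is constructed for the example; the "legacy" profile in it is a hypothetical profile where the line is absent, which the script reports as not enabled. The script only reads text and never talks to a device.

```python
"""Audit a FortiOS configuration dump for proxy-after-tcp-handshake.

Constructed example: the config text below mimics the output of
'show firewall ssl-ssh-profile' / 'show firewall profile-protocol-options'.
"""
import shlex

# Constructed sample; "legacy" is a hypothetical profile missing the setting.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "test"
        config https
            set ports 443
            set status certificate-inspection
            set proxy-after-tcp-handshake enable
        end
    next
    edit "legacy"
        config https
            set ports 443
            set status certificate-inspection
        end
    next
end
config firewall profile-protocol-options
    edit "test"
        config http
            set ports 80
            set proxy-after-tcp-handshake enable
            unset options
            unset post-lang
        end
    next
end
"""

# Which table / protocol block carries the setting, per the article.
CHECKS = {
    "firewall ssl-ssh-profile": "https",
    "firewall profile-protocol-options": "http",
}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config a b' and 'edit "n"' open a child dict keyed by the name;
    'set k v...' stores k -> [v...]; 'unset k' stores k -> None;
    'next' and 'end' close the innermost open block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles the quoted edit names
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            child = {}
            stack[-1][" ".join(tokens[1:])] = child
            stack.append(child)
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword == "unset":
            stack[-1][tokens[1]] = None
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{keyword}': {line}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def audit_proxy_after_handshake(tree):
    """Return {(table, profile, protocol): enabled} for every protocol block.

    A profile whose block lacks the line is reported as False (not enabled).
    """
    results = {}
    for table, proto in CHECKS.items():
        for profile, body in tree.get(table, {}).items():
            block = body.get(proto)
            if not isinstance(block, dict):
                continue  # protocol block not configured on this profile
            value = block.get("proxy-after-tcp-handshake")
            results[(table, profile, proto)] = value == ["enable"]
    return results


if __name__ == "__main__":
    for (table, profile, proto), enabled in sorted(
        audit_proxy_after_handshake(parse_fortios(SAMPLE_CONFIG)).items()
    ):
        state = "enabled" if enabled else "NOT enabled"
        print(f"{table} / {profile} / {proto}: proxy-after-tcp-handshake {state}")
```

Feed it a real dump by replacing SAMPLE_CONFIG with the text of 'show full-configuration' for the two tables; profiles listed as "NOT enabled" still let the client-side handshake complete independently of the server, which is the behaviour the Description section explains.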