naveenk, Staff
Article Id 196027

Description

This article describes the case where a FortiGate is sandwiched between SSL encryption and decryption units and how it can inspect the decrypted traffic that passes between them.

Scope

FortiGate.


Solution

When a FortiGate is sandwiched between SSL encryption and decryption units, the FortiGate can process the decrypted traffic that passes between those units.
This feature adds support for such decrypted traffic in application control.
Some pre-defined signatures are pre-marked with the require_ssl_di tag.
The force-inclusion-ssl-di-sigs option under application list allows users to control the inspection of dissected traffic.
When this option is enabled, the IPS engine forces the pre-marked SSL-based signatures to be applied to the decrypted traffic of the respective applications.
In the following topology, SSL Proxy 1 handles the client connection and SSL Proxy 2 handles the server connection, leaving the content unencrypted as it passes through the FortiGate.

To configure SSL-based application detection over decrypted traffic, enable 'force-inclusion-ssl-di-sigs' in the following configuration:

config application list
    edit "test"
        set force-inclusion-ssl-di-sigs enable
    next
end
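As an added example (not part of the article and not Fortinet code), the following Python script audits a FortiOS configuration backup and reports which application lists do not have force-inclusion-ssl-di-sigs enabled, so an administrator can confirm the setting across many lists rather than checking each one in the CLI. The configuration text is constructed for the example; the assumption that the option defaults to disable when it is absent from an entry is marked in the code.

```python
import re

OPTION = "force-inclusion-ssl-di-sigs"
# Assumption: when the option is not set on an entry, FortiOS uses 'disable'.
ASSUMED_DEFAULT = "disable"

# Constructed sample of a FortiOS configuration dump (not from a real device).
SAMPLE_CONFIG = """\
config application list
    edit "test"
        set force-inclusion-ssl-di-sigs enable
        config entries
            edit 1
                set action block
            next
        end
    next
    edit "branch-default"
        set force-inclusion-ssl-di-sigs disable
    next
    edit "legacy"
    next
end
config firewall policy
    edit 1
        set name "outbound"
    next
end
"""


def parse_application_lists(config_text):
    """Return {list_name: value} for the force-inclusion-ssl-di-sigs option of
    every entry under 'config application list' in a FortiOS config dump.
    Nested 'config ... end' blocks inside an entry (such as 'config entries')
    are skipped so their 'edit'/'next'/'end' lines are not misread."""
    results = {}
    in_app_list = False
    current = None
    nested = 0  # depth of nested config blocks inside the current entry
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_app_list:
            if line == "config application list":
                in_app_list = True
            continue
        if current is None:
            m = re.match(r'^edit\s+"?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                results[current] = ASSUMED_DEFAULT
            elif line == "end":
                in_app_list = False  # end of the application list section
            continue
        # Inside an 'edit' entry of the application list.
        if line.startswith("config "):
            nested += 1
        elif line == "end" and nested > 0:
            nested -= 1
        elif nested == 0:
            if line == "next":
                current = None
            else:
                m = re.match(rf"^set\s+{re.escape(OPTION)}\s+(\S+)$", line)
                if m:
                    results[current] = m.group(1)
    return results


def lists_without_ssl_di(config_text):
    """Names of application lists where the option is not enabled."""
    return sorted(
        name
        for name, value in parse_application_lists(config_text).items()
        if value != "enable"
    )


if __name__ == "__main__":
    for name, value in parse_application_lists(SAMPLE_CONFIG).items():
        print(f"{name}: {OPTION} = {value}")
    print("Lists without SSL DI signatures forced:", lists_without_ssl_di(SAMPLE_CONFIG))
```

Run the script against the output of "show application list" or a full configuration backup saved to a file; only lists that explicitly set the option to enable are treated as covered.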
 
Example pre-marked SSL-based signature: