FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
CarlosColombini
Article Id 285680
Description

This article describes the configuration required to allow traffic to the ZTNA Access Proxy Server when FortiGate is running FIPS-CC mode.

Consider a ZTNA Access Proxy server configured as in any of the examples from the documentation below:

ZTNA configuration examples

When a user attempts a connection to the external IP address or FQDN and port of the ZTNA Server VIP, it will fail and ZTNA traffic logs will not be generated.

The same occurs to traffic triggered by a ZTNA Destination rule for TCP Forwarding traffic.

A packet capture will show the TCP handshake established from the endpoint to FortiGate Access proxy VIP, but the TLS handshake will fail and only a Client Hello packet will be seen.

The reason there is no Server Hello packet for the TLS handshake is that the proxy service (WAD) in FortiGate rejects the cipher sent in the Client Hello and drops the connection.

If debug logs are enabled for the proxy service (WAD) with the commands below, the following errors will be displayed:

diagnose wad debug enable all
diagnose wad filter src <client public IP>
diagnose debug enable

[I][p:3476][s:27231] wad_vs_ssl_port_caps_c2p_on_client_hello:9693 1:Colombas-FIPS: wsp(0x7ff7ad9ed048) handshake recv ClientHello record 3.1 client 3.3 supported 3.4
[V][p:3476][s:27231] wad_vs_proxy_match_vhost :3845 1:Colombas-FIPS: matching vhost by: 192.168.10.240
[V][p:3476][s:27231] wad_vs_matcher_map_find :635 Empty matcher!
[V][p:3476][s:27231] wad_vs_proxy_match_vhost :3848 1:Colombas-FIPS: no host matched.
[I][p:3476][s:27231] wad_vs_ssl_port_client_hello_validate_psk:8444 vsp(0x7ff7ad9ed048)
[V][p:3476][s:27231] wad_ssl_port_c2p_validate_psk :7315 wsp=0x7ff7ad9ed048/10 id=(nil) modes=0
[W][p:3476][s:27231] wad_ssl_port_c2p_validate_psk :7321 wsp=0x7ff7ad9ed048/10 no psk id!
[I][p:3476][s:27231] wad_vs_ssl_port_client_hello_validate_psk:8467 wsp(0x7ff7ad9ed048/10) verified PSK: 0
[I][p:3476][s:27231] wad_vs_find_tls_1_3_cipher :8954 wsp(0x7ff7ad9ed048/10) cs_pre=0000 g_pre=0
[E][p:3476][s:27231] wad_vs_find_tls_1_3_cipher :9038 wsp 0x7ff7ad9ed048 ssl no matching CipherSuite, abort
[I][p:3476][s:27231] wad_ssl_app_port_fts_in_close :17208 sp=0x7ff7ad9ed048/10 recv close request from fts close-type=0 closed=0
[I][p:3476][s:27231] wad_ssl_port_task_end :15356 sp=0x7ff7ad9ed048/10 state=1 good=0
[I][p:3476][s:27231] wad_tcp_port_proc_end :799 tcp=0x7ff7af15b048 socket=47 good=0 both ends closed.

The proxy service is unable to find a compatible cipher suite, in particular when the same cipher suite can also be used with a TLS version lower than 1.3, so it rejects the cipher and closes the connection.
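As an added example (not part of the original article or of FortiOS), the following Python decoder extracts from a ClientHello record the same fields the WAD debug line reports (record version, client version, supported_versions) together with the offered cipher suites, split into TLS 1.3 suites and legacy suites, so that a packet capture of the failing VIP connection can be read against the log. The sample ClientHello is constructed by build_client_hello, not taken from a real capture.

```python
import struct

TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256"}  # RFC 8446 B.4 code points
SUPPORTED_VERSIONS_EXT = 43  # supported_versions extension type (RFC 8446)

def version_str(v):
    """Render a 2-byte version the way the WAD log does: 3.1 = TLS 1.0, 3.3 = 1.2, 3.4 = 1.3."""
    return f"{v >> 8}.{v & 0xff}"

def u16(data, pos):
    return struct.unpack("!H", data[pos:pos + 2])[0]

def build_client_hello(cipher_suites, supported_versions, record_ver=0x0301, client_ver=0x0303):
    """Build a minimal ClientHello record (constructed test input, not a real capture)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    versions = b"".join(struct.pack("!H", v) for v in supported_versions)
    ext = struct.pack("!B", len(versions)) + versions
    extensions = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext)) + ext
    body = (struct.pack("!H", client_ver) + bytes(32) + b"\x00"        # version, random, no session_id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"     # suites, null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, record_ver, len(handshake)) + handshake

def parse_client_hello(data):
    """Return the versions and cipher suites a ClientHello offers, labelled as the WAD log shows them."""
    ctype, rec_ver, _ = struct.unpack("!BHH", data[:5])
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                      # past handshake type and 3-byte length
    client_ver = u16(data, pos)
    pos += 2 + 32                                # legacy_version, random
    pos += 1 + data[pos]                         # session_id
    n = u16(data, pos)
    suites = [u16(data, i) for i in range(pos + 2, pos + 2 + n, 2)]
    pos += 2 + n
    pos += 1 + data[pos]                         # compression_methods
    end, pos, supported = pos + 2 + u16(data, pos), pos + 2, []
    while pos < end:                             # walk extensions looking for supported_versions
        etype, elen = u16(data, pos), u16(data, pos + 2)
        pos += 4
        if etype == SUPPORTED_VERSIONS_EXT:      # 1-byte list length, then 2-byte versions
            supported = [u16(data, i) for i in range(pos + 1, pos + 1 + data[pos], 2)]
        pos += elen
    return {"record": version_str(rec_ver), "client": version_str(client_ver),
            "supported": [version_str(v) for v in supported],
            "tls13_suites": [TLS13_SUITES[cs] for cs in suites if cs in TLS13_SUITES],
            "legacy_suites": [f"0x{cs:04x}" for cs in suites if cs not in TLS13_SUITES]}
```

A ClientHello whose supported_versions contains 3.4 is the case the log above shows; after the workaround the VIP negotiates at most TLS 1.2 and the TLS 1.3 suites are no longer needed to match.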

Scope

FortiOS FIPS-CC v7.0+, v7.2+, v7.4+, ZTNA Access Proxy.

Solution

This is a known issue registered under ID 917883. Development is investigating but there is no ETA as of now.
The workaround is to disable TLS 1.3 for the ZTNA Access Proxy VIP with the command 'set ssl-max-version tls-1.2'.

config firewall vip
    edit <ztna server vip name>
        set ssl-max-version tls-1.2
    next
end

Comments
gagandeeps
Staff

Thank you Carlos for this share