Does Fortigate manipulate a certificate traffic?

DashingCodyRhodes · ‎02-26-2024

Hi,

I'm having a issue in the network where we're trying to setup a Bloomberg test connection from one of our local servers. The setup is pretty straight forward:

1. stunnel to load the cert from bloomberg

2. local app to trigger the traffic

This setup works perfectly fine in our Production environment but fails miserably at our UAT. The main error that we keep seeing is TCP_reset_from_client whenever we try to initiate a connection towards them. Bloomberg insist that we're doing something wrong on our network even though we've turned off the ssl cert inspection and allowed all service to pass thru.

My question is, does Fortigate manipulate a cert traffic in any way shape or form? Has anyone experienced this kind of error where a cert you're sending is getting dropped?

Thanks

srajeswaran · ‎02-26-2024

Certificate packets can he of large size and fragmentation/MTU can come into picture and drop it. If we can take a packet capture on ingress and egress interface and compare, it will give us better idea of what is happening.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

smaruvala · ‎02-26-2024

Hello,

As certificates are large they usually be segmented into multiple TCP packets. These packets will usually have the DF or don't fragment bit to set as 1. Most probably the client might have note received the complete SSL/TLS server hello packet with the entire certificate hence it could be sending the RST packet. This is a common issue in the network. So as @srajeswaran mentioned better to take a packet capture and check this. If this is the issue then we can change the MSS Settings in the policy so that a smaller TCP segment size packet can be sent which could prevent the drop of the packet due to fragmentation in your network. Please note that this may not be an issue with the firewall.

Regards,

Shiva

DashingCodyRhodes · ‎02-29-2024

Thanks. I've captured the packet below for reference.

Who causes the RST from the packet below? source or destination?

Thanks

srajeswaran · ‎03-03-2024

10.70.56.119, is sending the RST (source). Also, the connection is reset before any certificate exchange, so the issue may not be related to certificate. Can you confirm from which interface this capture is taken? The interface between Fortigate and Internet or Fortigate and LAN? You may take similar capture from Internal interface and external interface to confirm the behavior.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

DashingCodyRhodes · ‎03-03-2024

That one is the closest to the destination, after that its the Bloomberg router at the prem (colocated).

I have a packet capture closest to the source as well

srajeswaran · ‎03-03-2024

As per this capture there is a Client Hello, as expected. but this packet is missing in the first capture (mostly getting dropped by a firewall/proxy). Can you take a pcap on the Fortigate internal interface, if the Client hello is coming to Fortigate , then Fortigate is dropping it and we need to run additional debugs.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

DashingCodyRhodes · ‎03-05-2024

Hi,

This one is the gateway of the UAT server

This one is the firewall at the DMZ which is directly after the meraki firewall above.

The flow is UAT Server (10.70.56.119) --> Meraki Internal Firewall --> Fortigate Firewall --> Bloomberg.

Thanks