- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiGate and Tor
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate and Tor
Hello,
Is it possible to monitor Tor traffic using Fortinet products such as FortiGate? For example, is it possible to find out which website a user goes to through Tor?
Thank you.
Labels:
- Labels:
-
FortiGate
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please check https://community.fortinet.com/t5/FortiGate/Technical-Tip-Blocking-and-monitoring-Tor-traffic/ta-p/1...
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hack3rcon
When you enable tor sensors to monitor traffic, Tor connection will not work. It will be blocked by Fortigate because of Deep inspection.
Tor browser seem to not accept fortigate deep inspection certificate, thus not creating a connection to Tor network. But in this case you will be able to see which site or IP it tries to connect.
Created on 11-02-2023 06:07 AM Edited on 11-02-2023 06:10 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you so much for your reply.
You said "But in this case you will be able to see which site or IP it tries to connect.", so, I can see that the client runs the Tor on the network and what sites it visits through the Tor. Am I right?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will see the IP that Tor browser will try to create first connection.
When you open Tor browser, it tries to connect to Onion network, and starts to establish a connection.
Now Fortigate needs deep inspection enabled otherwise it wont recognize application used and sites visited.
Deep inspection requires usage of FortiGate certificate. Tor browser does not accept that, thus causing connection to not establish.
In Forward logs you will be able to see first IP that is supposed to give access to onion net. But since Tor is not able to connect to onion net, then no websites are browsed and nothing is shown in fortigate.
Hope this explanation is clear
Created on 11-02-2023 10:04 AM Edited on 11-02-2023 10:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you so much again for your reply.
Your answer raised other questions for me:
1- You said "Deep inspection requires usage of FortiGate certificate.", so, the FortiGate can only see the IP address of the Tor entry node. Can we conclude that the FortiGate either blocks the Tor or allows it to pass through?
2- Regarding the FortiGate certificate, is this the certificate that the FortiGate injects into the network traffic? For example, something similar to a certificate in web browsers.
3- If the deep inspection enabled, then can FortiGate see the usernames and passwords that are entered on websites such as Yahoo! And Gmail?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hack3rcon
Let's put it this way.
1. You are using a normal browser to navigate to internet. Use a policy with deep inspection in Fortigate.
Fortigate will use it's certificate to decrypt all traffic, scan make decisions based on the findings, encrypt and send it to server side. For client to accept this connection and not think for a MIDM, it needs to have Fortigate certificate installed. This is because client will see fortigate as server side.
Fortigate in this case will create 2 sessions, Client - Fortigate and Fortigate -Server.
On normal browser, you can install fortigate certificate as trusted root authority and creating ssl/tls sessions.
On tor browser, as far as i know, it is difficult to install certificates. This means that Fortigate will allow or deny traffic based on policy configuration, but Tor browser will not trust fortigate, resulting in session not being created.
2. You are right, this is the certificate used to be injected into network traffic
3. In deep inspection traffic is decrypted, so normally you can see usernames and passwords, but there is no way to extract that information, because decryption happens in hardware level and there is not possible for user to view traffic passing through, unless you configure some port mirroring for decrypted traffic as described in this link:
Technical Tip: Mirroring SSL inspected traffic - Fortinet Community
Regards,
Created on 11-03-2023 01:03 PM Edited on 11-03-2023 01:10 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks again.
Consider a company that uses FortiGate and FortiWeb devices:
1- How can the company install this certificate? Do they have to install it on the users web browser?
2- How can you determine if the administrator of these devices has activated deep inspection or not?
3- If deep inspection is not enabled, and I log into Yahoo! Or Gmail, the device administrator can't find my email password, but can he\she see my email name? For example, he\she notice that my Yahoo! email is example@yahoo.com.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Yes, they have to install it on users web browser
2. If you are not administrator of those devices, it is out of this community scope to give instructions on how to find what type of services has admin activated. ;)
3. If deep inspection is not activated, your web browsing data is not visible (including emails and passwords)
Regards,
Created on 11-04-2023 11:12 AM Edited on 11-04-2023 11:13 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks again for your reply.
1- Is the certificate installation process done automatically without the user's permission?
2- How can I find out if the certificate is installed or not? For example, the certificate of this community was issued by DigiCert Inc. If the certificate is installed, then should I see something like Fortinet instead DigiCert Inc?
Related Posts
Labels
-
FortiGate
6,655 -
FortiClient
1,327 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.