Fortinet 653 FortiWeb 5.0 Patch 6 Administration Guide
Debugging the packet processing flowIf you have determined that network traffic is not entering and leaving the FortiWeb appliance as
expected, or not flowing through policies and scans as expected, you can debug the packet
flow using the CLI.
diagnose debug enable
diagnose debug flow filter policy policy-name Policy1
diagnose debug flow filter policy source-ip 172.16.1.20
For details, see the FortiWeb CLI Reference.
Checking the SSL/TLS handshake & encryptionIf the client is attempting to make an HTTPS connection, but the attempt fails after the
connection has been initiated, during negotiation, the problem may be with SSL/TLS.
Symptoms may include error messages such as:
•ssl_error_no_cypher_overlap
(Mozilla Firefox 9.0.1)
•Error 113 (net::ERROR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown
error.
(Google Chrome 16.0.912.75 m)
Expected SSL/TLS behavior varies by SSL inspection vs. SSL offloading (see “Offloading vs.
inspection” on page 277):
•SSL offloading — Reverse proxy mode only (see “Supported features in each operation
mode” on page 62).
The handshake is between the client and FortiWeb. If the connection cannot be established,
verify that the browser supports one of the key exchanges, encryption algorithms, and
authentication (hashes) offered by FortiWeb. See “Supported cipher suites & protocol
versions” on page 279.
•SSL inspection — Offline protection mode and transparent inspection mode only.
The handshake is between the client and the web server. If the connection cannot be
established, verify that the browser supports one of the key exchanges, encryption
algorithms, and authentication (hashes) suggested by the web server. Server-side, you must
also verify that your web server supports enough cipher suites that all required clients can
connect.
If you are not sure which cipher suites are currently supported, you can use SSL tools such as
OpenSSL to discover support. For example, you could use this client-side command to know
whether the web server or FortiWeb supports strong (HIGH) encryption:
openssl s_client -connect example.com:443 -cipher HIGH
Google Chrome will prefer an anonymous Diffie-Hellman key exchange. This has the property of
perfect forward secrecy, which makes SSL inspection theoretically impossible. To guarantee
that this is not used to hide attacks from FortiWeb, you must disable it on your web server. On
Apache, you would add !ADH to the SSLCipherSuite configuration line. For example:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW