Fortinet 653 FortiWeb 5.0 Patch 6 Administration Guide
Debugging the packet processing flow
If you have determined that network traffic is not entering and leaving the FortiWeb appliance as
expected, or not flowing through policies and scans as expected, you can debug the packet
flow using the CLI.
diagnose debug enable
diagnose debug flow filter policy policy-name Policy1
diagnose debug flow filter policy source-ip 172.16.1.20
For details, see the FortiWeb CLI Reference.
Checking the SSL/TLS handshake & encryption
If the client is attempting to make an HTTPS connection, but the attempt fails after the
connection has been initiated, during negotiation, the problem may be with SSL/TLS.
Symptoms may include error messages such as:
ssl_error_no_cypher_overlap
(Mozilla Firefox 9.0.1)
Error 113 (net::ERROR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
(Google Chrome 16.0.912.75 m)
Expected SSL/TLS behavior varies by SSL inspection vs. SSL offloading (see “Offloading vs. inspection” on page 277):
SSL offloading — Reverse proxy mode only (see “Supported features in each operation mode” on page 62).
The handshake is between the client and FortiWeb. If the connection cannot be established, verify that the browser supports one of the key exchanges, encryption algorithms, and authentication (hashes) offered by FortiWeb. See “Supported cipher suites & protocol versions” on page 279.
SSL inspection — Offline protection mode and transparent inspection mode only.
The handshake is between the client and the web server. If the connection cannot be established, verify that the browser supports one of the key exchanges, encryption algorithms, and authentication (hashes) suggested by the web server. Server-side, you must also verify that your web server supports enough cipher suites that all required clients can connect.
If you are not sure which cipher suites are currently supported, you can use SSL tools such as
OpenSSL to discover support. For example, you could use this client-side command to know
whether the web server or FortiWeb supports strong (HIGH) encryption:
openssl s_client -connect example.com:443 -cipher HIGH
Google Chrome will prefer an anonymous Diffie-Hellman key exchange. This has the property of
perfect forward secrecy, which makes SSL inspection theoretically impossible. To guarantee
that this is not used to hide attacks from FortiWeb, you must disable it on your web server. On
Apache, you would add !ADH to the SSLCipherSuite configuration line. For example:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
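The single openssl s_client check above, extended into a per-suite scan that also flags the anonymous (ADH/AECDH) suites this section says to remove. This is an added example, not part of the FortiWeb guide; it assumes the openssl CLI plus POSIX sed, tr and head, and that you supply the host:port of your own web server or FortiWeb virtual server.

```shell
#!/bin/sh
# Added example, not from the FortiWeb guide: extend "openssl s_client -cipher HIGH"
# into a per-suite scan and flag anonymous (ADH/AECDH) suites, which the guide
# says to disable for inspection. Assumes openssl and POSIX sed/tr/head.

# Pull the negotiated suite out of s_client output. s_client prints
# "New, <proto>, Cipher is <name>" on success and "Cipher is (NONE)" on failure.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^.*Cipher is \([^ ]*\).*$/\1/p' | head -n 1
}

# True (exit 0) when the suite uses an anonymous key exchange: no server
# certificate takes part, so an inspecting device has nothing to verify.
is_anonymous() {
    case "$1" in
        ADH-*|AECDH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Try one suite against a live server (needs network; the offline test skips it).
# -no_tls1_3 stops TLS 1.3 bypassing -cipher on OpenSSL >= 1.1.1; drop it on older builds.
probe_cipher() {
    out=$(openssl s_client -connect "$1" -cipher "$2" -no_tls1_3 </dev/null 2>&1) || true
    negotiated_cipher "$out"
}

# Walk every suite in an OpenSSL cipher list (HIGH, ALL, ...) and report which
# ones the server accepts; anonymous suites are called out for removal.
scan_server() {
    for suite in $(openssl ciphers "$2" | tr ':' ' '); do
        got=$(probe_cipher "$1" "$suite")
        case "$got" in
            '(NONE)'|'') printf 'rejected  %s\n' "$suite" ;;
            *) if is_anonymous "$got"; then
                   printf 'ACCEPTED  %s  (anonymous: add !ADH:!AECDH)\n' "$got"
               else
                   printf 'accepted  %s\n' "$got"
               fi ;;
        esac
    done
}

# Constructed s_client output fragments used to exercise the parser offline.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'
SAMPLE_FAIL='SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
```

Run it against a live endpoint with `scan_server example.com:443 HIGH`; any line marked ACCEPTED with an anonymous suite means the !ADH change above has not taken effect.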