david_pereira
Staff & Editor
March 4, 2026

Technical Tip: Explanation of SSL/TLS deep inspection limitation for FortiEDR Collector <> Aggregator/CORE communication

Description

This article describes why FortiEDR does not support SSL/TLS deep packet inspection for the communication between the FortiEDR Collector and the Aggregators and Core.

Scope

FortiEDR.

Solution

FortiEDR does not support SSL/TLS deep packet inspection for the communication between the FortiEDR Collector and the Aggregators and Core, for the following reasons:

  1. Mutual Trust Requirement:

FortiEDR requires a mutual trust relationship between the client (Collector) and the server (Aggregator/Core). This means both the client and the server must trust each other's certificates.
SSL/TLS deep packet inspection is designed for a one-way trust model, in which only the client trusts the server, as in typical online shopping scenarios. An inspecting device terminates the session and presents its own certificate to the Collector, and it does not hold the Collector's client credentials to present to the Aggregator/Core, so neither side of the mutual trust relationship can be satisfied. This model therefore does not fit the mutual trust requirement of FortiEDR.

Figure 1: Example of end-to-end encryption.

  2. SSL connection issues:

Deep inspection can interfere with SSL connections by breaking the end-to-end encryption, which is essential for the secure communication required by FortiEDR. This interference can lead to connection errors, such as the error code -300060, which indicates SSL connection issues.

Figure 2: Example of broken end-to-end encryption.

  3. Security and Functionality:

Disabling deep inspection ensures that the integrity and confidentiality of the communication between the FortiEDR components are maintained.
It prevents potential disruptions in the communication flow, ensuring that FortiEDR can effectively detect and respond to threats in real time.

Recommended configuration:

To ensure proper communication between the FortiEDR Collector and the Aggregators/Core:

Create a firewall rule:
Implement a firewall rule that allows traffic to the Aggregator and Core IP addresses on ports 8081 and 555 without SSL inspection.

Verify connectivity:
Use tools such as 'telnet' and 'Test-NetConnection' to confirm connectivity to the Aggregator and Core servers.
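As an added worked example (not Fortinet or FortiEDR code), the following Python script automates the two checks above from a host on the Collector's network path. It performs a TCP reachability test on ports 8081 and 555, which is what 'telnet' and 'Test-NetConnection' give you, and, when a CA bundle is supplied, a TLS handshake that verifies the Aggregator/Core certificate only against that bundle. If a device in the path is re-signing the session, that verification fails with a certificate error, which the script reports as 'untrusted-issuer'. The hostnames, the CA bundle path, the result categories and the loopback self-test are assumptions of this example; the Collector's own trust store and the exact error codes it reports are not taken from the article.

```python
"""Pre-flight check for a FortiEDR Collector -> Aggregator/Core path.

Added example for this article; it is not FortiEDR or Fortinet code.
Hostnames and the CA bundle path below are placeholders.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORTS: Tuple[int, ...] = (8081, 555)  # Aggregator/Core ports named in the article


@dataclass
class PathCheck:
    host: str
    port: int
    tcp_open: bool
    tls: str  # "ok" | "not-checked" | "untrusted-issuer" | "handshake-failed" | "unknown"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP-level check, equivalent to 'telnet host port' or Test-NetConnection -Port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_tls_error(exc: BaseException) -> str:
    """Coarse classification of a failed handshake (categories are this example's own).

    A certificate verification error means the certificate seen on the wire does not
    chain to the expected CA: either the server certificate is wrong, or something in
    the path replaced it (SSL inspection).  Any other SSL/socket error is a generic
    handshake failure.  An Aggregator enforcing mutual TLS may also reject a client
    that offers no certificate, so "handshake-failed" alone does not prove inspection.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-issuer"
    if isinstance(exc, (ssl.SSLError, OSError)):
        return "handshake-failed"
    return "unknown"


def tls_trust_status(host: str, port: int, ca_bundle: str, timeout: float = 3.0) -> str:
    """Handshake that verifies the peer only against `ca_bundle` (PEM file, placeholder).

    A missing bundle raises before the try block on purpose: that is a local
    misconfiguration, not a path problem, and should not be reported as one.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # also checks hostname vs. cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except Exception as exc:  # every failure is classified, never swallowed silently
        return classify_tls_error(exc)


def check_path(host: str, ports: Tuple[int, ...] = PORTS,
               ca_bundle: Optional[str] = None) -> List[PathCheck]:
    """Run the TCP check on every port and, when a CA bundle is given, the TLS check too."""
    results: List[PathCheck] = []
    for port in ports:
        tcp_open = tcp_reachable(host, port)
        tls = tls_trust_status(host, port, ca_bundle) if (tcp_open and ca_bundle) else "not-checked"
        results.append(PathCheck(host, port, tcp_open, tls))
    return results


def local_self_test() -> Dict[str, object]:
    """Offline demonstration with constructed inputs: a loopback listener must be
    reachable, the same port must be unreachable once the listener is closed, and
    two constructed exceptions must land in the expected categories."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return {
        "listener_open": while_open,
        "listener_closed": after_close,
        "verify_error_class": classify_tls_error(
            ssl.SSLCertVerificationError("constructed: certificate verify failed")),
        "refused_class": classify_tls_error(ConnectionRefusedError()),
    }


if __name__ == "__main__":
    # Placeholder names; replace with the real Aggregator/Core addresses and pass
    # ca_bundle="/path/to/collector-trusted-ca.pem" to enable the TLS check.
    for target in ("aggregator.example.internal", "core.example.internal"):
        for r in check_path(target, ca_bundle=None):
            print(f"{r.host}:{r.port} tcp_open={r.tcp_open} tls={r.tls}")
    print("loopback self-test:", local_self_test())
```

Run it with `python3` from a machine that sits on the same path as the Collector. A result of tcp_open=False on 8081 or 555 points at the firewall rule; tcp_open=True with tls=untrusted-issuer points at an inspection profile still applied to that traffic. Because the default SSL context also matches the hostname against the certificate, connect by whatever name or IP the Aggregator/Core certificate was issued for.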