Abin_FTNT
Staff
September 19, 2016

Technical Tip: Configuring FortiGate to inspect HTTP and HTTPS traffic over non-standard ports


Description

This article describes how to configure FortiGate to inspect HTTP and HTTPS traffic over non-standard ports.

Scope

FortiOS v7.0 and above.

Solution

  1. Add the non-standard ports for HTTP from the CLI:

config firewall profile-protocol-options
    edit <profile name>
        config http
            set ports 80 <----- Ports can be set here.
        end
    next
end

  2. Edit SSL Inspection Profile for HTTPS:

  • Go to Security Profiles > SSL Inspection.
  • Edit or create an SSL Inspection Profile for deep inspection.
  • Add the non-standard ports for HTTPS in the same manner as HTTP. 


  3. Apply the Profiles to a Firewall Policy: Ensure that the newly created or edited Proxy Options and SSL Inspection Profiles are applied to the relevant firewall policy.
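
A CLI form of steps 2 and 3, added here as an example and not part of the original article. The profile names, policy ID 10 and port 8443 are assumed placeholders, and lines beginning with # are annotations for the reader.

```fortios
# Step 2: list the HTTPS ports in the deep-inspection profile.
# "custom-deep-inspection" and port 8443 are placeholder values.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set status deep-inspection
            set ports 443 8443
        end
    next
end

# Step 3: reference both profiles from the firewall policy.
# Policy ID 10 and "custom-proxy-options" are placeholder values;
# "custom-proxy-options" stands for the profile edited in step 1.
config firewall policy
    edit 10
        set profile-protocol-options "custom-proxy-options"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
```

A port that is listed in a profile is inspected only on policies that reference that profile, so each policy carrying the non-standard-port traffic needs both settings.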

     

Additional Notes:

  • Inspect All Ports: To inspect traffic on the non-standard ports, enable the Inspect All Ports option in the SSL/SSH inspection profile.

  • Certificate Management: When enabling deep inspection, ensure that a trusted CA certificate is imported into FortiGate or generated on FortiGate and installed on all client devices to avoid certificate errors.