Technical Tip: Custom Full Inspection with Inspect All Ports
Description
This article describes how to configure the SSL/SSH Inspection profile to inspect traffic on all ports.
By default, the deep-inspection profile does not inspect all ports, so some traffic might not be fully inspected.
Scope
FortiGate v7.0+.
Solution
- Clone the deep-inspection profile. Under Security Profiles -> SSL/SSH Inspection, right-click deep-inspection and select 'Clone'. Provide a new name, for example 'Clone of deep-inspection', and select OK to save.
- Edit the 'Clone of deep-inspection' profile, enable 'Inspect All Ports', and select OK.
- Under Policy & Objects -> Firewall Policy, select the corresponding firewall policy and select 'Edit'. Change 'SSL Inspection' to 'Clone of deep-inspection' and select OK to save.

To enable 'Inspect All Ports' in the CLI:
    config firewall ssl-ssh-profile
        edit "Clone of deep-inspection"
            config ssl
                set inspect-all deep-inspection
            end
        next
    end
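
To confirm the change reached the policies that need it, the following added example (not from the original article or from Fortinet) scans a saved configuration and lists firewall policies whose SSL/SSH profile lacks 'set inspect-all deep-inspection'. The sample configuration is constructed, and treating a profile with no inspect-all line as not inspecting all ports is an assumption.

```python
import shlex
# Constructed sample in FortiOS 'show' layout; not taken from a real device.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set status deep-inspection
        end
    next
    edit "Clone of deep-inspection"
        config ssl
            set inspect-all deep-inspection
        end
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "deep-inspection"
    next
    edit 2
        set ssl-ssh-profile "Clone of deep-inspection"
    next
end
"""

def policies_without_inspect_all(config_text):
    """Return {policy id: profile name} for policies not deep-inspecting all ports."""
    stack, entry = [], None   # open 'config' sections, current top-level 'edit' name
    mode, used = {}, {}       # profile -> inspect-all value, policy id -> profile
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)   # handles quoted names containing spaces
        except ValueError:           # unbalanced quote, e.g. a multi-line value
            tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and len(stack) == 1 and len(tok) > 1:
            entry = tok[1]           # nested 'edit' entries are ignored
        elif tok[0] == "set" and len(tok) >= 3:
            if stack == ["firewall ssl-ssh-profile", "ssl"] and tok[1] == "inspect-all":
                mode[entry] = tok[2]
            elif stack == ["firewall policy"] and tok[1] == "ssl-ssh-profile":
                used[entry] = tok[2]
    # Assumption: a profile with no inspect-all line does not inspect all ports.
    return {pid: p for pid, p in used.items() if mode.get(p) != "deep-inspection"}
```

On the sample, policy 1 is reported because it still references the default deep-inspection profile, while policy 2 uses the clone and is not.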
