Staff

Technical Tip: How to enable SSL Inspection and deep inspections from CLI and apply it to a policy

Forum|Forum|11 years ago
October 15, 2014
0 replies
38164 views

Description

This article explains the process of enabling SSL inspection or deep inspection through the CLI and how to implement it within a policy.

Scope

FortiGate.

Solution

To add a custom SSL deep inspection profile 'new-deep-inspection', on the CLI console on the FortiGate, run the commands below.

config firewall ssl-ssh-profile

edit new-deep-inspection

config ssl

set inspect-all deep-inspection

end

Note: This will enable the inspection for all ports. SSL Deep Inspection applies to all encrypted traffic (HTTPS, SMTPS, IMAPS, POP3S, FTPS, etc.) regardless of port, as long as the policy uses that profile.

Refer to .

The following commands can be run to view the configuration of the 'new-deep-inspection' profile.

config firewall ssl-ssh-profile

edit new-deep-inspection

show full-configuration

Apply SSL inspection profile on Policy by run the commands below:

config firewall policy

edit [policy_id]

set ssl-ssh-profile new-deep-inspection

next
end

Note:

To avoid the 'certificate error' when enabling the "Deep inspection", note that:

Either import a trusted CA certificate into FortiGate.
Or generate a CA on FortiGate or download the FortiGate's certificate and install it on all client devices as trusted.

This is described in:

Technical Tip: Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryption on SSL Inspection.

If that does not work, the certifiacte 'fortinet_CA' has to be imported under Certificates -> CA certificates. Clear the browser cache and cookies, and then restart the browser.

Refer to .

Additional note:

Previously, on older FortiOS versions (7.0), default SSL/SSH inspection profiles (like certificate-inspection or deep-inspection) were able to be modified directly. However, in more recent FortiOS releases, default security profiles are locked in read-only mode for consistency and security.

To customize these settings, the profile must be cloned from a default profile. This process will allow personalized security configurations without risking the integrity of the built-in, pre-defined profiles.

For example, choose the deep-inspection profile as shown below, and then hit the Clone button at the top:

Deep-inspection clone.PNG

See how to clone a deep-inspection profile via CLI:

config firewall ssl-ssh-profile

clone <existing_profile_name> to <new_profile_name>

end

The profile will be created as shown below:

Clone created.PNG

In the firewall policy, the profile option will show in the SSL deep Inspection drop-down menu as shown below:

The SSL deep Inspection profile will be visible on the Policy list as below:

On the CLI:

config firewall policy

edit 1

set ssl-ssh-profile "Clone of custom-deep-inspection"

Also note that the security profile can be renamed, it does not need to keep the name 'Clone'.

Key notes:

Without CA installation: Clients/Host will see certificate errors for all inspected traffic.
Exemptions: For banking or government sites, add exceptions under SSL/SSH Profile -> Exemptions might be required.
Performance Impact: Deep inspection can be CPU-intensive on high traffic networks.

Related articles:

Troubleshooting Tip: 'Certificate is not a CA file' when importing a CA certificate in FortiGate

Technical Tip: Configuring Inbound SSL Deep Inspection

Technical Tip: How to check which application requires deep SSL inspection under Application Control

Technical Tip: Differences between SSL Certificate Inspection and Full SSL Inspection

Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection

Technical Tip: How to configure wildcard-FQDN custom and group

Technical Tip: Exempting certain categories from SSL inspection