simonz_FTNT
Staff & Editor
August 5, 2022

Technical Tip: Supported interface for SSL Mirror

Description

This article describes which interfaces are supported for SSL mirroring (decrypted-traffic mirror) in proxy inspection mode.

The loopback interface is not supported: if it is used as the mirror interface, the packets in the capture are malformed, as shown in the screenshot below.

[Screenshot: sslmirror_loopback.JPG]

Scope
Solution

If no physical port is available, use a VLAN interface instead by creating a dummy VLAN interface and binding the mirror to it, as below:

 

# config system interface
    edit "vlan600"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 25
        set interface "port9"
        set vlanid 600   <----- Define any VLAN ID that is not used in production.
    next
end

# config firewall decrypted-traffic-mirror
    edit "mirror"
        set interface "vlan600"
    next
end
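As an added check (example code, not Fortinet's), the following Python script parses a FortiOS configuration dump and flags the two pitfalls from this tip: a decrypted-traffic mirror bound to a loopback interface, and a VLAN ID that is already defined on the same parent interface. The embedded sample configuration is constructed, and the parser is a simple line-based one for the two tables involved.

```python
# Added example, not Fortinet's code. Constructed sample: mirror on loopback, VLAN 600 reused.
SAMPLE_CONFIG = """\
config system interface
    edit "lo0"
        set type loopback
    next
    edit "vlan600"
        set interface "port9"
        set vlanid 600
    next
    edit "vlan610"
        set interface "port9"
        set vlanid 600
    next
end
config firewall decrypted-traffic-mirror
    edit "mirror"
        set interface "lo0"
    next
end
"""

def parse_tables(text):  # -> {table: {entry: {key: value}}}; nested sub-tables are skipped
    tables, depth, table, entry = {}, 0, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            table = tables.setdefault(line[7:], {}) if depth == 1 else table
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

def lint_ssl_mirror(text):  # -> list of findings; an empty list means no pitfalls found
    tables = parse_tables(text)
    findings, vlans, ifaces = [], {}, tables.get("system interface", {})
    for name, attrs in ifaces.items():
        if "vlanid" in attrs:  # group VLAN interfaces by (parent interface, VLAN ID)
            vlans.setdefault((attrs.get("interface"), attrs["vlanid"]), []).append(name)
    findings += [f"VLAN ID {vid} on {parent} used by {', '.join(n)}"
                 for (parent, vid), n in vlans.items() if len(n) > 1]
    for name, attrs in tables.get("firewall decrypted-traffic-mirror", {}).items():
        target = attrs.get("interface")
        if ifaces.get(target, {}).get("type") == "loopback":
            findings.append(f"mirror '{name}' uses loopback interface {target}")
    return findings
```

Run it against the output of `show full-configuration` (saved to a file) instead of SAMPLE_CONFIG to lint a real unit.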

 

Reference KB article SSL-Mirror:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Support-SSL-mirroring-in-proxy-mode/ta-p/193622