JordAnge
Staff
June 25, 2025

Troubleshoot Tip: Editing a read-only SSL-SSH profile

Description

This article describes how to edit a read-only SSL-SSH profile.

In FortiOS, there are three pre-configured read-only SSL-SSH profiles that cannot be deleted or edited: certificate-inspection, deep-inspection and no-inspection.

Scope

FortiGate.

Solution

HTTP over TLS (HTTPS, RFC 2818) uses TCP port 443 by default, and the read-only 'deep-inspection' profile only lists port 443 in its HTTPS section. When a website is served on a non-standard port (for example 9443), a policy that uses 'deep-inspection' will not decrypt and inspect that traffic.

The recommended approach is to clone 'deep-inspection' and make the changes on the clone. However, when a large number of policies reference the 'deep-inspection' profile, re-pointing each of them to the clone is time-consuming.

 

Because the read-only profiles can only be modified by the system itself, no administrator account can edit or delete them, regardless of the admin-profile privileges. Any attempt from the CLI fails:

 

config vdom
edit FTNT-Test
current vf=FTNT-Test:3

config firewall ssl-ssh-profile
edit deep-inspection

Cannot modify the read-only factory default profiles!
node_check_object fail! for name deep-inspection
value parse error before 'deep-inspection'
Command fail. Return code -657

 

An Automation Stitch can be used to perform changes on read-only profiles.
Note: Automation Stitches are executed by the system, not by the logged-in administrator, which is why the CLI script they run is allowed to modify a read-only profile.

 

By default, the read-only 'deep-inspection' profile is pre-configured as follows:

 

config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
    next
end

 

Example: adding ports to the HTTPS inspection section of the read-only 'deep-inspection' profile. The automation-action holds the CLI script, the automation-trigger is a schedule, and the automation-stitch ties the two together.

 

config system automation-action
    edit "edit_ssl-ssh_read-only"
        set action-type cli-script
        set minimum-interval 1
        set script "end
config vdom
    edit FTNT-Test
        config firewall ssl-ssh-profile
            edit deep-inspection
                config https
                    set ports 443 9443 10443
                    set status deep-inspection
                    set unsupported-ssl-version allow
                end
            end"
        set accprofile "super_admin"
    next
end

config system automation-trigger
    edit "edit-ssl-ssh_red-only_schedule"
        set trigger-type scheduled
        set trigger-minute 1
    next
end

config system automation-stitch
    edit "FTNT-Test"
        set trigger "edit-ssl-ssh_red-only_schedule"
        config actions
            edit 1
                set action "edit_ssl-ssh_read-only"
                set required enable
            next
        end
    next
end

 

Note: If multiple VDOMs are not enabled, remove the 'config vdom' and 'edit FTNT-Test' lines from the script in the automation-action.

Two points to keep in mind. The script runs with the 'super_admin' access profile, and because the trigger is of type scheduled, the stitch will also fire on its schedule and re-apply the script; disable or delete the stitch once the change is in place. Also, 'set unsupported-ssl-version allow' in the example is not part of the factory default profile shown above; include it only if that behaviour is intended, since the profile is referenced by every policy that uses 'deep-inspection'.
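As an added example (not code from the article or from Fortinet), the following Python script ties together the two problems above: it parses a profile dump such as the one shown earlier, reports which observed HTTPS destination ports the profile leaves undecrypted, and builds the script body for the cli-script automation-action, adding the 'config vdom' wrapper only when a VDOM name is given. The sample profile dump is constructed (abridged to the https and ssh sections), the list of observed ports is constructed, and the function names are the example's own.

```python
"""Added example (not from the article or Fortinet): parse a FortiOS
'show firewall ssl-ssh-profile' dump, find HTTPS ports that the profile
will not deep-inspect, and build the cli-script body for an
automation-action that adds them while keeping the existing ports."""

import shlex

# Constructed sample of the factory 'deep-inspection' profile, abridged to
# the sections needed here (matches the defaults listed in the article).
SAMPLE_PROFILE = """\
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts.

    'config X' and 'edit X' open a block keyed by X, 'set k v...' stores
    a value list, 'next' closes an edit, and 'end' closes the enclosing
    config table, including an edit still open inside it (CLI semantics).
    """
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names and comments
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            child = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((kw, child))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":
            while len(stack) > 1:
                kind, _ = stack.pop()
                if kind == "config":
                    break
    return root


def https_ports(profile_dump, name="deep-inspection"):
    """Ports on which the named profile performs HTTPS deep inspection."""
    prof = parse_fortios(profile_dump)["firewall ssl-ssh-profile"][name]
    https = prof.get("https", {})
    if https.get("status", ["disable"])[0] != "deep-inspection":
        return set()  # certificate-inspection or disabled: nothing decrypted
    return {int(p) for p in https.get("ports", [])}


def uninspected_ports(profile_dump, observed_ports, name="deep-inspection"):
    """Observed HTTPS destination ports the profile will pass undecrypted."""
    return sorted(set(observed_ports) - https_ports(profile_dump, name))


def build_cli_script(profile_dump, extra_ports, vdom=None, name="deep-inspection"):
    """Body for 'set script' of a cli-script automation-action.

    Merges extra_ports with the ports already configured so the change is
    additive. vdom is the VDOM holding the profile; pass None on a unit
    without multiple VDOMs, in which case no 'config vdom' lines are emitted.
    """
    ports = sorted(https_ports(profile_dump, name) | {int(p) for p in extra_ports})
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid TCP ports: {bad}")
    body = [
        "config firewall ssl-ssh-profile",
        f"edit {name}",
        "config https",
        "set ports " + " ".join(str(p) for p in ports),
        "set status deep-inspection",
        "end",  # closes 'config https'
        "end",  # saves the edit and leaves the profile table
    ]
    if vdom:
        body = ["config vdom", f"edit {vdom}"] + body + ["end"]
    return "\n".join(body)


if __name__ == "__main__":
    seen = [443, 9443, 10443]  # constructed: HTTPS ports seen in traffic logs
    print("not deep-inspected:", uninspected_ports(SAMPLE_PROFILE, seen))
    print(build_cli_script(SAMPLE_PROFILE, seen, vdom="FTNT-Test"))
```

Run the check against the output of 'show firewall ssl-ssh-profile deep-inspection' before and after the stitch has executed: the list of uninspected ports should be empty afterwards, which is a more reliable confirmation than reading the screenshot.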

 

Finally, trigger the automation-stitch with the following command:

 

diagnose automation test <automation-stitch-name>

 

For example:

 


 

FortiGate-1100E (global) # diagnose automation test FTNT-Test

automation test is done. stitch:FTNT-Test

 

After the stitch has run, the read-only 'deep-inspection' profile shows the additional HTTPS ports, which can be verified with 'show firewall ssl-ssh-profile deep-inspection'.