dirkdigs
New Member
July 29, 2014
Question

Can't remove SSL inspection profile

  • 11 replies
  • 17901 views
I have a couple of options on a few policies that I am not able to remove. Firmware 5.2.
*profile-protocol-options    Profile protocol options.
*ssl-ssh-profile    SSL SSH Profile.
Does anyone know why I would not be able to remove them? I do not want to use an SSL inspection profile.


    dirkdigs (Author)
    New Member
    July 29, 2014
    If I uncheck all other UTM features (AV, Web, APP, Email) in the policy, then it allows me to turn off SSL/SSH inspection. As soon as I put any of them back, it comes back by itself. I checked two different units (100D, f/w 5.2) and the behaviour was the same. Can someone explain this to me?
    Warren_Olson_FTNT
    Staff
    July 30, 2014
    I don't know if I would classify this as a bug per se, but I would open a ticket with support. You can still disable all the options within the profile, and the certificate-based check should only apply for webfiltering, which can be disabled in the webfilter profile anyway, so it's probably not a big deal to leave it like that.
    lightmoon1992
    New Member
    July 30, 2014
    You may select an SSL inspection profile by which you disable the inspection for the intended protocol.
    Mohammad
    dirkdigs (Author)
    New Member
    July 30, 2014
    Here you can see it does not allow me to remove it.
    lightmoon1992
    New Member
    July 30, 2014
    But you can still select a new profile, "test" for example, which is configured to disable SSL inspection for the intended protocol. The attached screenshot illustrates the settings.
    Mohammad
    dirkdigs (Author)
    New Member
    July 30, 2014
    My profile options look different. Please take a look. Which inspection method should I use?
    lightmoon1992
    New Member
    July 30, 2014
    You need to select the "Full SSL inspection" radio box under the inspection method.
    Mohammad
    netmin
    New Member
    July 30, 2014
    These changes in 5.2 are documented in the What's New guide ... not an ideal design ... but not a bug either.
    If any security profile is used in a security policy, SSL inspection will automatically be enabled, at which point an SSL mode must be selected ...
    dirkdigs (Author)
    New Member
    July 30, 2014
    OK, I still don't really know what it does. Can anybody explain how it works?
    lightmoon1992
    New Member
    July 30, 2014
    In an SSL inspection profile, you are basically enabling the man-in-the-middle for a specific protocol type (HTTPS, SSH, IMAPS, etc.). This is to tell the FortiGate either to look into the plain-text traffic only, or to put in the effort to intercept encrypted traffic, so it can look into it. This is the simplest explanation, I believe.
    Mohammad
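
Added example, not part of the thread and not Fortinet code: following the 5.2 behaviour quoted above (any security profile on a policy brings an SSL inspection profile with it), this Python script reports, for each policy in a config excerpt, which security profiles are attached and which ssl-ssh-profile the policy references, so the inspection mode of each referenced profile can be reviewed. The config excerpt, policy IDs, profile names and the list of security-profile key names are assumptions constructed for the example.

```python
# Constructed sample in FortiOS CLI style; policy IDs and profile names are made up.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set action accept
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "test"
    next
    edit 2
        set action accept
    next
    edit 3
        set action accept
        set application-list "default"
    next
end
"""

# Policy keys that attach a security profile (assumed names, not taken from the thread).
SECURITY_PROFILE_KEYS = {"av-profile", "webfilter-profile", "application-list",
                         "ips-sensor", "spamfilter-profile"}

def parse_policies(text):
    """Return {policy_id: {key: value}} from the 'edit N ... next' blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = line.split(None, 2)
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = policies.setdefault(tokens[1], {})
        elif tokens and tokens[0] == "next":
            current = None
        elif len(tokens) == 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2].strip().strip('"')
    return policies

def audit(text):
    """Map policy id -> (attached security profiles, ssl-ssh-profile name or None)."""
    report = {}
    for pid, cfg in parse_policies(text).items():
        attached = sorted(k for k in cfg if k in SECURITY_PROFILE_KEYS)
        report[pid] = (attached, cfg.get("ssl-ssh-profile"))
    return report

if __name__ == "__main__":
    for pid, (attached, ssl_profile) in audit(SAMPLE_CONFIG).items():
        print(f"policy {pid}: profiles={attached} ssl-ssh-profile={ssl_profile}")
```

A policy reported with attached profiles and `None` for the SSL inspection profile (policy 3 in the sample) is one where, per the quoted 5.2 behaviour, an SSL mode would have to be selected.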