Skip to main content
hetag
hetag
New Member
August 4, 2024
Question

Certificate recommendations

  • August 4, 2024
  • 3 replies
  • 2615 views

On a brand new deployment, I would like to start deploying web filtering. When applying the custom filter to the outbound policy, this requires SSL Inspection. Whether "Certificate-Inspection" or "deep-inspection" require browsers to have at certificate installed

As a test, I have manually installed on my browser the default "Fortinet_CA_SSL"

Is the installation of the Certificate really necessary?

Would it be a best practice to push this certificate to everyone or shall I create a new one? We do not have a CA server

3 replies

mpeddalla
Staff
mpeddalla
Staff
August 4, 2024

Hello @hetag  ,

 

Thank you for contacting the Fortinet Forum portal.

Generally, certificate inspection is used in flow-based inspection, and deep inspection is required when you are using proxy-based inspection and inspecting AV traffic, etc.,

article :

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/505842/certificate-inspection

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/122078/deep-inspection

-In both, you need a certificate if you are doing inspection as below :

https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspection/ta-p/192301

 

1. In certificate-inspection with certificate inspection you do not need a certificate to be installed if you are not inspecting all ports.

2. Certificate inspection with full SSL inspection you need a certificate to be installed.

3. Deep inspection is set to full SSL inspection by default, so you need a certificate to be installed.

 

refer below screenshotcertificateforum.PNG

 

 

Best regards,

Manasa.

 

If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.

    sw2090
    SuperUser
    sw2090
    SuperUser
    August 5, 2024

    basically you will need Deep Packet Inspection if you want to inspect more then http requests or certificates. IPS,AV,APC etc will need to look into your traffic and that requires DPI. 

    And DPI will require a CA or SubCA Certificate because of the way it works. It is basically a man-in-the-middel one so it needs to decrypt https traffic and then re-encrypt it before sending it on to the client. When it re-encrypts traffic it needs to keep the CommonName (CN) or/and SubjectAlternae Name(s) (SAN)  in the certificate but cannot use the original one becuase it doesn't have the private key.  So it needs to issue a new cert with thge oringinal cert's CN/SAN and for that it needs to have a CA or SubCA Certificate.

      WFF-Master
      WFF-Master
      New Member
      August 5, 2024

      As sw2090, already said:
      within the Deep Packet Inspection the original Certificate will be replaced by the Firewall. This is a "must".
      Because of that the Endpoint-Clients must trust the certification authority which is the Firewall. The Client must therefore be aware of the certificate of the issuing authority  (Here: the Firewall) as Part of "Trusted Root Certification Authorities". If you don't have a PKI or a CA-Server there is no other way than to install the Firewalls CA-Certificate manually to the needed Clients

      Terms & ConditionsAccessibility statement