bcote
New Member
May 12, 2017
Solved

Disable SSL/SSH Inspection in FortiOS 5.6

Hi all,

Still in pre-production, but I was wondering how I can turn off the now (since 5.6) forced SSL/SSH inspection. I know it is becoming more and more necessary, but for now, in our environment, it is causing us much more headaches than benefits. Eventually we want to get there, but the time isn't now. I was told there is a way in the CLI to turn it off. I can't seem to find the right cookbook/document explaining how.

Anybody running 5.6 that might know where to look to get this turned off? All the info I can find dates back to 5.2, and the same commands don't apply to 5.6 anymore.

Any help will be greatly appreciated.

Ben


MikePruett
New Member
May 13, 2017

SSL cert inspection is hurting you? I'm running 5.6 and it isn't forcing deep inspection.

hmtay_FTNT
Staff
May 15, 2017

Hi Ben,

There was another thread with the same question:

https://forum.fortinet.com/tm.aspx?tree=true&m=148779&mpage=1

In short: the basic certificate-inspection is not doing a MITM. It only scans the SNI of the Client Hello and the SSL certificate. Thus, you will not run into any SSL errors or problems with decrypting the sessions. In the past, with the older FortiOS, when users could choose to disable it, disabling it would cause signatures to not work on HTTPS sessions.

Let's say we add a rule "www.facebook.com". Without enabling at least certificate-inspection, the rule will not work on https://www.facebook.com.

HoMing

bcote (Author)
New Member
May 25, 2017

Hey guys,

Thanks for confirming this. I am planning a deployment for next weekend, and it was one of the differences between my current installation and my new 1500D. I didn't want SSL Inspection to complicate the move to production. Ultimately, the goal will be to do deep inspection at some point, simply not now.

Thanks again,

Ben

gsarica
New Member
May 25, 2017

5.6.0 completely broke deep inspection for us; it was working seamlessly on 5.4.3. I currently have a ticket open.

bstevens (Answer)
New Member
January 12, 2018

Upgraded from 5.4.x to 5.6.3 recently. Seemingly the forced SSL Inspection has wreaked havoc on web browsing. Cert errors, and the web filter is now filtering out images that were not previously filtered. If there is a way to turn off the forced SSL/SSH inspection I'd love to know as well. At this point I'm not sure how to fix the issues short of turning off all Security profile options in the policies, which seems like a really bad fix.

cblanco
New Member
March 23, 2018

Currently experiencing the same issue. Everything was working fine.

sebastan_bach
New Member
April 29, 2018

Don't use 5.6 at all. It's a pathetic release with a poor QA job. If you are in NGFW mode in 5.6 then you are more affected, as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.

Regards

Sebastan