ag611
New Member
July 4, 2018
Question

Testing SSL Deep Inspection

  • July 4, 2018
  • 2 replies
  • 24836 views

I'm enabling SSL deep inspection for the first time, and would like to test it on a single workstation before deploying.

I have created a new SSL inspection profile called "prod-deep-inspection" and downloaded the certificate for it. Before I install the certificate I want to test and make sure this workstation shows errors in the browser.


I've created an IPV4 policy under "data (internal1) -> SD-WAN":

  • Incoming interface: data (internal1)
  • Outgoing interface: sd-wan
  • Source: [address object with static IP of workstation]
  • Destination: all
  • Schedule: always
  • Service: all
  • Action: accept
  • NAT: enabled
  • Proxy options: enabled/default
  • SSL Inspection: enabled/prod-deep-inspection

But when I browse on the workstation I don't get any certificate errors, and the browser shows the website certificate.

Is there something wrong with my policy that's causing it to not produce errors on this workstation?

When I look at traffic logs, I can see that my policy, #24, is applying.


      emnoc
      New Member
      July 4, 2018

I wrote this up as a sure 100% way to know SSL inspection

http://socpuppet.blogspot.com/2018/05/av-with-https-inspection-fortios.html

But I would start by looking at the firewall ssl-inspection profile "prod-deep-inspection" and a diag debug flow

Ken Felix

      ede_pfau
SuperUser
      July 5, 2018

Which settings do you have set in Security Profiles > SSL Inspection, prod-deep-inspection? Esp. do you scan all ports or just 443?

ag611 (Author)
      New Member
      July 5, 2018

  • Enable SSL Inspection of: Multiple clients connecting to multiple servers
  • Inspection method: Full
  • CA Certificate: Fortinet_CA_SSL (the default certificate, I didn't change anything here)
  • Untrusted SSL Certificates: Allow
  • RPC over HTTPS: Disabled
  • Inspecting: HTTPS, SMTPS, POP3S, IMAPS, FTPS
  • Exempt from SSL Inspection: reputable websites disabled
  • Allow invalid SSL certificates: disabled
  • Log SSL anomalies: enabled

      Tom_Spelda
      New Member
      March 19, 2019

I am experiencing the same thing with my FortiGate 1200D. Google has a knowledge base article: https://support.google.com/chrome/a/answer/3504943?hl=en&ref_topic=3504941 where inside are useful tests for Chromebooks and a note on how the Chromebooks require a PEM-based certificate.

      I opened a ticket with Fortinet support.