adash_FTNT
Staff
Description
This article explains how to enable SSL inspection from the CLI and apply it to a firewall policy.

Scope
FortiGate-40C, FortiGate-20C, FortiGate-30D, FortiGate-80C, FortiGate-90D.

Solution
1.) Check and edit the SSL inspection profile “default” to enable inspection on all ports.

Log in to the FortiGate command line and run the following commands.

   config firewall deep-inspection-options
       edit default
           config ssl
               set inspect-all enable
           end
   end

2.) Add a custom SSL inspection profile.

   config firewall deep-inspection-options
       edit test
           config ssl
               set inspect-all enable
           end
   end

The following commands can be run to view the configuration of the “test” profile.

   config firewall deep-inspection-options
       edit test
           show full-configuration

3.) Apply the SSL inspection profile to a policy.

Run the following commands, replacing [policy_id] with the ID of the policy and [SSL_inspection_profile_name] with the profile name (for example “default” or “test”).

   config firewall policy
       edit [policy_id]
           set deep-inspection-options [SSL_inspection_profile_name]
   end

4.) Enable the “SSL inspection” column on the policy page.

Under Policy, select “SSL inspection” in the column settings so that the policy list shows which SSL inspection profile is applied to each policy.

[Screenshot: policy page with the “SSL inspection” column enabled]
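The policy list in step 4 shows which profile each policy carries. The same check can be made from a CLI configuration dump. The following Python script is an added example, not code from the KB article or from Fortinet: it parses the `config firewall policy` section of `show full-configuration` output and lists the accept policies that have no SSL inspection profile, which is the gap an administrator wants to find after completing step 3. It assumes the `deep-inspection-options` keyword used in this article and also accepts `ssl-ssh-profile`, the keyword newer FortiOS releases use for the same policy setting. The configuration text embedded in the script is constructed for illustration.

```python
"""Audit a FortiOS 'show full-configuration' dump for firewall policies
that have no SSL inspection profile attached.

Added example, not part of the Fortinet KB article. Assumes the CLI syntax
shown in the article (config firewall policy / edit <id> /
set deep-inspection-options <profile>); 'ssl-ssh-profile' is accepted as
well because newer FortiOS releases use that keyword. SAMPLE_CONFIG is
constructed for illustration, not a real device dump.
"""

# Constructed sample dump: policy 1 has the "test" profile from step 2,
# policy 2 is an accept policy with no profile, policy 3 is a deny policy.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set deep-inspection-options "test"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
    next
end
"""

# Policy keywords that attach an SSL inspection profile (article syntax first).
INSPECTION_KEYS = ("deep-inspection-options", "ssl-ssh-profile")


def _unquote(value):
    """Strip the quotes FortiOS puts around a single quoted value."""
    if value.startswith('"') and value.endswith('"') and value.count('"') == 2:
        return value[1:-1]
    return value


def parse_policies(config_text):
    """Return {policy_id: {setting: value}} for the 'config firewall policy' table.

    Nested 'config ... end' sub-tables inside a policy entry are skipped so
    that their 'end' does not terminate the outer table early.
    """
    policies = {}
    in_table = False
    depth = 0        # nesting level of sub-tables inside the current entry
    current = None   # policy ID being parsed
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config firewall policy"
            continue
        if depth > 0:
            # inside a nested sub-table: only track its open/close
            if line.startswith("config "):
                depth += 1
            elif line == "end":
                depth -= 1
            continue
        if line.startswith("config "):
            depth = 1
        elif line.startswith("edit "):
            current = _unquote(line.split(None, 1)[1])
            policies[current] = {}
        elif line == "next":
            current = None
        elif line == "end":
            break  # end of the firewall policy table
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            policies[current][parts[1]] = _unquote(parts[2]) if len(parts) > 2 else ""
    return policies


def inspection_profile(settings):
    """Name of the SSL inspection profile on a policy, or None if there is none."""
    for key in INSPECTION_KEYS:
        if settings.get(key):
            return settings[key]
    return None


def policies_without_inspection(policies):
    """IDs of accept policies that carry no SSL inspection profile."""
    return [pid for pid, s in policies.items()
            if s.get("action") == "accept" and inspection_profile(s) is None]


if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_CONFIG)
    for pid, settings in parsed.items():
        print(f"policy {pid}: action={settings.get('action')} "
              f"ssl_inspection={inspection_profile(settings) or '-'}")
    print("accept policies without SSL inspection:",
          policies_without_inspection(parsed))
```

To run it against a real unit, capture `show full-configuration` from `config firewall policy` over SSH into a file and pass that text to `parse_policies` instead of `SAMPLE_CONFIG`. Deny policies are excluded on purpose: they never forward traffic, so there is nothing to decrypt.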

Note: After enabling SSL inspection, the FortiGate's CA certificate must be imported into the browsers so that users do not get a “certificate error”; this is described in the related KB article.

If this does not work, import the "fortinet_CA" certificate that is available under Certificates > CA Certificates, clear the browser cache and cookies, and restart the browser.

Related Articles

Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decr...
