Description
Scope
Solution
This article explains how to enable SSL Inspection from CLI and apply it on a policy.
Scope
FortiGate-40C, FortiGate-20C, FortiGate-30D, FortiGate-80C, FortiGate-90D.
Solution
1.) Check and edit the SSL inspection profile “default” and to enable inspection for all ports.
Log in to the FortiGate using command line and Run the following commands.
config firewall deep-inspection-options
edit default
config ssl
set inspect-all enable
end
end
2.) Add a custom SSL inspection profile.
config firewall deep-inspection-options
edit test
config ssl
set inspect-all enable
end
end
The following commands can be run to view the configuration of “test” profile.
config firewall deep-inspection-options
edit test
show full-configuration
3.) Apply SSL inspection profile on Policy.
Run the following commands
config firewall policy
edit [policy_id]
set deep-inspection-options [SSL Inspection_profile_name]
end
end
4.) Enable “SSL inspection” column under the policy page.
Under policy, “SSL inspection” needs to be selected in the column settings to be able to see which policy is applied with what “SSL inspection”.
Note: After enabling SSL inspection you need to import the certificates on the browsers to avoid getting “certificate error”, this is described in the related KB article.
If this does not work, import the "fortinet_CA" certificate that is available under certificates>CA certificates, clear the browser cache and cookies, restart the browser.
Log in to the FortiGate using command line and Run the following commands.
config firewall deep-inspection-options
edit default
config ssl
set inspect-all enable
end
end
2.) Add a custom SSL inspection profile.
config firewall deep-inspection-options
edit test
config ssl
set inspect-all enable
end
end
The following commands can be run to view the configuration of “test” profile.
config firewall deep-inspection-options
edit test
show full-configuration
3.) Apply SSL inspection profile on Policy.
Run the following commands
config firewall policy
edit [policy_id]
set deep-inspection-options [SSL Inspection_profile_name]
end
end
4.) Enable “SSL inspection” column under the policy page.
Under policy, “SSL inspection” needs to be selected in the column settings to be able to see which policy is applied with what “SSL inspection”.
Note: After enabling SSL inspection you need to import the certificates on the browsers to avoid getting “certificate error”, this is described in the related KB article.
If this does not work, import the "fortinet_CA" certificate that is available under certificates>CA certificates, clear the browser cache and cookies, restart the browser.
Related Articles
Labels: