FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes a situation that can be encountered when using a protection profile on encrypted email traffic.
In 4.0, on devices that support SSL Deep inspection, there are options for POP3S, IMAPS and SMTPS protocols. These protocols are similar to HTTPS, in that communications are initiated with an SSL Certificate.
With a protection profile in place the certificate can look like if it was signed by Fortinet. This is expected behavior if the unit is supposed to inspect the traffic.
The only way this can be done is to man-in-the-middle the traffic.
This is also the default behavior of a protection profile. Sometimes this behavior needs to be disabled.
Scope FortiOS v4.0 and above, on devices that support SSL Deep Inspection. Expectations, Requirements
The following CLI settings can be used to disable the proxies
config firewall profile edit "(profile name)" set imaps fragmail no-content-summary set smpts fragmail no-content-summary set pop3s fragmail no-content-summary end
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.