FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193720


This article describes a situation that can be encountered when using a protection profile on encrypted email traffic.

In 4.0, on devices that support SSL Deep inspection, there are options for POP3S, IMAPS and SMTPS protocols.  These protocols are similar to HTTPS, in that communications are initiated with an SSL Certificate.

With a protection profile in place the certificate can look like if it was signed by Fortinet.  This is expected behavior if the unit is supposed to inspect the traffic. 

The only way this can be done is to man-in-the-middle the traffic.

This is also the default behavior of a protection profile.  Sometimes this behavior needs to be disabled.

FortiOS v4.0 and above, on devices that support SSL Deep Inspection.
Expectations, Requirements

The following CLI settings can be used to disable the proxies
config firewall profile
edit "(profile name)"
set imaps fragmail no-content-summary
set smpts fragmail no-content-summary
set pop3s fragmail no-content-summary