Description
This article describes the steps to disable SSL/SSH inspection for a specific policy. It will also describe how to disable SSL/SSH inspection using a 'no-inspection' profile.
Scope
As a security appliance, FortiGate needs information about the traffic passing through a policy to correctly apply UTM profiles and filtering. The most important information exchanged with a web server is present in the SSL certificate. When the certificate is presented to the client, it must pass the firewall, and this is where SSL inspection comes in.
If FortiGate is expected to filter the content properly, at least certificate inspection is needed. This checks the certificate SNI (the name of the website) and makes a decision based on that.
By default, the SSL inspection profile 'certificate-inspection' is applied to all policies with UTM (security profiles). This means that no deep inspection is performed for SSL traffic.
Web filtering is performed on the information received in the server certificate.
Deep inspection is always recommended, and absolutely necessary if the filtering needs to be more precise.
Multiple sites have a wildcard certificate issued for the whole domain (*.fortinet.com), and a lot of subdomains use this name (fortiguard.fortinet.com, security.fortinet.com, chat.fortinet.com, etc.). For all these subdomains, the certificate is the same, and the same action is taken by the Web filter. If the need is to block 'chat.fortinet.com' but at the same time allow 'fortiguard.fortinet.com', this can only be done with a deep-inspection profile.
Disabling the inspection is obviously not recommended. One may disable the UTM features altogether instead.
As an alternative, specific websites can be exempted from SSL inspection directly in the SSL/SSH profile.
Solution
FortiOS 6.2 to 7.6:
The profile named 'no-inspection' that is mentioned below exists by default and can be used in policies.
Alternatively to this profile, consider using the option 'set utm-status disable' on the firewall policy in the CLI, or disable all security profiles under the firewall policy in the GUI. Once disabled, 'no-inspection' will appear under the options in SSL Inspection.
This will cause the policy to behave like a simple allow/deny policy, or access list. No other security can be applied.
Also, consider the exempt list for the particular websites that do not work correctly with inspection enabled (some domains are already included):
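The two CLI approaches for FortiOS 6.2 to 7.6 described above, plus the exempt-list alternative, as an added configuration example (not taken from the original article). Interface names, policy IDs, the address object and the exempt entry are constructed placeholders; the profiles 'no-inspection', 'certificate-inspection' and the 'default' web filter profile are assumed to exist with their factory defaults.

```text
# Approach 1: keep the other security profiles, but apply the built-in
# 'no-inspection' SSL/SSH profile so no certificate or deep inspection is done.
config firewall policy
    edit 10                                  # constructed policy ID
        set name "Web-no-SSL-inspection"     # constructed name
        set srcintf "internal"               # placeholder interface
        set dstintf "wan1"                   # placeholder interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable                # other UTM profiles still apply
        set ssl-ssh-profile "no-inspection"  # built-in profile, no SSL inspection
        set webfilter-profile "default"      # web filter now sees no SNI/certificate
        set nat enable
    next
end

# Approach 2: disable UTM altogether. The policy becomes a plain allow/deny
# rule (access list); no security profile can be applied to it.
config firewall policy
    edit 11                                  # constructed policy ID
        set name "Web-no-UTM"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status disable               # no inspection and no UTM profiles
        set nat enable
    next
end

# Alternative: keep inspection for everything else and exempt only the
# destination that breaks under inspection. The address object is a
# constructed placeholder (an FQDN address created beforehand); this entry
# is added to, not a replacement for, the profile's default exempt list.
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config ssl-exempt
            edit 100                         # constructed entry ID
                set type address
                set address "legacy-app.example.com"
            next
        end
    next
end
```

Prefer the exempt-list form where a single destination is the problem, since the policy keeps inspecting all other traffic.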
FortiOS 5.4 to 6.0:
- Manually create a 'no-inspection' SSL/SSH profile:
- Go to Security Profiles -> SSL/SSH Inspection and select the '+' icon to create a new SSL/SSH inspection profile.
- Disable all the port details.
- Apply the newly created profile to the policy where SSL/SSH inspection needs to be disabled.
For the older FortiOS 5.2 version (no longer supported):
- Create a separate policy for HTTPS without any security profiles applied (possible in this version).
- Use a customized SSL inspection profile, where port 443 is changed to an unused port. Traffic over that unused port will still be inspected, so it may impact that traffic.