Description
This article describes the steps to disable SSL/SSH inspection for a specific policy. It will also describe how to disable SSL/SSH inspection using a 'no-inspection' profile.
Scope
As a security appliance, FortiGate needs information about the traffic passing through a policy to correctly apply UTM profiles and filtering. The most important information exchanged with a web server is present in the SSL certificate. When the certificate is presented to the client, it must pass the firewall, and this is where SSL inspection comes in.
If FortiGate is to be used properly, filters the content, at least a certificate inspection is needed. This will check the certificate SNI (name of the website) and make a decision based on that.
By default, the SSL inspection profile 'certificate-inspection' is applied to all policies with UTM (security profiles). This means that no deep inspection is performed for SSL traffic.
Web filtering is performed on the information received in the server certificate.
Deep inspection is always recommended, and absolutely necessary if the filtering needs to be more precise.
Multiple sites have a wildcard certificate issued for the whole domain (*.fortinet.com), and a lot of subdomains use this name (fortiguard.fortinet.com, security.fortinet.com, chat.fortinet.com, etc). For all these subdomains, the certificate is the same, and the same action is taken by the Web filter. If the need is to block 'chat.fortinet.com' but at the same time allow 'fortiguard.fortinet.com', this can only be done with a deep-inspection profile.
Disabling the inspection is obviously not recommended. One may disable the UTM features altogether instead.
As an alternative, some websites can be specifically exempt from SSL inspection directly in the SSL-SSL profile.
Solution
FortiOS v6.2 to v7.6:
The profile named 'no-inspection' that is mentioned below, exists by default and can be used in policies
Alternatively to this profile, consider using the firewall policies the option 'set utm-status disable' in CLI, or disable all security profiles under the firewall policy in the GUI. Once disabled, no-inspection will appear under the options in SSL Inspection.
This will cause the policy to behave like a simple allow/deny policy or access list. No other security can be applied.
Also, consider the exempt list for the particular websites that do not work well with inspection enabled (some domains already included):
FortiOS v5.4 to v6.0:
- Manually create a 'no-inspection' SSL/SSH profile:
- Go to Security Profiles -> SSL/SSH inspection and select the '+' icon to create a new SSL/SSH inspection profile.
- Disable all the port details.
- Apply the above-created profile to the required policy where it is required to disable SSL/SSH inspection.
For the previous FortiOS 5.2 version (no longer supported):
- Create a separate policy for HTTPS without any security profiles applied (possible in this version).
- Use a customized SSL inspection profile, where port 443 is changed to an unused port. Traffic over that port will be inspected, so it may impact that traffic.
Related article:
Technical Tip: How to change SSL Inspection from certificate-inspection to no-inspection
