FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 190691


This article describes the steps to disable SSL/SSH inspection for a specific policy. It will also describe how to disable SSL/SSH inspection using a 'no-inspection' profile.



As a security appliance, FortiGate needs information about the traffic passing through a policy in order to correctly apply UTM profiles and filtering. The most important information exchanged with a web server is present in the SSL certificate. When the certificate is presented to the client, it must pass the firewall, and this is where SSL inspection comes in. If it is wanted that FortiGate properly filters the content, at least a certificate inspection is needed. This will check the certificate SNI (name of the website) and make a decision based on that.
By default, the SSL inspection profile 'certificate-inspection' is applied to all policies with UTM (security profiles). This means that no deep inspection is performed for SSL traffic. 
Web filtering is performed on the information received in the server certificate.
Deep inspection is always recommended, and absolutely necessary if the filtering needs to be more precise.
Multiple sites have a wildcard certificate issued for the whole domain (*, and a lot of subdomains use this name (,,, etc). For all these subdomains, the certificate is the same, and the same action is taken by the Web filter. If the need is to block '' but at the same time allow '', this can be only done with a deep-inspection profile. 
Disabling the inspection is obviously not recommended. One may disable the UTM features altogether instead. 
As an alternative, some websites can be specifically exempt from SSL inspection directly in the SSL-SSL profile.



FortiOS 6.2 to 7.2:

- The profile named 'no-inspection' that is mentioned below, exists by default and can be used in policies

Alternatively to this profile, consider using in the firewall policies the option 'set utm-status disable'.


This will cause the policy to behave like a simple allow/deny policy, or access list. No other security can be applied. 

Also, consider the exempt list for the particular websites that do not work ok with inspection enabled (some domains already included):



FortiOS 5.4 to 6.0:
- Manually create a 'no-inspection' SSL/SSH profile:

- Go to Security Profiles -> SSL/SSH inspection and select on the '+' icon to create a new SSL/SSH inspection profile.

- Disable all the port details.




- Apply the above-created profile on the required policy where it is required to disable SSL/SSH inspection.


For previous FortiOS 5.2 version (no longer supported):

- Create a separate policy for HTTPS without any security profiles applied (possible in this version).

- Use a customized SSL inspection profile, where port 443 is changed to an unused port. Traffic over that port will be inspected, so it may impact that traffic.