Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiTester
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiVoice
- FortiWAN
- FortiToken
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: How to enable Deep Content Inspecti...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Not applicable
Created on 07-14-2009 02:52 PM Edited on 06-02-2022 09:40 AM
Article Id
194320
Description
FortiOS versions 4.0 MR3 and 5.0.x include a deep scanning option, that includes support for scanning encrypted protocols when used with Anti Virus and Webfilter Profiles. To run this security information, server and client certificates must be obtained. This article describes the basic steps needed to enable this feature.
Scope
FortiOS firmware version 4.00 MR3
FortiOS firmware version 5.0.x
Solution
FortiGate models with ASIC version CP6 or higher have the option to do inspection of encrypted Web and email traffic (HTTPS,SMTPS,POPS,IMAPS). This will allow the FortiGate unit to perform virus and content inspection for those encrypted protocols.
To determine if a FortiGate unit supports the deep scanning, run the below command and verify ASIC version:
To determine if a FortiGate unit supports the deep scanning, run the below command and verify ASIC version:
FGT # get hardware status
[...]
ASIC version: CP6
[...]
To enable deep scanning, follow the below steps:
FortiOS firmware version 4.0 MR3:
Go to Policy > Protocol Options > HTTPS > Deep Scan > Enable and select apply to save the changes.
FortiOS firmware version 5.0.0:
Go to Policy > SSL inspection > HTTPS port 443> Enable and select apply to save the changes.
Go to Policy > SSL inspection > HTTPS port 443> Enable and select apply to save the changes.
FortiOS firmware version 5.0.1 and higher:
Go to Policy > UTM Proxy Options >SSL inspection > HTTPS port 443> Enable and select apply to save the changes.
Go to Policy > UTM Proxy Options >SSL inspection > HTTPS port 443> Enable and select apply to save the changes.
To avoid the warning message that pops up in the browser when using a custom certificate, a key and a password will need to be loaded onto the FortiGate, and a certificate will have to be loaded into the PCs web browser.
To create a signed certificate and a key, an OpenSSL software may be used: http://www.slproweb.com/products/Win32OpenSSL.html
Use the three commands listed on this website to create a certificate request, key file and sign it. http://webdesign.about.com/od/ssl/ht/new_selfsigned.htm
Once these three commands are completed:
- Go to the System > Certificates > Local, and select Import.
- Set the Type to Certificate.
- Select the CRT and KEY files that were created and enter the passcode to upload the cert.
To have the FortiGate USE this certificate go to the CLI and use the following syntax:
config firewall ssl setting
set caname (certificate filename)
end
Ensure to load the CRT file into the browser as trusted.
Related Articles
Troubleshooting Tip : Verifying server certificate on SSL Inspection
Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering
Labels:
Contributors
-
Anonymous
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.