FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 194320

Description

 

This article describes the basic steps needed to enable this feature.

FortiOS versions 4.0 MR3, 5.0.x, and higher include a deep scanning option that supports scanning encrypted protocols when used with Antivirus and Web Filter profiles. To use this feature, server and client certificates must be obtained.


Scope

 

FortiOS firmware version 4.00 MR3.
FortiOS firmware version 5.0.x.

FortiOS firmware versions up to the latest branch 7.6.


Solution

 

FortiGate models with ASIC version CP6 or higher can inspect encrypted web and email traffic (HTTPS, SMTPS, POP3S, IMAPS). This allows the FortiGate unit to perform virus and content inspection on those encrypted protocols.

To determine whether a FortiGate unit supports deep scanning, run the following command and check the ASIC version:

FGT # get hardware status
[...]
ASIC version: CP6
[...]

 
To enable deep scanning, follow the steps below:

FortiOS firmware version 4.0 MR3:
Go to Policy -> Protocol Options -> HTTPS -> Deep Scan -> Enable and select Apply to save the changes.

 
FortiOS firmware version 5.0.0:
Go to Policy -> SSL inspection -> HTTPS port 443 -> Enable and select Apply to save the changes.
 
FortiOS firmware version 5.0.1 and higher:
Go to Policy -> UTM Proxy Options -> SSL inspection -> HTTPS port 443 -> Enable and select Apply to save the changes.

To avoid the warning message that pops up in the browser, a custom certificate, its key, and its password need to be loaded onto the FortiGate, and the certificate also has to be loaded into the PC's web browser as trusted.

To create a signed certificate and a key, OpenSSL software may be used: http://www.slproweb.com/products/Win32OpenSSL.html.
 
In FortiOS firmware versions up to the latest branch 7.6, the deep-inspection profiles can be found under:
Security Profiles -> SSL/SSH Inspection.
 
There are two different options in this list: the default deep-inspection profile, which cannot be edited but can be used in firewall policies, and the custom-deep-inspection profile, which can be edited according to the requirements and then used in policies.
 
See the screenshot below:
 
[Screenshot: SSL-SSH.PNG]
 
Applied to a policy, it looks as follows:
 
[Screenshot: Applied in policy.PNG]

 

To avoid certificate errors on the end user's machine, the following certificate should be downloaded and installed on the end user's machine or in the web browser:
 
[Screenshot: Certificate download.PNG]

 

Use the three commands listed on the following page to create a key file and a certificate request, and to sign it: http://webdesign.about.com/od/ssl/ht/new_selfsigned.htm
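As an added example (not from this article or the linked page), the three OpenSSL steps above, generating the key, creating the request and self-signing it, as a POSIX shell script, followed by a check that the resulting certificate is actually a CA and matches the key before it is imported. File names, subject, validity and the passcode are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet's own code. Builds the KEY and CRT files that
# are imported under System -> Certificates -> Local and named in
# "set caname". Usage: make_ca <dir> <passcode>; check_ca <dir> <passcode>
set -eu

make_ca() {
    dir=$1
    pass=$2          # the passcode entered at import time (constructed value)
    mkdir -p "$dir"
    # 1. RSA key, encrypted with the passcode
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/fgt-ca.key" 2048 2>/dev/null
    # 2. Certificate signing request (subject is an assumption)
    openssl req -new -key "$dir/fgt-ca.key" -passin "pass:$pass" \
        -subj "/C=US/O=Example Corp/CN=Example FortiGate SSL Inspection CA" \
        -out "$dir/fgt-ca.csr"
    # 3. Self-sign it. CA:TRUE and keyCertSign are what allow the FortiGate
    #    to re-sign server certificates; a plain server cert would not work.
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/fgt-ca.csr" -signkey "$dir/fgt-ca.key" \
        -passin "pass:$pass" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/fgt-ca.crt"
}

# Returns 0 only if the CRT carries CA:TRUE and its public key matches the KEY,
# the two things that most often go wrong before the import step.
check_ca() {
    dir=$1
    pass=$2
    openssl x509 -in "$dir/fgt-ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    certpub=$(openssl x509 -in "$dir/fgt-ca.crt" -noout -pubkey)
    keypub=$(openssl rsa -in "$dir/fgt-ca.key" -passin "pass:$pass" -pubout 2>/dev/null)
    [ "$certpub" = "$keypub" ]
}
```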
 
Once these three commands are completed:
  1. Go to System -> Certificates -> Local, and select Import.
  2. Set the Type to Certificate.
  3. Select the CRT and KEY files that were created and enter the passcode to upload the cert.
 
To have the FortiGate use this certificate, go to the CLI and enter the following:
 
config firewall ssl setting
    set caname (certificate filename)
end
 
Ensure the CRT file is also loaded into the browser as a trusted certificate.

 

Related articles:

Technical Tip : SSL Inspection fails when FortiGate verifies the server certificate by its CA certif...

Troubleshooting Tip : Verifying server certificate on SSL Inspection

Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering