Created on 07-14-2009 02:52 PM Edited on 06-02-2022 09:40 AM
Description
FortiOS versions 4.0 MR3 and 5.0.x include a deep scanning option, that includes support for scanning encrypted protocols when used with Anti Virus and Webfilter Profiles. To run this security information, server and client certificates must be obtained. This article describes the basic steps needed to enable this feature.
Scope
Solution
To determine if a FortiGate unit supports the deep scanning, run the below command and verify ASIC version:
FGT # get hardware status
[...]
ASIC version: CP6
[...]
To enable deep scanning, follow the below steps:
FortiOS firmware version 4.0 MR3:
Go to Policy > Protocol Options > HTTPS > Deep Scan > Enable and select apply to save the changes.
Go to Policy > SSL inspection > HTTPS port 443> Enable and select apply to save the changes.
Go to Policy > UTM Proxy Options >SSL inspection > HTTPS port 443> Enable and select apply to save the changes.
To avoid the warning message that pops up in the browser when using a custom certificate, a key and a password will need to be loaded onto the FortiGate, and a certificate will have to be loaded into the PCs web browser.
- Go to the System > Certificates > Local, and select Import.
- Set the Type to Certificate.
- Select the CRT and KEY files that were created and enter the passcode to upload the cert.
Related Articles
Troubleshooting Tip : Verifying server certificate on SSL Inspection
Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering
-
Anonymous