Created on 10-15-2014 03:33 AM. Edited on 09-29-2025 12:07 PM by Stephen_G.
Description
Solution
To add a custom SSL deep inspection profile named 'new-deep-inspection' from the FortiGate CLI console, run the commands below.
The following commands can be run to view the configuration of the 'new-deep-inspection' profile.
To avoid the 'certificate error' that clients see when deep inspection is enabled, do one of the following:
Either import a CA certificate that the clients already trust into the FortiGate, so that re-signed certificates chain to it.
Or generate a CA on the FortiGate (or download the FortiGate's existing CA certificate) and install it as a trusted CA on all client devices.
Previously, on older FortiOS versions (7.0), the default SSL/SSH inspection profiles (such as certificate-inspection or deep-inspection) could be modified directly. In more recent FortiOS releases, the default security profiles are read-only for consistency and security.
To customize these settings, clone a default profile and edit the clone. This allows personalized security configurations without risking the integrity of the built-in, pre-defined profiles.
For example, choose the deep-inspection profile as shown below, and then hit the Clone button at the top:
See how to clone a deep-inspection profile via CLI:
config firewall ssl-ssh-profile
clone <existing_profile_name> to <new_profile_name>
end
The profile will be created as shown below:
In the firewall policy, the cloned profile appears in the SSL deep inspection drop-down menu as shown below:
The SSL deep inspection profile is then visible in the policy list as below:
On the CLI:
config firewall policy
edit 1
set ssl-ssh-profile "Clone of custom-deep-inspection"
next
end
Also note that the security profile can be renamed; it does not need to keep the 'Clone of' prefix in its name.
Key notes:
Without CA installation: clients will see certificate errors for all inspected traffic, because the re-signed certificates do not chain to a CA they trust.
Exemptions: banking or government sites may need to be excluded from inspection; add them under SSL/SSH Profile -> Exemptions.
Performance impact: deep inspection can be CPU-intensive on high-traffic networks.
Related articles:
Troubleshooting Tip: 'Certificate is not a CA file' when importing a CA certificate in FortiGate
Technical Tip: Configuring Inbound SSL Deep Inspection
Technical Tip: How to check which application requires deep SSL inspection under Application Control
Technical Tip: Differences between SSL Certificate Inspection and Full SSL Inspection
Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection
Technical Tip: How to configure wildcard-FQDN custom and group
Technical Tip: Exempting certain categories from SSL inspection
Copyright 2025 Fortinet, Inc. All Rights Reserved.