Description
This article explains the process of enabling SSL inspection or deep inspection through the CLI and how to implement it within a policy.
Scope
FortiGate.
Solution
To add a custom SSL deep inspection profile 'new-deep-inspection', on the CLI console on the FortiGate, run the commands below.
config firewall ssl-ssh-profile
edit new-deep-inspection
config ssl
set inspect-all deep-inspection
next
end
end
Note: This will enable the inspection for all ports. SSL Deep Inspection applies to all encrypted traffic (HTTPS, SMTPS, IMAPS, POP3S, FTPS, etc.) regardless of port, as long as the policy uses that profile.
The following commands can be run to view the configuration of the 'new-deep-inspection' profile.
config firewall ssl-ssh-profile
edit new-deep-inspection
show full-configuration
Apply SSL inspection profile on Policy by run the commands below:
config firewall policy
edit [policy_id]
set ssl-ssh-profile new-deep-inspection
next
end
end
Note:
To avoid the 'certificate error' when enabling the "Deep inspection", note that:
-
Either import a trusted CA certificate into FortiGate.
-
Or generate a CA on FortiGate or download the FortiGate's certificate and install it on all client devices as trusted.
This is described in:
Technical Tip: Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryp....
If that does not work, the certifiacte 'fortinet_CA' has to be imported under Certificates -> CA certificates. Clear the browser cache and cookies, and then restart the browser.
If that does not work, the certifiacte 'fortinet_CA' has to be imported under Certificates -> CA certificates. Clear the browser cache and cookies, and then restart the browser.
Additional note:
Previously, on older FortiOS versions (7.0), default SSL/SSH inspection profiles (like certificate-inspection or deep-inspection) were able to be modified directly. However, in more recent FortiOS releases, default security profiles are locked in read-only mode for consistency and security.
To customize these settings, the profile must be cloned from a default profile. This process will allow personalized security configurations without risking the integrity of the built-in, pre-defined profiles.
For example, choose the deep-inspection profile as shown below, and then hit the Clone button at the top:
See how to clone a deep-inspection profile via CLI:
config firewall ssl-ssh-profile
clone <existing_profile_name> to <new_profile_name>
end
The profile will be created as shown below:
In the firewall policy, the profile option will show in the SSL deep Inspection drop-down menu as shown below:
The SSL deep Inspection profile will be visible on the Policy list as below:
On the CLI:
config firewall policy
edit 1
set ssl-ssh-profile "Clone of custom-deep-inspection"
next
end
Also note that the security profile can be renamed, it does not need to keep the name 'Clone'.
Key notes:
-
Without CA installation: Clients/Host will see certificate errors for all inspected traffic.
-
Exemptions: For banking or government sites, add exceptions under SSL/SSH Profile -> Exemptions might be required.
-
Performance Impact: Deep inspection can be CPU-intensive on high traffic networks.
Related articles:
Troubleshooting Tip: 'Certificate is not a CA file' when importing a CA certificate in FortiGate
Technical Tip: Configuring Inbound SSL Deep Inspection
Technical Tip: How to check which application requires deep SSL inspection under Application Control
Technical Tip: Differences between SSL Certificate Inspection and Full SSL Inspection
Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection
Technical Tip: How to configure wildcard-FQDN custom and group
Technical Tip: Exempting certain categories from SSL inspection
