FortiGate
adash_FTNT
Staff
Article Id 193892

Description

This article explains the process of enabling SSL inspection or deep inspection through the CLI and how to implement it within a policy.

Scope

FortiGate.


Solution

 

To add a custom SSL deep inspection profile 'new-deep-inspection', run the commands below on the FortiGate CLI console:

config firewall ssl-ssh-profile
    edit new-deep-inspection
        config ssl
            set inspect-all deep-inspection
        end
    next
end

Note: This enables inspection on all ports. SSL deep inspection applies to all encrypted traffic (HTTPS, SMTPS, IMAPS, POP3S, FTPS, etc.) regardless of port, as long as the policy uses this profile.
 
 

The following commands can be run to view the configuration of the 'new-deep-inspection' profile.

 
config firewall ssl-ssh-profile
    edit new-deep-inspection
        show full-configuration
    next
end

Apply the SSL inspection profile to a firewall policy by running the commands below, replacing [policy_id] with the ID of the policy:

config firewall policy
    edit [policy_id]
        set ssl-ssh-profile new-deep-inspection
    next
end
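As an added example that is not part of this article, the following Python script audits a FortiGate configuration export (for example, the output of 'show full-configuration') and reports which firewall policies actually apply deep inspection, certificate inspection, or no SSL inspection at all. The configuration text is constructed for illustration, and the regular expressions assume the four-space indentation FortiOS uses in that output.

```python
import re

# Constructed 'show full-configuration' excerpt for illustration, not from a real device.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config ssl
            set inspect-all certificate-inspection
        end
    next
    edit "new-deep-inspection"
        config ssl
            set inspect-all deep-inspection
        end
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "new-deep-inspection"
    next
    edit 2
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
    next
end
"""

def _entries(config, table, key_re):
    """Yield (key, body) for each 'edit <key>' ... 'next' entry of one top-level table."""
    m = re.search(rf"^config {table}\n(.*?)^end$", config, re.S | re.M)
    yield from re.findall(rf"^    edit {key_re}\n(.*?)^    next$",
                          m.group(1) if m else "", re.S | re.M)

def profile_modes(config):
    """Map each ssl-ssh-profile name to its 'set inspect-all' value ('none' if unset)."""
    modes = {}
    for name, entry in _entries(config, "firewall ssl-ssh-profile", r'"([^"]+)"'):
        m = re.search(r"^\s*set inspect-all (\S+)", entry, re.M)
        modes[name] = m.group(1) if m else "none"
    return modes

def policy_inspection(config):
    """Map each policy ID to the inspection mode it applies; no profile means 'none'."""
    modes = profile_modes(config)
    result = {}
    for pid, entry in _entries(config, "firewall policy", r"(\d+)"):
        m = re.search(r'^\s*set ssl-ssh-profile "([^"]+)"', entry, re.M)
        result[int(pid)] = modes.get(m.group(1), "unknown") if m else "none"
    return result
```

Calling policy_inspection(SAMPLE_CONFIG) returns {1: 'deep-inspection', 2: 'certificate-inspection', 3: 'none'}, so policy 3 is the one that still passes TLS traffic through uninspected.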
 
Note:

To avoid certificate errors on clients when enabling deep inspection, do one of the following:

 

  • Either import a trusted CA certificate into FortiGate.

  • Or generate a CA on FortiGate or download the FortiGate's certificate and install it on all client devices as trusted.

This is described in:
Technical Tip: Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryp....

If that does not work, the certificate 'fortinet_CA' has to be imported under Certificates -> CA certificates. Clear the browser cache and cookies, and then restart the browser.
 
 
Additional note:

On older FortiOS versions (7.0), the default SSL/SSH inspection profiles (such as certificate-inspection or deep-inspection) could be modified directly. In more recent FortiOS releases, the default security profiles are read-only, for consistency and security.

To customize these settings, clone a default profile and edit the clone. This allows personalized security configurations without risking the integrity of the built-in, pre-defined profiles.

 

For example, choose the deep-inspection profile as shown below, and then hit the Clone button at the top:

 

Deep-inspection clone.PNG

 

See how to clone a deep-inspection profile via CLI:

config firewall ssl-ssh-profile
    clone <existing_profile_name> to <new_profile_name>
end

 

The profile will be created as shown below:

 

Clone created.PNG

 

In the firewall policy, the profile will appear in the SSL deep inspection drop-down menu as shown below:

 

Policy.PNG

 

The SSL deep inspection profile will be visible in the policy list as shown below:

 

Policy2.PNG

 

On the CLI:

 

config firewall policy
    edit 1
        set ssl-ssh-profile "Clone of custom-deep-inspection"
    next
end

 

Also note that the security profile can be renamed; it does not need to keep the name 'Clone'.

 

Key notes:

  • Without CA installation: clients/hosts will see certificate errors for all inspected traffic.

  • Exemptions: for banking or government sites, adding exemptions under SSL/SSH Profile -> Exemptions might be required.

  • Performance impact: deep inspection can be CPU-intensive on high-traffic networks.

 

Related articles:

Troubleshooting Tip: 'Certificate is not a CA file' when importing a CA certificate in FortiGate

Technical Tip: Configuring Inbound SSL Deep Inspection

Technical Tip: How to check which application requires deep SSL inspection under Application Control

Technical Tip: Differences between SSL Certificate Inspection and Full SSL Inspection

Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection

Technical Tip: How to configure wildcard-FQDN custom and group

Technical Tip: Exempting certain categories from SSL inspection