FortiGate
adash_FTNT
Staff
Article Id 193892

Description

This article describes how to enable SSL inspection in the CLI and how to apply it to a firewall policy.


Scope

FortiGate.


Solution

1. Add a custom SSL inspection profile 'new-deep-inspection' and enable inspection for all ports. Log in to the FortiGate command line and run the following commands:

config firewall ssl-ssh-profile
    edit new-deep-inspection
        config ssl
            set inspect-all deep-inspection
        next
    end
end

The following commands can be run to view the configuration of the 'new-deep-inspection' profile:

config firewall ssl-ssh-profile
    edit new-deep-inspection
        show full-configuration
    next
end

2. Apply the SSL inspection profile to the firewall policy. Run the following commands, replacing [policy_id] with the ID of the policy:

config firewall policy
    edit [policy_id]
        set ssl-ssh-profile new-deep-inspection
    next
end
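As an added example that is not part of this article or of FortiOS itself: a small Python audit that parses a configuration export written in the CLI syntax shown above and lists every firewall policy that does not reference an ssl-ssh-profile with inspect-all set to deep-inspection. The embedded sample config is constructed, parse_config and audit_ssl_inspection are hypothetical names, and the parser only handles the config/edit/set/next/end forms used in this article.

```python
# Constructed sample in the CLI syntax the article shows; not a real device export.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "new-deep-inspection"
        config ssl
            set inspect-all deep-inspection
        end
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "new-deep-inspection"
    next
    edit 2
    next
end
"""

def parse_config(text):  # FortiOS 'config/edit/set/next/end' text -> {table: {entry: {key: value}}}
    tables, stack = {}, []  # stack frames: [block_name, current_entry, is_nested_block]
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        cmd, _, rest = line.partition(" ")
        if cmd == "config":  # a 'config' opened inside an entry (e.g. 'config ssl') is nested
            stack.append([rest, None, bool(stack) and stack[-1][1] is not None])
        elif cmd == "edit":
            stack[-1][1] = rest.strip('"')
            tables.setdefault(stack[-1][0], {}).setdefault(stack[-1][1], {})
        elif cmd == "set":  # store on the enclosing table row; nested block names prefix the key
            key, _, value = rest.partition(" ")
            owner = next(f for f in reversed(stack) if not f[2])
            tables[owner[0]][owner[1]][".".join([f[0] for f in stack if f[2]] + [key])] = value.strip('"')
        elif cmd == "next": stack[-1][1] = None
        elif cmd == "end": stack.pop()
    return tables

def audit_ssl_inspection(text):
    """(policy_id, finding) for each policy not using a profile that deep-inspects all ports."""
    tables = parse_config(text)
    profiles = tables.get("firewall ssl-ssh-profile", {})
    findings = []
    for pid, policy in tables.get("firewall policy", {}).items():
        prof = policy.get("ssl-ssh-profile")
        if prof is None:
            findings.append((pid, "no ssl-ssh-profile set"))
        elif prof not in profiles:
            findings.append((pid, f"unknown profile '{prof}'"))
        elif profiles[prof].get("ssl.inspect-all") != "deep-inspection":
            findings.append((pid, f"'{prof}' does not deep-inspect all ports"))
    return findings
```

Run it against the output of a full configuration backup to confirm that every policy meant to decrypt traffic actually references the new profile, and that no policy still points at a profile that was later renamed or removed.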
 
Note:
After enabling SSL deep inspection, it is necessary to import the FortiGate certificate into the browsers to avoid getting a 'certificate error'. This is described in Technical Tip: Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryp....

If this does not work, import the 'fortinet_CA' certificate, which is available under Certificates -> CA certificates, clear the browser cache and cookies, and then restart the browser.

Additional note:

On some FortiGate models it may previously have been possible to edit the default security profiles; this is no longer possible.

Since the default profiles cannot be edited as expected, create a clone of one of these profiles and use the clone instead.

For example, select the deep-inspection profile and then select Clone at the top of the page:

[Image: Deep-inspection clone.PNG]


To clone in the CLI:

config firewall ssl-ssh-profile
    clone <existing_profile_name> to <new_profile_name>
end


The following profile will be created:

[Image: Clone created.PNG]


On the firewall policy, the cloned profile will be visible under SSL Inspection and can be selected:

[Image: Policy.PNG]


The view of the firewall policy will be:

[Image: Policy2.PNG]


On the CLI:

config firewall policy
    edit 1
        set ssl-ssh-profile "Clone of custom-deep-inspection"
    next
end


The security profile can be renamed; it does not need to keep the name 'Clone...'.

Related article:

Technical Tip: Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryp...