FortiGate
carabhavi, Staff
Article Id 196840

Description

This article describes how to enable a deep inspection (full SSL inspection) profile in a firewall policy and how to import the inspection CA certificate into the endpoint's trusted root store so that browsers do not show certificate warnings.

Scope

FortiGate.

Solution

When several security profiles are added to a policy and full SSL inspection (the 'deep-inspection' profile) is selected, the policy editor warns that end users may see a certificate warning. To get rid of the warning, the CA certificate configured in the SSL & SSH inspection profile must be installed in the trusted root certificate store of every endpoint whose traffic is inspected.

Full SSL inspection works by re-signing each server certificate with a CA whose private key the FortiGate holds. Because that CA is a private one (the built-in Fortinet_CA_SSL or a CA generated by your own PKI) rather than a publicly trusted CA, the browser does not trust the re-signed certificate until the CA is added to the workstation's trusted root store.

Here is an example of the error that can appear in the browser when an untrusted certificate is being used for full SSL inspection:

[Image: addcert1.jpg, browser certificate warning]

To import the built-in certificate (Fortinet_CA_SSL) into the browser:

On the FortiGate:
  1. Go to Security Profiles -> SSL/SSH Inspection and select 'deep-inspection'.
  2. The default CA Certificate is Fortinet_CA_SSL.
  3. Select 'Download' and copy the downloaded file to the user's computer.

[Image: deep.PNG]

On the user's computer (Windows):
  1. Double-click the downloaded certificate file, or right-click it and select 'Open'.
  2. Select 'Install Certificate' to launch the Certificate Import Wizard. Choose 'Local Machine' to trust the CA for every user on the machine (this requires administrator rights) or 'Current User' for the current user only, then select 'Place all certificates in the following store', browse to 'Trusted Root Certification Authorities' and finish the wizard.

[Image: install.png]
[Image: local-mach.png]
[Image: cert store.png]

If a security warning appears, select 'Yes' to install the certificate.

Note:
Install the certificate into the Trusted Root Certification Authorities store only; placed in the Personal or Intermediate store it will not be trusted as a root. Chrome and Edge use the Windows certificate store, but Firefox keeps its own store and ignores the Windows one unless 'security.enterprise_roots.enabled' is set to true in about:config (or by policy), so Firefox users either need that setting or must import the certificate under Settings -> Privacy & Security -> Certificates. Treat this CA like any other root: whoever holds its private key can impersonate any HTTPS site for every endpoint that trusts it, so only install a CA that belongs to a FortiGate you operate.
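The endpoint side of the procedure above, scripted for Windows as an added example; this is not a script from the original article or from Fortinet. It assumes the file downloaded from the FortiGate was saved as Fortinet_CA_SSL.cer in the current directory, that the PowerShell session is elevated, and that example.com is reached through the inspected policy; all three are assumptions, not facts from the article. The script inspects the certificate before trusting it, imports it into the machine-wide Trusted Root store, verifies the import by thumbprint, and then opens a TLS connection to check that the certificate the client receives is really issued by the FortiGate CA.

```powershell
# Added example, not from the original article: import the FortiGate deep-inspection CA
# into the Windows machine-wide Trusted Root store and verify the result.
# Assumptions (not from the article): the downloaded file is .\Fortinet_CA_SSL.cer, the
# session is elevated (LocalMachine\Root needs admin rights), and example.com is a site
# whose traffic passes through the policy that uses the deep-inspection profile.

$CertPath = (Resolve-Path ".\Fortinet_CA_SSL.cer").Path

# Inspect before trusting. A root CA can sign a certificate for any site, so compare the
# subject and thumbprint with what the FortiGate shows under System -> Certificates.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject    : $($ca.Subject)"
"Issuer     : $($ca.Issuer)"
"Thumbprint : $($ca.Thumbprint)"
"Not after  : $($ca.NotAfter)"

# A root CA certificate is self-signed; refuse to put anything else into the Root store.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a self-signed CA certificate; refusing to add it to Trusted Root."
}

# Same effect as the wizard's 'Local Machine' -> 'Trusted Root Certification Authorities'.
# Use Cert:\CurrentUser\Root instead to trust the CA for the current user only.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify by thumbprint rather than by name; two CAs can share a name, not a thumbprint.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) { throw "Certificate not found in LocalMachine\Root after import." }
"Installed in LocalMachine\Root: $($installed.Subject)"

# Check that inspection is actually taking place: open a TLS connection through the
# FortiGate and look at who issued the certificate the client receives. With the policy
# active the issuer is the FortiGate CA, not the site's public CA. Validation is disabled
# here ({ $true }) only so the issuer can be printed even before the CA is trusted.
$tcp = New-Object System.Net.Sockets.TcpClient("example.com", 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, ({ $true }))
$ssl.AuthenticateAsClient("example.com")
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
"Issuer seen by the client : $($leaf.Issuer)"
if ($leaf.Issuer -eq $ca.Subject) {
    "Traffic to example.com is re-signed by the FortiGate CA (deep inspection active)."
} else {
    "Traffic to example.com is NOT re-signed (no inspection, an exemption, or a different policy)."
}
$ssl.Dispose()
$tcp.Dispose()
```

The final check is worth keeping around: if the issuer shown is the site's public CA, the client is not hitting the inspecting policy at all (wrong policy order, an exemption in the SSL/SSH inspection profile, or no security profile enabled on the policy), and installing the CA on more endpoints will not change that. Applications that pin their server certificate will still fail after the CA is trusted; those destinations have to be exempted in the SSL/SSH inspection profile.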
 
[Image: policy4.PNG]

The image above shows the steps to enable deep inspection in the firewall policy. These steps are as follows:

  1. On the FortiGate, go to Policy & Objects -> IPv4 Policy and edit the policy. Starting from FortiOS 6.4.0, it is under Policy & Objects -> Firewall Policy.
  2. Under the section 'SSL Inspection', select 'deep-inspection'.
  3. Select OK to save the changes.

Refer to this document for more information:

Obtain, setup, and download an SSL certificate package from a certificate authority

 

Continuing the Importing Certificate section (for a CA certificate obtained from your own private CA instead of the built-in Fortinet_CA_SSL):

[Image: Import the signed certificate into your FortiGate.png]

  1. On the FortiGate, go to System -> Certificates and select Import -> Local Certificate. Upload the signed local certificate file, then select OK.
  2. The status of the certificate changes from PENDING to OK.
  3. Select Import -> CA Certificate.
  4. Set the Type to File, upload the CA certificate file, then select OK.

    The CA certificate will be listed in the CA Certificates section of the certificates list.

A certificate used for full SSL inspection must itself be a CA certificate, because the FortiGate uses it to sign a new certificate for every inspected site. That is why it normally comes from a private CA: publicly trusted CAs do not issue signing CAs for this purpose. After the import, the certificate can be selected as the CA certificate of an SSL/SSH inspection profile, and it is that certificate, rather than Fortinet_CA_SSL, that then has to be installed on the endpoints.


Important Note:

Deep inspection only works if at least one security profile (for example antivirus or web filter) is enabled on the policy. Without a security profile enabled, the SSL inspection profile is never applied and traffic passes through uninspected, even though 'deep-inspection' is selected.
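The policy steps above and the note about security profiles, written out as a FortiOS CLI configuration added here for illustration (not configuration from the original article). Interface names port2 (LAN side) and port1 (WAN side), policy ID 1 and the use of the default antivirus and web filter profiles are assumptions; lines starting with # are comments.

```text
# Added example, not from the original article. Assumed: port2 = LAN, port1 = WAN, policy ID 1.

# Confirm which CA the built-in profile re-signs with; this is the certificate that
# has to be installed on the endpoints. Look for the 'set caname' line in the output.
show full-configuration firewall ssl-ssh-profile deep-inspection

config firewall policy
    edit 1
        set name "LAN-to-WAN-deep-inspection"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # Deep inspection is only triggered when a security profile is enabled on the
        # policy; ssl-ssh-profile on its own does nothing. Enable UTM and at least one profile.
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
    next
end
```

Setting 'utm-status' must precede the profile settings, and the policy only matters if it is the first one that matches the traffic; a broader policy placed above it, or one without a security profile, silently bypasses inspection.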

Related articles:
Technical Tip: How to import the CA certificate for full SSL inspection
Technical Tip: Installing Private CA for Deep inspection