Description | This article describes the requirements for deep inspection and how to use a private CA for deep inspection. |
Scope | FortiGate. |
Solution |
It is often necessary to implement deep inspection in an environment. The deep inspection profile always requires a certificate to be selected. Most of the time, the certificate that is used here is simply a local certificate, containing the private key and public key, that is often installed for the SSL VPN. However, this certificate cannot be used for deep inspection; the option to select such certificates will not even be shown. The reason is that this is not the correct type of certificate for deep inspection. To be used for deep inspection, the certificate must be of the private CA type. A private CA certificate is one that can issue certificates to others, which is indicated by the X509v3 Basic Constraints value CA: True.
To avoid using the Fortinet_CA_SSL certificate, it is possible to install your own Private_CA certificate for the internal network:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/122078/deep-inspection
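The following added example (not part of the original article or of Fortinet's documentation) uses the OpenSSL command line to build a private CA certificate and an SSL VPN style server certificate, then checks each one for the Basic Constraints value CA:TRUE that deep inspection requires. The file names, common names and helper function names are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: every name and certificate below is constructed for illustration.

# Write a minimal OpenSSL config with a CA profile and a server (leaf) profile.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
}

# make_cert <basename> <extension-section> <common-name>
# Creates <basename>.key and a self-signed <basename>.crt.
make_cert() {
    write_config "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1.cnf" -extensions "$2" -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# is_ca_cert <cert.pem>: succeeds only if Basic Constraints contains CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# deep_inspection_candidate <cert.pem>: prints a verdict for one certificate.
deep_inspection_candidate() {
    if is_ca_cert "$1"; then
        echo "usable: CA certificate"
    else
        echo "not usable: not a CA certificate"
    fi
}

# Demo: one private CA and one server certificate of the kind used for SSL VPN.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/private_ca" v3_ca "Example Private CA"
make_cert "$demo_dir/sslvpn" v3_leaf "vpn.example.test"
for name in private_ca sslvpn; do
    printf '%s: %s\n' "$name" "$(deep_inspection_candidate "$demo_dir/$name.crt")"
done
rm -rf "$demo_dir"
```

Running `is_ca_cert` against a certificate before importing it shows in advance whether it is the type that can be selected in a deep inspection profile.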
If any issues are experienced, feel free to contact the TAC. |
During certificate inspection of blocked websites, users may encounter security warnings regarding the validity of the presented certificates. As outlined in this article, the implementation of a private Certificate Authority (CA) effectively mitigates these warnings, ensuring a consistent and secure user experience.
Copyright 2024 Fortinet, Inc. All Rights Reserved.