Created on 03-02-2023 08:23 AM
Edited on 09-23-2025 03:30 AM
By Anthony_E
Description | This article explains how SSL Deep Inspection behaves on FortiGate and how to activate it correctly. |
Scope | FortiGate. |
Solution |
This example assumes a user is attempting to implement SSL Deep Inspection for the first time.
In this case, SSL Deep Inspection does not work as intended: the user still receives the original certificate from the website.
To activate SSL Deep Inspection, it is necessary to enable at least one of the security profiles. This can be Web Filter, Application Control, Antivirus, or IPS.
Note: Enabling the DNS filter will not activate the SSL Deep Inspection.
For example, after enabling the Web filter, the deep inspection feature can be activated:
FortiGate has now activated the deep inspection:
Note: When deep inspection via a proxy policy combined with an application-control UTM profile (for example, to allow WeTransfer) fails, verify whether the policy destination is restricted to a specific FQDN. Many applications use multiple or dynamic IPs, so restricting by FQDN can cause failures. To fix this, set the policy destination to ALL (or Any) so traffic to all resolved IP addresses is permitted. |
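One way to audit a configuration backup for the condition described above, as an added example (not Fortinet's code): it flags firewall policies that reference a deep-inspection SSL/SSH profile but none of the four activating security profiles. The sample configuration is constructed, and the profile names treated as deep inspection are an assumption supplied by the caller.

```python
# Policy settings for the profiles the article lists as activating deep
# inspection: Antivirus, Web Filter, Application Control, IPS.
ACTIVATING = ("av-profile", "webfilter-profile", "application-list", "ips-sensor")

# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE = """\
config firewall policy
    edit 1
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
    next
    edit 2
        set ssl-ssh-profile "deep-inspection"
        set dnsfilter-profile "default"
    next
    edit 3
        set ssl-ssh-profile "certificate-inspection"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: value}} from the 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = policies.setdefault(line.split()[1], {})
        elif line.startswith("set ") and current is not None:
            _, key, *value = line.split(None, 2)
            current[key] = value[0].strip('"') if value else ""
        elif line == "next":
            current = None
        elif line == "end":
            in_block = False
    return policies

def inactive_deep_inspection(config_text, deep_profiles=("deep-inspection",)):
    """List (policy_id, has_dns_filter_only) where deep inspection is set but not activated.

    deep_profiles is an assumption: the SSL/SSH profile names the caller knows are deep inspection.
    """
    findings = []
    for pid, cfg in parse_policies(config_text).items():
        if cfg.get("ssl-ssh-profile") in deep_profiles and not any(cfg.get(k) for k in ACTIVATING):
            findings.append((pid, "dnsfilter-profile" in cfg))
    return findings
```

The second element of each finding marks policies where only a DNS filter is attached, the case the note above says does not activate deep inspection.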