FortiGate
montyadams
Staff
Article Id 392810

Description

 

This article describes the purpose of SSL (Secure Sockets Layer) and TLS (Transport Layer Security), their role in network security, and the importance of using Fully Qualified Domain Names (FQDNs) over IP addresses for secure communications and SSL/TLS inspection by FortiGate firewalls.

 

Scope

 

FortiGate.

 

Solution

 

SSL and TLS:

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that authenticate the server and encrypt traffic between a client and a server over the Internet. TLS is the successor to SSL: SSL 2.0 and 3.0 are deprecated (RFC 6176 and RFC 7568) and should not be enabled anywhere, yet the term "SSL" is still used generically, including in the FortiGate feature name "SSL Inspection", to mean TLS.

 

HTTPS vs HTTP:

 

Protocol    Secure?    Uses SSL/TLS?    Browser display
http://     No         No               No padlock
https://    Yes        Yes              Padlock

 

How the browser verifies that the certificate belongs to the site:

The browser compares the host part of the URL (a hostname or an IP address) against the names listed in the certificate. Two certificate fields are involved.
The authoritative field is the Subject Alternative Name (SAN) extension. It can hold several entries, so one certificate can cover multiple names (for example example.com and www.example.com) and wildcard names such as *.example.com, where the wildcard covers exactly one left-most label. An IP address can also be listed in the SAN, as an IP Address entry rather than a DNS entry.
The Common Name (CN) in the certificate subject is the legacy field. RFC 6125 deprecates it for name matching, and current browsers ignore the CN whenever a SAN extension is present (Chrome has required a SAN since version 58). A certificate that carries the name only in the CN is rejected by modern browsers.
The host in the URL must match at least one SAN entry of the right type (DNS entry for a hostname, IP Address entry for an IP) for the certificate to be accepted for that site.

 

It is best practice to use an FQDN. A certificate that lists the IP address in its SAN is technically valid and the TLS protection is the same, but IP entries cannot use wildcards, the certificate must be reissued whenever the address changes, and public CAs rarely issue certificates for IP addresses.
Most certificates therefore contain only the FQDN and not the IP address, so browsing to https://<IP> typically produces a certificate error even though https://<FQDN> to the same server is fine.
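The following script is an added example, not code from the original article or from Fortinet. It reproduces the browser's matching rules described above over certificate data in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(), so it runs offline against constructed certificates. The three certificates (FQDN_ONLY_CERT, IP_AND_FQDN_CERT, CN_ONLY_CERT) and the address 203.0.113.10 are constructed for illustration; the function cert_matches returns whether the host part of a URL is accepted and why. It shows the exact failure the paragraph above describes: a certificate issued for the FQDN only is rejected when the same server is reached by IP, while a certificate with an IP Address SAN entry is accepted.

```python
"""Browser-style certificate name matching (RFC 6125 / RFC 2818 rules).

Added example for the FortiGate KB article; not part of the original text.
Operates on the dict shape produced by ssl.SSLSocket.getpeercert().
"""
import ipaddress


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one SAN DNS entry (optionally a wildcard) against a hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # RFC 6125 s6.4.3: the wildcard must be the whole left-most label, it
    # covers exactly one label, and it must not stand in for a bare suffix
    # such as "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, target: str) -> tuple:
    """Return (accepted, reason) for the host part of a URL against a cert."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))  # IPv6 literals are bracketed in URLs
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())
    if san:
        # A SAN extension is present: the CN is ignored, as modern browsers do.
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True, f"matched SAN IP Address {value}"
                except ValueError:
                    continue
            elif ip is None and kind == "DNS" and _dns_name_match(value, target):
                return True, f"matched SAN DNS {value}"
        return False, "SAN present but no entry matches the URL host"

    # No SAN at all: the legacy CN fallback. Current browsers do not do this
    # and would reject the certificate; it is kept here to show the difference.
    if ip is None:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_name_match(value, target):
                    return True, f"matched legacy CN {value} (rejected by current browsers)"
    return False, "no SAN extension and CN does not match"


# Constructed sample certificates (not real issued certificates).
FQDN_ONLY_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.api.example.com"),
    ),
}
IP_AND_FQDN_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for cert_name, cert, host in [
        ("FQDN_ONLY_CERT", FQDN_ONLY_CERT, "www.example.com"),
        ("FQDN_ONLY_CERT", FQDN_ONLY_CERT, "203.0.113.10"),      # the cert error from the article
        ("FQDN_ONLY_CERT", FQDN_ONLY_CERT, "foo.api.example.com"),
        ("FQDN_ONLY_CERT", FQDN_ONLY_CERT, "a.b.api.example.com"),
        ("IP_AND_FQDN_CERT", IP_AND_FQDN_CERT, "203.0.113.10"),
        ("CN_ONLY_CERT", CN_ONLY_CERT, "legacy.example.com"),
    ]:
        ok, why = cert_matches(cert, host)
        print(f"{cert_name:18} {host:22} {'OK ' if ok else 'ERR'} {why}")
```

The function deliberately separates the two mismatch cases a troubleshooter sees on a FortiGate or a client: a certificate that does list names but not the one in the URL (the IP-versus-FQDN case), and a certificate with no SAN at all, which modern browsers reject outright regardless of the CN.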

 

FortiGate and SSL/TLS:

FortiGates can inspect encrypted traffic using SSL Inspection to detect threats hidden in HTTPS sessions. Two modes are available in the SSL/SSH inspection profile:

  • Certificate Inspection: reads the unencrypted parts of the TLS handshake (the Server Name Indication and the server certificate's CN/SAN) without decrypting the session. This is enough for hostname-based web filtering and certificate validation, but the payload is not scanned.
  • Full SSL Inspection (deep inspection): the FortiGate terminates the TLS session, decrypts and scans the payload (antivirus, IPS, web filter, DLP), then re-encrypts it toward the client using a certificate it signs with its own CA (Fortinet_CA_SSL by default). Clients must trust that CA, otherwise every inspected site shows a certificate warning. Because the re-signed certificate is generated from the server's name, an FQDN in the URL is also what allows the FortiGate to present a matching certificate.

 

Note:

Certain services, such as banking sites or backup and software-update agents, should be exempted from Full SSL Inspection. These clients often pin their certificates or refuse any CA other than the one they expect, so the FortiGate's re-signed certificate causes connection failures or failed transfers rather than silent inspection. The default deep-inspection profile already exempts the Finance and Banking and Health and Wellness web-filter categories; additional exemptions are added per FQDN or address in the profile's SSL exemption list.

 

SSL/TLS Best Practices:

  • Use https:// for all connections that carry credentials or sensitive data.
  • Avoid using IP addresses in SSL/TLS-enabled applications; address servers by FQDN and make sure that FQDN appears in the certificate's SAN.
  • Ensure all devices support current TLS versions (TLS 1.2 and 1.3) and disable SSL 3.0, TLS 1.0 and TLS 1.1.
  • Do not bypass certificate warnings in browsers or applications; a warning is the only signal that the name or the trust chain does not match, which is also how an unexpected interception is noticed.

 

Conclusion:

SSL and TLS protocols are essential for protecting data in transit. Their effectiveness depends on proper implementation and adherence to best practices, including using FQDNs instead of IP addresses. FQDNs ensure proper validation, inspection, and scalability across modern networks secured by FortiGate firewalls.

 

Related documents:

Fortinet SSL Inspection Guide

What is TLS? (Cloudflare)

How HTTPS Works (Let’s Encrypt)

Comments
GILMENDO
Staff & Editor

great job thank you Monty!