Fortinet Forum
bcote
New Contributor

Disable SSL/SSH Inspection in FortiOS 5.6

Hi all,

 

still in pre-production but I was wondering how I can turn off the now (since 5.6) forced SSL/SSH inspection. I know it is becoming more and more necessary, but for now, in our environment, it is causing us much more headaches than benefits. Eventually, we want to get there, but the time isn't now. I was told there is a way in the CLI to turn it off. I can't seem to find the right cookbook/document explaining how.

 

Anybody running 5.6 that might know where to look to get this turned off? All the info I can find dates back to 5.2 and the same commands don't apply to 5.6 anymore.

 

Any help will be greatly appreciated.

Ben

1 Solution
bstevens
New Contributor II

Upgraded from 5.4.x to 5.6.3 recently. Seemingly the forced SSL Inspection has wreaked havoc on web browsing. Cert errors, and web filter is now filtering out images that were not previously filtered. If there is a way to turn off the forced SSL/SSH inspection I'd love to know as well. At this point I'm not sure how to fix the issues short of turning off all Security profile options in the policies, which seems like a really bad fix.


MikePruett
Valued Contributor

ssl cert inspection is hurting you? I'm running 5.6 and it isn't forcing deep inspection.

hmtay_FTNT
Staff

Hi Ben,

 

There was another thread with the same question:

 

https://forum.fortinet.com/tm.aspx?tree=true&m=148779&mpage=1

 

In short: the basic certificate-inspection is not doing a MITM. It only scans the SNI of the Client Hello and the SSL certificate. Thus, you will not run into any SSL errors or problems with decrypting the sessions. In the past, with older FortiOS, when users could choose to disable it, disabling it would cause signatures to not work on HTTPS sessions.

 

Let's say we add a rule "www.facebook.com". Without enabling at least certificate-inspection, the rule will not work on https://www.facebook.com.

 

HoMing
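To illustrate what the reply above describes (certificate-inspection matching a hostname rule on the SNI of the Client Hello without decrypting anything), here is an added example that is not part of the original thread and not FortiOS code. It builds a minimal TLS 1.2 ClientHello as constructed test input, extracts the `server_name` extension (type 0) from it, and applies a hypothetical hostname rule for www.facebook.com, the host used in the reply. The `BLOCKED_HOSTS` set, the `build_client_hello`, `extract_sni` and `evaluate_policy` functions are assumptions for the demonstration; the key point it shows is that when no SNI is present the hostname rule has nothing to match, which is the failure mode described for HTTPS sessions without at least certificate-inspection.

```python
import struct

# Hypothetical rule set standing in for a web-filter entry (assumption for this example).
BLOCKED_HOSTS = {"www.facebook.com"}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input, not captured traffic)."""
    body = b"\x03\x03" + bytes(32)        # client_version + 32-byte random (zeroed for the example)
    body += b"\x00"                       # session_id length 0
    body += b"\x00\x02\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                   # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName entry: name_type(0 = host_name) + 2-byte length + name
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        extensions += b"\x00\x00" + struct.pack("!H", len(sni_ext)) + sni_ext
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent/not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                      # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # skip compression_methods
    if len(body) < pos + 2:                           # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000:                        # server_name extension
            q = 2                                     # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0:                    # host_name
                    return name.decode("ascii", "replace")
    return None


def evaluate_policy(record):
    """Mimic a certificate-inspection style hostname rule: decide on the SNI only, no decryption."""
    sni = extract_sni(record)
    if sni is None:
        return ("allow", "no SNI visible; hostname rule cannot match")
    if sni.lower() in BLOCKED_HOSTS:
        return ("block", "SNI %s matched rule" % sni)
    return ("allow", "SNI %s not in rule set" % sni)


if __name__ == "__main__":
    for host in ("www.facebook.com", "example.org", None):
        print(host, evaluate_policy(build_client_hello(host)))
```

Running it shows the rule firing on the facebook SNI, passing example.org, and falling through to "allow" when the ClientHello carries no server_name, which is exactly why a hostname rule on HTTPS needs the inspection profile to look at the handshake.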

bcote

Hey guys,

 

thanks for confirming this. I am planning a deployment for next weekend and it was one of the differences between my current installation and my new 1500D. I didn't want SSL Inspection to complicate the move to production. Ultimately, the goal will be to do Deep inspection at some point, simply not now.

 

Thanks again,

 

Ben

gsarica

5.6.0 completely broke deep inspection for us, it was working seamlessly on 5.4.3. I currently have a ticket open.

bstevens
New Contributor II

Upgraded from 5.4.x to 5.6.3 recently. Seemingly the forced SSL Inspection has wreaked havoc on web browsing. Cert errors, and web filter is now filtering out images that were not previously filtered. If there is a way to turn off the forced SSL/SSH inspection I'd love to know as well. At this point I'm not sure how to fix the issues short of turning off all Security profile options in the policies, which seems like a really bad fix.

cblanco

Currently experiencing the same issue. Everything was working fine.

sebastan_bach

Don't use 5.6 at all. It's a pathetic release with a poor QA job. If you are in NGFW mode in 5.6 then you are more affected, as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.

 

Regards

 

Sebastan

romanr

sebastan_bach wrote:

Don't use 5.6 at all. It's a pathetic release with a poor QA job. If you are in NGFW mode in 5.6 then you are more affected, as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.

Hi,

 

actually I don't know what you guys have configured... 5.6.3 has some minor troubles here and there, but SSL inspection is doing its job (knowing that from quite a number of boxes for a lot of customers...)

 

For NGFW firewall mode:

- Before using that, please get into the concepts first. NGFW mode is intended to MAINLY USE DEEP INSPECTION!

- If you complain that there is only one profile to select - think about why! The firewall needs to re-evaluate sessions after an application detection has happened. Therefore it just cannot switch SSL profiles all the time while processing traffic.

- If you are not fine with that - then NGFW mode might not fit your requirements - or your concept of using seems to go wrong.

 

And somewhat off topic - providing some details on the running configuration and the troubles you run into will help you to receive some support from others here.

 

Br, Roman

ZeroInterrupt

sebastan_bach wrote:

Don't use 5.6 at all. It's a pathetic release with a poor QA job. If you are in NGFW mode in 5.6 then you are more affected, as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.

 

Regards

 

Sebastan

Do you have 'multiple security profiles' turned on under 'System -> Feature Visibility -> Advanced Features'? I have, and I create multiple SSL inspection profiles.