Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ag611
New Contributor

Created on ‎07-04-2018 01:42 PM

Testing SSL Deep Inspection

I'm enabling SSL deep inspection for the first time, and would like to test it on a single workstation before deploying.

I have created a new SSL inspection profile called "prod-deep-inspection" and downloaded the certificate for it. Before I install the certificate I want to test and make sure this workstation shows errors in the browser.

 

I've created an IPV4 policy under "data (internal1) -> SD-WAN":

[ul]
  • Incoming interface: data (internal1)
  • Outgoing interface sd-wan
  • Source: [address object with static IP of workstation]
  • Destination: all
  • Schedule: always
  • Service: all
  • Action: accept
  • NAT: enabled
  • Proxy options: enabled/default
  • SSL Inspection: enabled/prod-deep-inspection[/ul]

    But when I browse on the workstation I don't get any certificate errors, and the browser shows the website certificate.

    Is there something wrong with my policy that's causing it to not produce errors on this workstation?

     

    When I look at traffic logs, I can see that my policy, #24, is applying.

    • 21951
    0 Kudos
    5 REPLIES 5
    emnoc
    Esteemed Contributor III

    Created on ‎07-04-2018 02:52 PM

    I  wrote this up as a sure 100%  way to  know SSL inspection

    http://socpuppet.blogspot.com/2018/05/av-with-https-inspection-fortios.html

     

    But I would start by looking at the firewall ssl-inspection profile "prod-deep-inspection" and a diag debug flow

     

    Ken Felix

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    6769
    0 Kudos
    ede_pfau
    SuperUser
    SuperUser
    In response to emnoc

    Created on ‎07-05-2018 03:03 AM

    Which settings do you have set in Security Profiles > SSL Inspection, prod-deep-inspection ? Esp. do you scan all ports or just 443?

    Ede Kernel panic: Aiee, killing interrupt handler!
    Ede Kernel panic: Aiee, killing interrupt handler!
    6769
    0 Kudos
    ag611
    New Contributor
    In response to ede_pfau

    Created on ‎07-05-2018 05:42 AM

    Enable SSL Inspection of: Multiple clients connecting to multiple servers

     

    Inspection method: Full

     

    CA Certificate: Fortinet_CA_SSL (the default certificate, I didn't change anything here)

     

    Untrusted SSL Certificates: Allow

     

    RPC over HTTPS: Disabled

     

    Inspecting HTTPS, SMTPS, POP3S, IMAPS, FTPS

     

    Exempt from SSL Inspection: reputable websites disabled.

     

    Allow invalid ssl certificates: disabled

     

    Log SSL anomalies: enabled

    6769
    0 Kudos
    mrhodes
    New Contributor
    In response to ag611

    Created on ‎09-27-2018 12:45 PM

    If I am not mistaken - applying SSH profile won't do anything on its own  - it only comes into play when another policy like Anti-virus or Web filter is also being looked at.  So you would also need your web filter policy applied to that rule for the SSH Inspection to occur when browsing to an Https site

    6769
    0 Kudos
    Tom_Spelda
    New Contributor

    Created on ‎03-19-2019 07:24 AM

    I am experiencing the same thing with my Fortigate 1200D.  Google has knowledge base article: https://support.google.com/chrome/a/answer/3504943?hl=en&ref_topic=3504941  

    where inside are useful tests for chromebooks and a note on how the chromebooks require a PEM based certificate.

    I opened a ticket with Fortinet support.

    6769
    0 Kudos
    Announcements
    Check out our Community Chatter Blog! Click here to get involved
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2025 Fortinet, Inc. All Rights Reserved.