amatteo78
New Contributor

disabled SSL inspection

Hello,

I don't understand how I can disable SSL when Web Filter is enabled. I can't switch it off. I can only switch it off if I disable the web filter. Do you have any ideas? I have FortiGate v5.2.1 build618 (virtual appliance).

Thanks

M.

10 REPLIES
techevo
New Contributor

Hi,

In your policy, under SSL/SSH inspection, select the certificate inspection profile. It will disable the "man in the middle" SSL inspection and only inspect the certificate, and it will stop your SSL error in the web browser. SSL inspection is a good thing, so you should be looking at deploying a certificate on the workstation in order to effectively use full SSL inspection.

If for some reason the "certificate inspection" profile was deleted, you can create one under Policy & Objects - Policy - SSL/SSH Inspection.

amatteo78

Hello,

I set "certificate-inspection", but I have a problem when I try to view websites such as Facebook. Let me explain: if I accept Facebook, there is no problem. If I block it, I receive an error and not the Fortinet block page, which I normally see when I try to browse a blocked website.

Any ideas?

Thanks

M.

Bromont_FTNT

 

Even when you use certificate inspection, when the FortiGate displays the blocked page message, that page must be HTTPS. There is no way around this, as the browser is expecting HTTPS; the FortiGate uses its certificate for the blocked page.

amatteo78

Can I disable SSL Inspection from the IPv4 policy? At the moment it is enabled automatically when I enable the web filter, and I can't disable it.

 

M.

vmartin_FTNT
Staff

The ability to disable SSL/SSH inspection when using a security profile was added in 5.2.1, as noted on page 16 of the What's New guide (http://docs.fortinet.com/uploaded/files/1912/PDF.pdf).  You can disable inspection in the CLI, not the web-based manager.

 

config firewall policy
  edit <id>
    unset ssl-ssh-profile
  next
end

I just tested this and it does work; however, I noticed that when you view the policy in the web-based manager, it will show SSL inspection as enabled. However, using the show command in the CLI confirmed that it was disabled.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

Fr34k11
New Contributor

Hi,

You can disable the SSH inspection in the GUI. If you are on the page where you view all your policies (section view or global view) and you right-click on the SSH profile, you will get a menu and you can select remove profile there.

 

 

 

But here is another problem, and I do hope they sort this one out because it's annoying. When you go into the rule itself and you change something like the source address or the service or anything that has nothing to do with UTM (in fact, now that I think about it, you don't even have to change anything), as soon as you click the OK button the SSL Inspection profile is back. Even if you turn it off in the CLI.

If you open the rule in the GUI and click OK, SSL is back.

 

Anyway hope the tip helps to clean out those pesky ssl profiles :)

 

 

- FortiFr34k11
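
Both reports above (the web-based manager showing SSL inspection as enabled while `show` says otherwise, and the profile coming back after clicking OK in the GUI) come down to checking the CLI output per policy. The Python sketch below is an added example, not part of any post in this thread: it parses a constructed sample of `show firewall policy` output and reports which policies carry an `ssl-ssh-profile`. The sample policies and the function names are assumptions.

```python
# Constructed sample of `show firewall policy` output (not from the thread).
SAMPLE_SHOW = """\
config firewall policy
    edit 1
        set action accept
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 2
        set action accept
        set utm-status enable
        set webfilter-profile "default"
    next
    edit 3
        set action accept
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: value}} from `show firewall policy` text."""
    policies, current, depth = {}, None, 0
    for raw in text.splitlines():
        tok = raw.split(None, 2)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1          # anything inside a nested config block is skipped
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1 and tok[1].isdigit():
            current = policies.setdefault(int(tok[1]), {})
        elif depth == 1 and tok[0] == "next":
            current = None
        elif depth == 1 and current is not None and tok[0] == "set" and len(tok) == 3:
            current[tok[1]] = tok[2].strip().strip('"')
    return policies

def ssl_profile_report(text, expect_unset=()):
    """Return ({id: ssl-ssh-profile or None}, ids in expect_unset where it is set)."""
    state = {pid: cfg.get("ssl-ssh-profile")
             for pid, cfg in parse_policies(text).items()}
    drifted = sorted(pid for pid in expect_unset if state.get(pid) is not None)
    return state, drifted

if __name__ == "__main__":
    print(ssl_profile_report(SAMPLE_SHOW, expect_unset=(1, 2)))
```

Run it against saved `show firewall policy` output after any GUI edit, passing the policy IDs where the profile was unset as `expect_unset`.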

vmartin_FTNT
Staff

A bug has been made about the issue and is being worked on for future FortiOS releases.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

is-office

I am facing a similar issue on v6.0.2. On our enterprise portal, instead of displaying the SSL CA which we bought, all browsers are pointing to the firewall s/n, thereby making the connection unsecured. Please how can this be resolved?

Alex-Farias

Same problem here... did you manage to work around this problem?
