Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LaurentDumont
New Contributor

Created on ‎08-19-2019 06:12 PM

80C - Enabling SSL Inspection

Hey everyone,

Currently attempting to enable SSL inspection/MITM on a 80C and it doesn't seem to be working.

[ul]
  • I have a single FW rule for the outgoing NAT traffic.
  • I don't see the FGT certificate being presented to hosts browsing HTTPS sites behind the FW. I am seeing the traffic hitting the correct policy.
  • It doesn't have a license. It's just for testing stuff in a lab.
  • Running v5.6.3 build1547 (GA)[/ul]

    Relevant configurations : Security profile : https://i.imgur.com/lT5y8aL.png FW rule with applied profile : https://i.imgur.com/u3OwQAw.png Traffic hitting the FW and the correct policy : https://i.imgur.com/Pvx5pPC.png

    Is the SSL inspection feature behind the paid license? Anything else I could try to properly tshoot this?

    Let me know if there is anything else I can provide.

    Thanks!

    • 2784
    0 Kudos
    1 Solution
    orani
    Contributor II

    Created on ‎08-19-2019 10:22 PM

    What do you mean that it is not working.

    You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

    Orestis Nikolaidis

    Network Engineer/IT Administrator

    View solution in original post

    Orestis Nikolaidis Network Engineer/IT Administrator
    1691
    0 Kudos
    2 REPLIES 2
    orani
    Contributor II

    Created on ‎08-19-2019 10:22 PM

    What do you mean that it is not working.

    You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

    Orestis Nikolaidis

    Network Engineer/IT Administrator

    Orestis Nikolaidis Network Engineer/IT Administrator
    1692
    0 Kudos
    LaurentDumont
    New Contributor
    In response to orani

    Created on ‎08-20-2019 06:40 PM

    orani wrote:

    What do you mean that it is not working.

    You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

    That was it! I tried with a dummy web filter and it does intercept the SSL traffic now.

     

    I am now trying to dump the decrypted SSL traffic. I've bolded the relevant commands. That said, I am not seeing any traffic on that interface. Anything else I should try?

     

    FGT-LAURENT-DREAMHACK # show firewall policy 1 config firewall policy edit 1 set name "ssl-inspection" set srcintf "internal" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set logtraffic all set ssl-mirror enable set ssl-mirror-intf "wan2" set webfilter-profile "web-filter-flow" set profile-protocol-options "default" set ssl-ssh-profile "test-all" set nat enable next end

     

    Thanks!

    1648
    0 Kudos
    Announcements
    Check out our Community Chatter Blog! Click here to get involved
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2025 Fortinet, Inc. All Rights Reserved.