Support Forum
LaurentDumont
New Contributor

80C - Enabling SSL Inspection

Hey everyone,

Currently attempting to enable SSL inspection/MITM on a 80C and it doesn't seem to be working.

  • I have a single FW rule for the outgoing NAT traffic.
  • I don't see the FGT certificate being presented to hosts browsing HTTPS sites behind the FW. I am seeing the traffic hitting the correct policy.
  • It doesn't have a license. It's just for testing stuff in a lab.
  • Running v5.6.3 build1547 (GA)

    Relevant configurations:
    Security profile: https://i.imgur.com/lT5y8aL.png
    FW rule with applied profile: https://i.imgur.com/u3OwQAw.png
    Traffic hitting the FW and the correct policy: https://i.imgur.com/Pvx5pPC.png

    Is the SSL inspection feature behind the paid license? Anything else I could try to properly troubleshoot this?

    Let me know if there is anything else I can provide.

    Thanks!

    orani
    Contributor II

    What do you mean that it is not working?

    You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

    Orestis Nikolaidis

    Network Engineer/IT Administrator

    LaurentDumont

    orani wrote:

    What do you mean that it is not working?

    You have to use SSL inspection with some other security profiles such as IPS or Web Filter.

    That was it! I tried with a dummy web filter and it does intercept the SSL traffic now.


    I am now trying to dump the decrypted SSL traffic. I've bolded the relevant commands. That said, I am not seeing any traffic on that interface. Anything else I should try?


    FGT-LAURENT-DREAMHACK # show firewall policy 1
    config firewall policy
        edit 1
            set name "ssl-inspection"
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set ssl-mirror enable
            set ssl-mirror-intf "wan2"
            set webfilter-profile "web-filter-flow"
            set profile-protocol-options "default"
            set ssl-ssh-profile "test-all"
            set nat enable
        next
    end


    Thanks!
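
The two things this thread turns on (an ssl-ssh-profile only takes effect when the policy also carries another UTM profile such as a web filter or IPS sensor, and ssl-mirror needs an ssl-mirror-intf) are easy to check mechanically from a `show firewall policy` dump. The script below is an added example, not FortiGate code or code from either poster: it parses the `config firewall policy ... end` text in the form shown above (the sample is the policy from the post, reconstructed onto separate lines) and reports the conditions that would stop inspection or mirroring from engaging. The list of UTM profile keys it looks for is an assumption (common FortiOS policy keys), not something the thread states.

```python
"""Audit a FortiGate 'show firewall policy' dump for the SSL inspection prerequisites
discussed in the forum thread. Added example; not FortiGate's own code."""
import re
import shlex
from typing import Dict, List

# Sample input: the policy posted in the thread, laid out one statement per line
# (constructed here from the post, which had it collapsed onto a single line).
SAMPLE_POLICY = """
config firewall policy
    edit 1
        set name "ssl-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set ssl-mirror enable
        set ssl-mirror-intf "wan2"
        set webfilter-profile "web-filter-flow"
        set profile-protocol-options "default"
        set ssl-ssh-profile "test-all"
        set nat enable
    next
end
"""

# Assumption: policy keys that bind a UTM profile. The accepted answer says SSL inspection
# only engages when one of these accompanies the ssl-ssh-profile.
UTM_PROFILE_KEYS = ("webfilter-profile", "ips-sensor", "av-profile",
                    "application-list", "dlp-sensor")

EDIT_RE = re.compile(r"^\s*edit\s+(\S+)\s*$")
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_id: {key: value}} for every `edit N ... next` block.

    Only `set` statements are read. Quoted values lose their quotes; a multi-value
    `set` (e.g. `set srcaddr "a" "b"`) is joined with single spaces.
    """
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, raw = m.groups()
            policies[current][key] = " ".join(shlex.split(raw))
    return policies


def audit_policy(policy: Dict[str, str]) -> List[str]:
    """Return findings explaining why SSL inspection or mirroring may not take effect.

    An empty list means the policy satisfies every check this script knows about.
    """
    findings: List[str] = []
    if policy.get("utm-status") != "enable":
        findings.append("utm-status is not enabled, so no security profile is applied")
    if "ssl-ssh-profile" not in policy:
        findings.append("no ssl-ssh-profile is bound to the policy")
    if not any(k in policy for k in UTM_PROFILE_KEYS):
        findings.append("ssl-ssh-profile alone does not trigger inspection; "
                        "bind a web filter, IPS or other UTM profile as well")
    if policy.get("ssl-mirror") == "enable" and not policy.get("ssl-mirror-intf"):
        findings.append("ssl-mirror is enabled but ssl-mirror-intf is not set")
    return findings


def policy_without(text: str, key: str) -> str:
    """Drop every `set <key> ...` line; models the original post's state before a
    web filter was added."""
    pattern = re.compile(rf"^\s*set\s+{re.escape(key)}\b")
    return "\n".join(l for l in text.splitlines() if not pattern.match(l))


if __name__ == "__main__":
    # Posted policy (after the fix) and the same policy with the web filter removed.
    for label, text in (("as posted", SAMPLE_POLICY),
                        ("without web filter", policy_without(SAMPLE_POLICY, "webfilter-profile"))):
        for pid, pol in parse_policies(text).items():
            print(f"policy {pid} {label}: {audit_policy(pol) or ['ok']}")
```

Run against the posted policy it reports nothing; strip the `webfilter-profile` line, as the original configuration effectively was, and it reports the missing companion UTM profile that the accepted answer points to. The script cannot tell why mirrored traffic is absent on wan2, since the policy dump alone does not show that; it only confirms the mirror interface is configured.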
