On a brand new deployment, I would like to start deploying web filtering. When applying the custom filter to the outbound policy, this requires SSL Inspection. Whether "Certificate-Inspection" or "deep-inspection" require browsers to have at certificate installed
As a test, I have manually installed on my browser the default "Fortinet_CA_SSL"
Is the installation of the Certificate really necessary?
Would it be a best practice to push this certificate to everyone or shall I create a new one? We do not have a CA server
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @hetag ,
Thank you for contacting the Fortinet Forum portal.
Generally, certificate inspection is used in flow-based inspection, and deep inspection is required when you are using proxy-based inspection and inspecting AV traffic, etc.,
article :
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/122078/deep-inspection
-In both, you need a certificate if you are doing inspection as below :
1. In certificate-inspection with certificate inspection you do not need a certificate to be installed if you are not inspecting all ports.
2. Certificate inspection with full SSL inspection you need a certificate to be installed.
3. Deep inspection is set to full SSL inspection by default, so you need a certificate to be installed.
refer below screenshot
Best regards,
Manasa.
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.
basically you will need Deep Packet Inspection if you want to inspect more then http requests or certificates. IPS,AV,APC etc will need to look into your traffic and that requires DPI.
And DPI will require a CA or SubCA Certificate because of the way it works. It is basically a man-in-the-middel one so it needs to decrypt https traffic and then re-encrypt it before sending it on to the client. When it re-encrypts traffic it needs to keep the CommonName (CN) or/and SubjectAlternae Name(s) (SAN) in the certificate but cannot use the original one becuase it doesn't have the private key. So it needs to issue a new cert with thge oringinal cert's CN/SAN and for that it needs to have a CA or SubCA Certificate.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
As sw2090, already said:
within the Deep Packet Inspection the original Certificate will be replaced by the Firewall. This is a "must".
Because of that the Endpoint-Clients must trust the certification authority which is the Firewall. The Client must therefore be aware of the certificate of the issuing authority (Here: the Firewall) as Part of "Trusted Root Certification Authorities". If you don't have a PKI or a CA-Server there is no other way than to install the Firewalls CA-Certificate manually to the needed Clients
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
224 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.