Support Forum
hetag
New Contributor

Certificate recommendations

On a brand new deployment, I would like to start deploying web filtering. When applying the custom filter to the outbound policy, this requires SSL Inspection. Whether "Certificate-Inspection" or "deep-inspection", both require browsers to have a certificate installed.

As a test, I have manually installed on my browser the default "Fortinet_CA_SSL".

Is the installation of the Certificate really necessary?

Would it be a best practice to push this certificate to everyone, or shall I create a new one? We do not have a CA server.

mpeddalla
Staff

Hello @hetag,

Thank you for contacting the Fortinet Forum portal.

Generally, certificate inspection is used in flow-based inspection, and deep inspection is required when you are using proxy-based inspection and inspecting AV traffic, etc.

Articles:

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/505842/certificate-inspectio...

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/122078/deep-inspection

In both cases, you need a certificate if you are doing inspection, as below:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...


1. In certificate-inspection with certificate inspection you do not need a certificate to be installed if you are not inspecting all ports.

2. Certificate inspection with full SSL inspection you need a certificate to be installed.

3. Deep inspection is set to full SSL inspection by default, so you need a certificate to be installed.

Refer to the screenshot below (certificateforum.PNG).

Best regards,

Manasa.


If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.

sw2090
SuperUser

Basically you will need Deep Packet Inspection if you want to inspect more than HTTP requests or certificates. IPS, AV, APC etc. will need to look into your traffic, and that requires DPI.

And DPI will require a CA or SubCA certificate because of the way it works. It is basically a man-in-the-middle one, so it needs to decrypt HTTPS traffic and then re-encrypt it before sending it on to the client. When it re-encrypts traffic it needs to keep the Common Name (CN) and/or Subject Alternative Name(s) (SAN) in the certificate, but cannot use the original one because it doesn't have the private key. So it needs to issue a new cert with the original cert's CN/SAN, and for that it needs to have a CA or SubCA certificate.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
WFF-Master
New Contributor II

As sw2090 already said:
Within Deep Packet Inspection the original certificate will be replaced by the firewall. This is a "must".
Because of that, the endpoint clients must trust the certification authority, which is the firewall. The client must therefore be aware of the certificate of the issuing authority (here: the firewall) as part of "Trusted Root Certification Authorities". If you don't have a PKI or a CA server, there is no other way than to install the firewall's CA certificate manually on the needed clients.
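To make the mechanism described in the two replies above concrete, here is an added example (not Fortinet's code and not something posted in the thread): it builds a stand-in inspection CA named Inspection_CA_SSL, re-issues a certificate for the constructed hostname www.example.com with its SANs preserved, and then runs the same checks a client performs, so the verify step only passes once that CA is in the trust store. The CA name and hostname are assumptions for the demo; openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added illustration, not Fortinet code: model the certificate re-issue that
# deep inspection performs, then show the client-side checks that decide
# whether the re-issued certificate is trusted. Names are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. The firewall's inspection CA (stands in for Fortinet_CA_SSL; self-signed here).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Inspection_CA_SSL" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The re-issued leaf: the original site's CN and SANs are copied across,
#    but it is signed with the inspection CA's key, not the site's key.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:www.example.com,DNS:example.com\n' > san.ext
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -extfile san.ext -out leaf.crt 2>/dev/null

# verify_leaf FILE|none: returns 0 when a client whose trust store is FILE
# (or the system default store, for "none") would accept the re-issued cert.
verify_leaf() {
  if [ "$1" = none ]; then
    openssl verify leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
  fi
}

# leaf_issuer_cn: CN of whoever signed the certificate the client received.
# On an inspected connection this is the firewall CA, not a public CA.
leaf_issuer_cn() {
  openssl x509 -in leaf.crt -noout -issuer | sed 's/.*CN *= *//'
}

# leaf_sans: the SANs the client sees; inspection keeps the original names.
leaf_sans() {
  openssl x509 -in leaf.crt -noout -text | grep -o 'DNS:[^,]*'
}

echo "issuer CN: $(leaf_issuer_cn)"
echo "SANs: $(leaf_sans | tr '\n' ' ')"
if verify_leaf none; then echo "system store: trusted"; else echo "system store: NOT trusted"; fi
if verify_leaf ca.crt; then echo "with firewall CA: trusted"; else echo "with firewall CA: NOT trusted"; fi
```

The same issuer check run against a real browser session tells you whether a given client is actually being inspected: a public issuer means the traffic bypassed inspection, the firewall CA as issuer means it did not.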
