Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kashif_shaikh
New Contributor II

Created on ‎04-12-2023 02:28 PM

Deep inspection

  • Hi all,

 

I wanted to know in my fortigate firewall with fortios 7.0.11, if I am using app control profile in policy then deep packet inspection is required compulsory?

 

Issue : Actually I am having existing policy with app control with normal certificate inspection but I am getting intermittent issue in zoom meetings if I am using Dpi then too sometimes I am getting issue so if using Dpi then zoom need to be bypass from it?

Labels:
3050
0 Kudos
2 Solutions
Markus_M
Staff
Staff

Created on ‎04-12-2023 02:58 PM

Hi Kashif,

 

DPI is kind of required. The reason is that the App control etc are working on the readable traffic/destination addresses etc inside the traffic. DPI ensure that fgt can actually read it. If we cannot read or only the TLS tunnel headers prior encrypting the whole stream, we cannot act on the encrypted traffic.

Alternatively explicit proxy might be worth a shot.

 

Best regards,

 

Markus

View solution in original post

3044
0 Kudos
Kashif_shaikh
New Contributor II
In response to Markus_M

Created on ‎04-12-2023 05:39 PM

Thanks @Markus_M 

View solution in original post

3033
0 Kudos
5 REPLIES 5
Markus_M
Staff
Staff

Created on ‎04-12-2023 02:58 PM

Hi Kashif,

 

DPI is kind of required. The reason is that the App control etc are working on the readable traffic/destination addresses etc inside the traffic. DPI ensure that fgt can actually read it. If we cannot read or only the TLS tunnel headers prior encrypting the whole stream, we cannot act on the encrypted traffic.

Alternatively explicit proxy might be worth a shot.

 

Best regards,

 

Markus

3045
0 Kudos
Kashif_shaikh
New Contributor II
In response to Markus_M

Created on ‎04-12-2023 05:39 PM

Thanks @Markus_M 

3034
0 Kudos
Kashif_shaikh
New Contributor II
In response to Markus_M

Created on ‎04-12-2023 05:48 PM

@Markus_M ,if I am using Dpi in policy with app control and still getting intermittent issue for zoom.us the bypassing zoom.us will work?

3025
0 Kudos
rtichkule
Staff
Staff
In response to Kashif_shaikh

Created on ‎04-13-2023 01:20 AM

Hello Kashif,

 

You should put the Fortinet CA certificate in the end user machine's Trusted root CA directory, as this is necessary for the deep inspection to function properly.

In case you want to bypass zoom you can add it in the Application and Filter Override.

2980
0 Kudos
Markus_M
Staff
Staff
In response to Kashif_shaikh

Created on ‎04-17-2023 01:26 AM

You should be more specific with the issue you have.

If you have certificate warnings, then you need to import the CA certificate FortiGate uses for signing web server certificates, to the client. The warning will then go away.

Some applications do implement a security measure where the server tells the end station what certificate to expect inside TLS. Since the FortiGate signs the webserver traffic, the certificate will be unexpected and the traffic may not proceed. That is a security measure against man-in-the-middle attacks and some applications indeed may have to be excluded from DPI.

 

Best regards,

 

Markus

2935
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.