Kashif_shaikh

Deep inspection

Hi all,

I wanted to know, on my FortiGate firewall with FortiOS 7.0.11, if I am using an app control profile in a policy, is deep packet inspection compulsorily required?

Issue: Actually I have an existing policy with app control and normal certificate inspection, but I am getting an intermittent issue in Zoom meetings. If I am using DPI, then too sometimes I get the issue, so if I am using DPI, does Zoom need to be bypassed from it?

Solutions

Markus_M (Staff)

Hi Kashif,

DPI is kind of required. The reason is that App Control etc. work on the readable traffic, destination addresses, etc. inside the traffic. DPI ensures that the FGT can actually read it. If we cannot read it, or can read only the TLS tunnel headers prior to the whole stream being encrypted, we cannot act on the encrypted traffic.

Alternatively, an explicit proxy might be worth a shot.

Best regards,

Markus


Kashif_shaikh

Thanks @Markus_M

Kashif_shaikh

@Markus_M, if I am using DPI in a policy with app control and am still getting an intermittent issue for zoom.us, will bypassing zoom.us work?

rtichkule

Hello Kashif,

You should put the Fortinet CA certificate in the end user machine's Trusted Root CA store, as this is necessary for deep inspection to function properly.

In case you want to bypass Zoom, you can add it in the Application and Filter Override.

Markus_M

You should be more specific about the issue you have.

If you have certificate warnings, then you need to import the CA certificate that the FortiGate uses for signing web server certificates to the client. The warning will then go away.

Some applications do implement a security measure where the server tells the end station what certificate to expect inside TLS. Since the FortiGate signs the web server traffic, the certificate will be unexpected and the traffic may not proceed. That is a security measure against man-in-the-middle attacks, and some applications indeed may have to be excluded from DPI.

Best regards,

Markus
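As an added illustration of the exclusion Markus and rtichkule describe (this is not configuration from any poster in the thread), the FortiOS CLI fragment below exempts the Zoom domains from a deep-inspection SSL/SSH profile while leaving DPI active for everything else. The object and profile names are assumptions, and the keywords are written from memory of the 7.0 CLI, so check them against the CLI reference for the running version before applying.

```text
# Constructed example, not taken from the thread. Names are assumptions.
# Wildcard FQDN object covering zoom.us and its subdomains.
config firewall wildcard-fqdn custom
    edit "zoom-wildcard"
        set wildcard-fqdn "*.zoom.us"
    next
end

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        # Flows matching an exempt entry are not resigned by the FortiGate CA:
        # the client sees the real server certificate, so a pinned client
        # keeps working, but App Control only sees SNI/destination for them.
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "zoom-wildcard"
            next
        end
    next
end
```

The exemption is the trade-off described above: the Zoom flows stay encrypted end to end, so App Control can classify them only from the unencrypted TLS metadata, not from the payload.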
