Hi all,
still in pre-production but I was wondering how I can turn off the now(since 5.6) forced SSL/SSH inspection. I know it is becoming more and more necessary, but for now, in our environment, it is causing us much more headaches than benefits. Eventually, we want to get there, but the time isn't now. I was told there is a way in the CLI to turn it off. I can't seem to find the right cookbook/Document explaining how.
Anybody running 5.6 that might know where to look to get this turned off? All the info I can find dates back to 5.2 and the same commands don't apply to 5.6 anymore.
Any help will be greatly appreciated.
Ben
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Upgraded from 5.4.x to 5.6.3 recently. Seemingly the forced SSL Inspection has wreaked havoc on web browsing. Cert errors and web filter is now filtering out images that were not previously filtered. If there is a way to turn off the forced ssl/ssh inspection I'd love to know as well. At this point I'm not sure how to fix the issues short of turn off all Security profile options in the polices, which seems like a really bad fix.
ssl cert inspection is hurting you? I'm running 5.6 and it isn't forcing deep inspection.
Mike Pruett
Hi Ben,
There was another thread with the same question:
https://forum.fortinet.com/tm.aspx?tree=true&m=148779&mpage=1
In short: The basic certificate-inspection is not doing a MiTM. It only scans the SNI of the Client Hello and SSL Certificate. Thus, you will not run into any SSL errors or problems with decrypting the sessions. In the past, with the older FortiOS, when users can choose to disable it, it would cause signatures to not work on HTTPS sessions if disabled.
Let's say we add a rule "www.facebook.com". Without enabling at least certificate-inspection, the rule will not work on https://www.facebook.com.
HoMing
Hey guys,
thanks for confirming this. I am planning a deployment for next weekend and it was one of the differences between my current installation and my new 1500D. I didn't want SSL Inspection to complicate the move to production. Ultimately, the goal will be to do Deep inspection at some point, simply not now.
Thanks again,
Ben
5.6.0 completely broke deep inspection for us, it was working seamlessly on 5.4.3. I currently have a ticket open.
Upgraded from 5.4.x to 5.6.3 recently. Seemingly the forced SSL Inspection has wreaked havoc on web browsing. Cert errors and web filter is now filtering out images that were not previously filtered. If there is a way to turn off the forced ssl/ssh inspection I'd love to know as well. At this point I'm not sure how to fix the issues short of turn off all Security profile options in the polices, which seems like a really bad fix.
Currently experiencing the same issue. Everything was working fine.
Don't use 5.6 at all. its a pathetic release with poor QA job. If you are in NGFW mode in 5.6 then you are more affected as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.
Regards
Sebastan
sebastan_bach wrote:Don't use 5.6 at all. its a pathetic release with poor QA job. If you are in NGFW mode in 5.6 then you are more affected as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.
Hi,
actually I don't know what you guys have configured... 5.6.3 has some minor troubles here and there, but ssl inspection are doing their job (knowing that from quite some amount of boxes for a lot of customers...)
For NGFW firewall mode:
- Before using that, please get into the concepts first. NGFW mode is intended to MAINLY USE DEEP INSPECTION!
- If you complain, there is only one profile to select - think about why! The firewall needs to re-evaluate sessions after an application detection has happened. therefore it just cannot switch ssl profiles all the time, while processing traffic.
- If you are not fine with that - then NGFW mode might not fit your requirements - or your concept of using seems to go wrong.
And somehow offtopic - Providing some details on the running configuration and the troubles you run into, will help you to receive some support from others here.
Br,Roman
sebastan_bach wrote:Don't use 5.6 at all. its a pathetic release with poor QA job. If you are in NGFW mode in 5.6 then you are more affected as there can be only a single SSL inspection profile and that will be applied to all the firewall rules, so how great is that.
Regards
Sebastan
Do you have 'multiple security profiles' turned on under 'system->feature visibility->advanced features'? I have and create multiple ssl inspection profiles.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.