FortiOS 5.2: should we wait or should we go?
Questions to those who have been brave enough to upgrade their units to FortiOS v5.2.0:
How did it handle complex configurations in the course of the upgrade (I mean "in-place upgrade")?
Are there any pitfalls to watch for?
Does v5.2 work stably?
Is there anything to lose in the jump to v5.2?
Are you still on v5.2, or did you have to go back to v5.0 for one reason or another?
What are your overall experiences so far?
We have a pure FortiOS v5.0.7 in our environment. It generally works fine but our main headache is the new FortiAPs supporting 802.11ac - they are practically unusable on v5.0.7 (we do not want to go with an "interim" FortiOS build as it raises a whole bunch of other questions).
Thank you all for any feedback,
VA
1 Solution
By default the SSL profile is "certificate-inspection". In this mode the FortiGate is basically just reading the DNS name from the certificate during the SSL handshake.
Question... Has anyone really had any issues with SSL connections while using "certificate-inspection"?
I haven't had an issue and I like the fact that "certificate-inspection" is on by default. Other firewall companies are doing the same thing.
"in 5.2 when you edit an existing security policy or create a new one SSL inspection will be enabled and you can't disable it"
Ghorchem is right. You can specify all sorts of exceptions and exemptions but you cannot completely disable SSL inspection. If a security profile is enabled in a firewall policy, SSL inspection is ON and greyed out; you cannot change its status to OFF.
The same here, not a problem with editing an existing policy.
PCNSE
NSE
StrongSwan
I upgraded from V5.0 build 4459 on a 60D. I found this in the What's New for FortiOS 5.2.0 guide.
SSL Inspection
There have been several changes to how SSL Inspection is handled on a FortiGate unit.
Automatic Inspection When Security Profiles are Used
If any security profile is used in a security policy, SSL inspection will automatically be enabled, at which point an SSL mode must be selected (see below for more details).
HTTPS Scanning Without Deep Inspection
The following changes have been made in order to allow HTTPS traffic to be scanned without enabling deep inspection:
• There are now two modes for SSL inspection: certificate inspection (certificate-inspection in the CLI), which only inspects the SSL handshake, and deep inspection (deep-inspection in the CLI), which enables full deep inspection of SSL traffic (this was previously the default mode for SSL inspection).
• The CLI command https-url-scan has been removed.
• deep-inspection-options has been renamed ssl-ssh-profile.
• The SSL inspect-all option and the https status option now have three states: disable, certificate-inspection, and deep-inspection. The status options for the other protocols now use deep-inspection instead of enabled.
When a new policy or profile group is created, the SSL inspection profile certificate-inspection is automatically added.
SSL/Deep Inspection Exemptions
The options for configuring exemptions to SSL/Deep Inspection are now configured as part of the deep inspection options, rather than FortiGuard web filtering. Exemptions can be added to SSL inspection by going to Policy & Objects > Policy > SSL Inspection or through the CLI.
Certain applications, such as iTunes and Dropbox, require a specific certificate to be used, rather than using the system's certificate store. Because of this, the default deep inspection profile, deep-inspection, has exemptions configured for these applications by default in FortiOS 5.2.
Syntax
config firewall ssl-ssh-profile
    edit <name>
        config ssl-exempt
            edit <id>
                set type {fortiguard-category | address | address6}
                set category <id>
                set address <string>
            end
        end
    end
end
No, he's not 100% correct & he wasn't 100% clear.
fwiw: Here's a TIP if you don't want SSL inspection screwing anything up, just create an SSL inspection with nothing enabled.
Also take a look at profile-protocol-options.
config firewall ssl-ssh-profile
    edit "noinspection1"
        config https
            set ports 443
            set status disable
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
    next
end
and you can re-edit the fwpolicy via the GUI or CLI and change the policy to one of the other inspection profiles at a later date if you need inspection
TESTFW01 (10) # show
config firewall policy
    edit 1089
        set uuid 7603f088-fce9-51e3-167d-df80cb5c7757
        set srcintf "wifi"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "skype_ports"
        set utm-status enable
        set logtraffic disable
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper "guarantee-100kbps"
        set nat enable
    next
end
TESTFW01 (10) # set ssl-ssh-profile
<string> please input string value
certificate-inspection ssl-ssh-profile
deep-inspection ssl-ssh-profile
default ssl-ssh-profile
noinspection ssl-ssh-profile
noinspection1 ssl-ssh-profile
TESTFW01 (10) # set ssl-ssh-profile noinspection1
TESTFW01 (10) # end
and we can change the profile-prot-opts
config firewall profile-protocol-options
    edit "noinspection"
        config http
            set ports 80
            set status disable
            set options no-content-summary
            unset post-lang
        end
        config ftp
            set ports 21
            set status disable
            set options no-content-summary splice
        end
        config imap
            set ports 143
            set status disable
            set options fragmail no-content-summary
        end
        config mapi
            set ports 135
            set status disable
            set options fragmail no-content-summary
        end
        config pop3
            set ports 110
            set status disable
            set options fragmail no-content-summary
        end
        config smtp
            set ports 25
            set status disable
            set options fragmail no-content-summary splice
        end
        config nntp
            set ports 119
            set status disable
            set options no-content-summary splice
        end
        config dns
            set ports 53
            set status disable
        end
    next
end
and then you apply this to the firewall policy(ies)
config firewall policy
    edit 1089
        set profile-protocol-options "noinspection"
    end
PCNSE
NSE
StrongSwan
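As an added example (not code from the thread or from Fortinet), this Python script parses the config/edit/set/next/end syntax used in the posts above and reports, for every policy with utm-status enable, which SSL inspection mode its ssl-ssh-profile actually delivers, so a config review can spot policies that look inspected but reference an all-disabled profile such as noinspection1. The sample config is constructed; the contents of the "certificate-inspection" profile are assumed.

```python
import shlex

# Constructed sample in the thread's CLI syntax: "noinspection1" from the post above, an
# assumed "certificate-inspection" profile, and a UTM-enabled policy bound to the former.
SAMPLE = """config firewall ssl-ssh-profile
  edit "noinspection1"
    config https
      set status disable
    end
  next
  edit "certificate-inspection"
    config https
      set status certificate-inspection
    end
  next
end
config firewall policy
  edit 1089
    set utm-status enable
    set ssl-ssh-profile "noinspection1"
  next
end"""

def parse_fortios(text):
    # config/edit open a nested table, next/end close one, set stores its value list.
    root = cur = {}
    stack = []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
    return root

def effective_ssl_mode(profile):
    # Strongest 5.2 three-state status across the SSL protocols; a missing status counts as disable.
    states = {profile.get(p, {}).get("status", ["disable"])[0] for p in ("https", "ftps", "imaps", "pop3s", "smtps")}
    return next((m for m in ("deep-inspection", "certificate-inspection") if m in states), "disable")

def audit_policies(cfg):
    # Pair each UTM-enabled policy with the mode its ssl-ssh-profile really delivers.
    profiles = cfg.get("firewall ssl-ssh-profile", {})
    report = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("utm-status", ["disable"])[0] == "enable":
            name = pol.get("ssl-ssh-profile", [""])[0]
            report[pid] = (name, effective_ssl_mode(profiles[name]) if name in profiles else "unknown")
    return report
```

Run it against a `show full-configuration` dump instead of SAMPLE to list every policy whose inspection is effectively off.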
"if you don't want SSL inspection screwing anything up, just create an SSL inspection with nothing enabled"
That's the whole point! You can't "click a button" to turn SSL inspection OFF like you do with other UTM features. But you may create a custom SSL profile with everything disabled, which effectively turns SSL inspection off. So you both (emnoc and gnorchem) are right. Although you do not need to wait for this single "SSL ON/OFF button" to make Novell Groupwise work on 5.2.
Man, you are really making this harder than what it is. Just click the button in the oval in the screenshot, edit the profile and then disable SSL inspection if not required.
If you enable application control, then the SSL inspection tab is greyed out. Not very hard or too much extra work or difficult, or at least I don't think so.
If you don't want SSL inspection messing anything up, define the default with all items disabled or create a noinspection profile (like mentioned above) and apply the same logic. Once again, a minor inconvenience, but really not too difficult or impacting.
Remember you need application control enabled for FortiView to identify applications.
PCNSE
NSE
StrongSwan
I did the upgrade on both of my production clusters (200Ds) in both sites. Crazy you say? Perhaps.
I was in the "pick a bug" category of deciding what was most important. The devices have been essentially stable since the upgrade. The notes above on SSL inspection are important and that did bite me early on. One thing that is completely broken is generic IPsec connections from client devices (old Cisco clients, iOS devices). I had a tunnel config for that in place from pre-upgrade and it failed to work; I tried the wizard and that blew up the entire cluster. I tried to create it manually and things still wouldn't connect.
Wireless (I'm using 221Cs) is significantly more stable than it was under the "feature release" for 5.0.7, so that is good. It has not, however, fixed my main bug with IPsec tunnel performance (I'll put that in a different thread). Memory usage is riding right at 80%; I expect that to improve a bit with 5.2.x.
So... is it safe? Yes. Is it perfect? Nope, same bag of tricks as previous releases.
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
I was disappointed to see that the ability to make DHCP reservations was removed from the WebUI in 5.2.0. In 5.0.x, it was simple to turn a bunch of leases into reservations, but I just had to do this all through the CLI, where it is much easier to make a typo in a MAC address.
You can always print the lease list and copy/paste:
exec dhcp lease-list
