VicAndr
New Contributor III

FortiOS 5.2: should we wait or should we go?

Questions to those who had been brave enough to upgrade their units to FortiOS v5.2.0: How did it handle complex configurations in the course of upgrade (I mean "in-place upgrade")? Are there any pitfalls to watch for? Is v5.2 stable? Is there anything to lose in the jump to v5.2? Are you still on v5.2 or did you have to go back to v5.0 for one reason or another? What are your overall experiences so far?

We have a pure FortiOS v5.0.7 in our environment. It generally works fine but our main headache is new FortiAPs supporting 802.11ac - they are practically unusable on v5.0.7 (we do not want to go with an "interim" FortiOS build as it raises a whole bunch of other questions).

Thank you all for any feedback,
VA
1 Solution
ejhardin
Contributor

By default the SSL profile is "certificate-inspection". In this mode the FortiGate is basically just reading the DNS name from the certificate during the SSL handshake. Question... Has anyone really had any issues with SSL connections while using "certificate-inspection"? I haven't had an issue and I like the fact that "certificate-inspection" is on by default. Other firewall companies are doing the same thing.

VicAndr
New Contributor III

in 5.2 when you edit an existing security policy or create a new one SSL inspection will be enabled and you can't disable it
Ghorchem is right. You can specify all sorts of exceptions and exemptions but you cannot completely disable SSL inspection. If a security profile is enabled in a firewall policy - SSL inspection is ON and greyed out - you cannot change its status to OFF.
emnoc
Esteemed Contributor III

The same here, not a problem with editing an existing policy.

PCNSE NSE StrongSwan
ghorchem
New Contributor III

I upgraded from V5.0 build 4459 on a 60D. I found this in the What's New for FortiOS 5.2.0 guide.

SSL Inspection

There have been several changes to how SSL Inspection is handled on a FortiGate unit.

Automatic Inspection When Security Profiles are Used

If any security profile is used in a security policy, SSL inspection will automatically be enabled, at which point an SSL mode must be selected (see below for more details).

HTTPS Scanning Without Deep Inspection

The following changes have been made in order to allow HTTPS traffic to be scanned without enabling deep inspection:
• There are now two modes for SSL inspection: certificate inspection (certificate-inspection in the CLI), which only inspects the SSL handshake, and deep inspection (deep-inspection in the CLI), which enables full deep inspection of SSL traffic (this was previously the default mode for SSL inspection).
• The CLI command https-url-scan has been removed.
• deep-inspection-options has been renamed ssl-ssh-profile.
• The SSL inspect-all option and the https status option now have three states: disable, certificate-inspection, and deep-inspection. The status option for the other protocols now uses deep-inspection instead of enabled.

When a new policy or profile group is created, the SSL inspection profile certificate-inspection is automatically added.

SSL/Deep Inspection Exemptions

The options for configuring exemptions to SSL/Deep Inspection are now configured as part of the deep inspection options, rather than FortiGuard web filtering. Exemptions can be added to SSL inspection by going to Policy & Objects > Policy > SSL Inspection or through the CLI. Certain applications, such as iTunes and Dropbox, require a specific certificate to be used, rather than using the system's certificate store. Because of this, the default deep inspection profile, deep-inspection, has exemptions configured for these applications by default in FortiOS 5.2.

Syntax

    config firewall ssl-ssh-profile
        edit <name>
            config ssl-exempt
                edit <id>
                    set type {fortiguard-category | address | address6}
                    set category <id>
                    set address <string>
                end
            end
        end
    end
emnoc
Esteemed Contributor III

No, he's not 100% correct & he wasn't 100% clear, fwiw.

Here's a TIP: if you don't want SSL inspection screwing anything up, just create a SSL inspection with nothing enabled. Also take a look at profile-protocol-options also.

    config firewall ssl-ssh-profile
        edit "noinspection1"
            config https
                set ports 443
                set status disable
            end
            config ftps
                set ports 990
                set status disable
            end
            config imaps
                set ports 993
                set status disable
            end
            config pop3s
                set ports 995
                set status disable
            end
            config smtps
                set ports 465
                set status disable
            end
        next
    end

and you can re-edit the fwpolicy via the gui or cli and change the policy to one of the other inspection as required at a later date if you need inspection

    TESTFW01 (10) # show
    config firewall policy
        edit 1089
            set uuid 7603f088-fce9-51e3-167d-df80cb5c7757
            set srcintf "wifi"
            set dstintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "skype_ports"
            set utm-status enable
            set logtraffic disable
            set profile-protocol-options "default"
            set ssl-ssh-profile "certificate-inspection"
            set traffic-shaper "guarantee-100kbps"
            set nat enable
        next
    end
    TESTFW01 (10) # set ssl-ssh-profile
    <string>    please input string value
    certificate-inspection    ssl-ssh-profile
    deep-inspection    ssl-ssh-profile
    default    ssl-ssh-profile
    noinspection    ssl-ssh-profile
    noinspection1    ssl-ssh-profile
    TESTFW01 (10) # set ssl-ssh-profile noinspection1
    TESTFW01 (10) # end

and we can change the profile-prot-opts

    config firewall profile-protocol-options
        edit "noinspection"
            config http
                set ports 80
                set status disable
                set options no-content-summary
                unset post-lang
            end
            config ftp
                set ports 21
                set status disable
                set options no-content-summary splice
            end
            config imap
                set ports 143
                set status disable
                set options fragmail no-content-summary
            end
            config mapi
                set ports 135
                set status disable
                set options fragmail no-content-summary
            end
            config pop3
                set ports 110
                set status disable
                set options fragmail no-content-summary
            end
            config smtp
                set ports 25
                set status disable
                set options fragmail no-content-summary splice
            end
            config nntp
                set ports 119
                set status disable
                set options no-content-summary splice
            end
            config dns
                set ports 53
                set status disable
            end
        next
    end

and then you apply this to the firewall policy(ies)

    config firewall policy
        edit 1089
            set profile-protocol-options "noinspection"
    end

PCNSE NSE StrongSwan
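
An added example, not part of the thread or any poster's code: a small Python audit that parses FortiOS-style config/edit/set text and reports which SSL inspection mode each policy's ssl-ssh-profile resolves to, so a "nothing enabled" profile like the one above is easy to spot in review. The sample config is constructed, policy 1090 is hypothetical, and only protocol sections present in the parsed text are evaluated (FortiOS defaults are not modelled).

```python
SAMPLE = """\
config firewall ssl-ssh-profile
    edit "noinspection1"
        config https
            set status disable
        end
    next
    edit "certificate-inspection"
        config https
            set status certificate-inspection
        end
    next
end
config firewall policy
    edit 1089
        set ssl-ssh-profile "noinspection1"
    next
    edit 1090
        set ssl-ssh-profile "certificate-inspection"
    end
"""  # constructed sample in the thread's CLI style; policy 1090 is made up

def parse(text):
    """Parse config/edit/set/next/end lines into nested dicts."""
    stack = [("config", {})]
    for line in text.splitlines():
        tok = line.split(None, 2)
        if len(tok) > 1 and tok[0] in ("config", "edit"):
            name = line.split(None, 1)[1].strip().strip('"')
            stack.append((tok[0], stack[-1][1].setdefault(name, {})))
        elif len(tok) == 3 and tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2].strip().strip('"')
        elif tok and tok[0] in ("next", "end"):
            # "end" typed inside an edit closes the edit and its table
            depth = 2 if tok[0] == "end" and stack[-1][0] == "edit" else 1
            del stack[max(1, len(stack) - depth):]
    return stack[0][1]

def mode(profile):
    """Strongest status among sections present; defaults are not modelled."""
    seen = {s.get("status") for s in profile.values() if isinstance(s, dict)}
    hit = [m for m in ("deep-inspection", "certificate-inspection") if m in seen]
    return hit[0] if hit else ("disable" if seen == {"disable"} else "unknown")

def audit(text):
    """Map each policy id that names an ssl-ssh-profile to (profile, mode)."""
    cfg = parse(text)
    profs = cfg.get("firewall ssl-ssh-profile", {})
    return {i: (p["ssl-ssh-profile"], mode(profs.get(p["ssl-ssh-profile"], {})))
            for i, p in cfg.get("firewall policy", {}).items() if "ssl-ssh-profile" in p}
```

Calling audit(SAMPLE) maps policy 1089 to "disable" and policy 1090 to "certificate-inspection"; a profile that is not defined in the parsed text comes back as "unknown".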
VicAndr
New Contributor III

if you don't want SSL inspection screwing anything up, just create a SSL inspection with nothing enabled
That's the whole point! You can't "click a button" to turn SSL inspection OFF like you do with other UTM features. But you may create a custom SSL profile with everything disabled which effectively turns SSL inspection off. So you both (emnoc and ghorchem) are right. Although you do not need to wait for this single "SSL ON/OFF button" to make Novell Groupwise work on 5.2.
emnoc
Esteemed Contributor III

Man, you are really making this harder than what it is. Just click the button in the oval screenshot, edit the profile and then disable SSL inspection if not required. If you enable application control, then the SSL inspection tab is greyed out. Not very hard or too much extra work or difficult, or at least I don't think so. If you don't want SSL inspection messing anything up, define the default with all items disabled or create a noinspection profile (like mentioned above) and apply the same logic. Once again a minor convenience, but really too much difficult or impacting. Remember you need application controls enabled for FortiView to identify applications.

PCNSE NSE StrongSwan
rwdorman
New Contributor III

I did the upgrade on both of my production clusters (200Ds) in both sites. Crazy you say? Perhaps. I was in the "pick a bug" category of deciding what was most important. The devices have been essentially stable since the upgrade. The notes above on SSL inspection are important and that did bite me early on. One thing that is completely broken is generic IPsec connections from client devices (old Cisco clients, iOS devices). I had a tunnel config for that in place from pre-upgrade and it failed to work, I tried the wizard and that blew up the entire cluster. I tried to create it manually and things still wouldn't connect. Wireless (I'm using 221Cs) is significantly more stable than it was under the "feature release" for 5.0.7 so that is good. It has not, however, fixed my main bug with IPsec tunnel performance (I'll put that in a different thread). Memory usage is riding right at 80%, I expect that to improve a bit with 5.2.x. So... is it safe? Yes. Is it perfect? Nope, same bag of tricks as previous releases.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
srappaport
New Contributor

I was disappointed to see that the ability to make DHCP reservations was removed from the WebUI in 5.2.0. In 5.0.x, it was simple to turn a bunch of leases into reservations, but I just had to do this all through CLI, where it is much easier to make a typo on a MAC address.
gatorHeel

You can always print the lease list and copy/paste: exec dhcp lease-list