Found a massive limitation in 5.6 NGFW mode: You can only configure SSL Interception profile globally in Settings.
If you got (closed) devices that doesn't allow to add trusted root certificate you can't force them to use a different (SSL Cert Inspection only) profile.
In policy mode: From: Closed device, To: Any, Serv: HTTPS, Allow, SSL: Cert-Inspection.
Enhancement request: Add a "From" exception in the SSL/SSH Profile? (As this would probably be the easiest place to implement).
But I think in policy it's not the best way to do that because you can have multiple policy from the same source to the same destination, but with a different application control associated.
IMHO the best way is in central nat policy. These policy are not associated to a application/web category, so you are sure you can't have multple match.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.