
FortiGate Content Filtering - SSL Inspection

Hi All, we're rolling out FortiGates at my work and we're at the pointy end of the configuration.

We have about 9 sites that will be set up with mostly HA setups, with some running single devices.

Our environment has been set up with SSL/SSH inspection but I'm seeing some issues around this with the certificates/CA. So questions are:

Should we be using SSL/SSH inspection, and which mode is recommended (certificate or full inspection), or am I on the wrong path with what SSL inspection is doing?

If we are to use this, how best do we deploy the correct certificates to our endpoints to prevent the warnings in their browsers? Is it possible to get a cert that we load on each FGT and then deploy via our CA?

SSL Deep Inspection is certainly pointy. It can cause a lot of issues so be careful and understand exactly what your requirements are and understand the legal aspects if you are using it on general web browsing including banking and other sites.


Best practice would be to only inspect traffic to untrusted/unknown sites.


And as you've already noted, you have to solve for the trusted certificate issue. The best way to do this is to use your internal PKI (endpoints will trust your root already) and create an intermediate signing CA certificate that gets imported into the FortiGate.


Or, it could be that you realize you don't actually need deep inspection and certificate inspection will work well enough for you.


Cert inspection will just look at the domain name of the destination site. It cannot see the URL or any data that is passed. Most of the time this is good enough for web filtering (but not URL filtering) and app control (but not all app control signatures). It's also good enough for IPS but again won't catch all IPS.


I think you should take a step back, really understand what it is you're trying to accomplish, and then deploy what you need.


Also deep inspection is only going to work for your corporate-managed endpoints. Anything else will always get a certificate error.
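
The intermediate-CA approach from the reply above, as an added example that is not part of the original thread: it builds a throwaway root (standing in for the internal PKI root), issues a path-length-constrained subordinate signing CA of the kind that would be imported into the FortiGate, and checks that a certificate signed by it validates for an endpoint that trusts only the root. All names, lifetimes and file paths are constructed assumptions.

```shell
#!/usr/bin/env bash
# Constructed lab example: all names, lifetimes and file paths are assumptions.
# A throwaway root stands in for the internal root CA your endpoints already trust.
set -eu
WORK="${WORK:-$(mktemp -d)}"

cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[subca_ext]
# pathlen:0 lets this CA sign leaf certificates but no further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

new_csr() {  # new_csr <name> <CN>: fresh key plus signing request
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
sign() {     # sign <name> <issuer> <extension section>
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}
build_chain() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions root_ext -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  new_csr subca "Example Inspection Signing CA"; sign subca root subca_ext
  # Stand-in for a server certificate re-signed during deep inspection
  new_csr leaf "www.example.test"; sign leaf subca leaf_ext
}
is_signing_ca() {  # the certificate imported on the firewall must be a CA
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}
verify_leaf() {    # what an endpoint that trusts only the root sees
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/subca.crt" "$WORK/leaf.crt"
}

build_chain
is_signing_ca "$WORK/subca.crt" && verify_leaf
```

In production the root key stays inside the PKI and signs only the subordinate CA's request.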

