Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nemat
New Contributor II

Fortiweb deep inspection

Dears,

 

I have question about deep inspection feature in fortiweb, I'm not sure if it's the right term in fortiweb but I mean decrypt incoming secure traffic, inspect it and encrypt again to send it for mail server as our case.

 

my question is:

Is the deep inspection is the default behavior in Fortiweb when we are using HTTPS protocol? I mean just uploading the server certificate and applying it in server policy with using web protection profile is enough? or there is additional setup?

 

-We need fortiweb to inspect scure OWA traffic before [HTTPS traffic].

1 Solution
abelio
Valued Contributor

Hello Nemat

Speaking in Fortiweb words, there're two approaches to this: ssl offloading and ssl inspection.
Both enable the waf to inspect HTTPs traffic for viruses, etc.
Main difference is the place where you ends the ssl tunnel.
In ssl offloading, webserver certificate and key you must upload to fortiweb enable the traffic decryption and further analysis. The usual config is terminate SSL session in the Fortiweb and forward plain HTTP to protected backend webservers (reducing processing load in webs servers)

In SSL inspection, fortiweb it's not the ssl tunnel terminator, certificate and keys are both in the web servers and fortiweb,; traffic flows continuosly from client to servers, if this is not an attack, fortiweb allows it. However, Fortiweb decrypts a copy of the traffic in order to scan for viruses, malware or threats; it forwards the original, encrypted packets to webserver.

If you already configured your Server Policy, enabled HTTPS service, uploaded certificates, you have ssl offloading working; clicking in advanced ssl settings, you also could fine tune SSL aspects.

If you want configure ssl inspection in fortiweb terms, go to your defined server pools, and enable SSL to trigger inspection.


More and (better explained I guess) in:

https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/341240/offloading-vs-inspecti...

 

 

 

 

regards




/ Abel

View solution in original post

regards / Abel
2 REPLIES 2
abelio
Valued Contributor

Hello Nemat

Speaking in Fortiweb words, there're two approaches to this: ssl offloading and ssl inspection.
Both enable the waf to inspect HTTPs traffic for viruses, etc.
Main difference is the place where you ends the ssl tunnel.
In ssl offloading, webserver certificate and key you must upload to fortiweb enable the traffic decryption and further analysis. The usual config is terminate SSL session in the Fortiweb and forward plain HTTP to protected backend webservers (reducing processing load in webs servers)

In SSL inspection, fortiweb it's not the ssl tunnel terminator, certificate and keys are both in the web servers and fortiweb,; traffic flows continuosly from client to servers, if this is not an attack, fortiweb allows it. However, Fortiweb decrypts a copy of the traffic in order to scan for viruses, malware or threats; it forwards the original, encrypted packets to webserver.

If you already configured your Server Policy, enabled HTTPS service, uploaded certificates, you have ssl offloading working; clicking in advanced ssl settings, you also could fine tune SSL aspects.

If you want configure ssl inspection in fortiweb terms, go to your defined server pools, and enable SSL to trigger inspection.


More and (better explained I guess) in:

https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/341240/offloading-vs-inspecti...

 

 

 

 

regards




/ Abel

regards / Abel
kasisbook
New Contributor

Greetings,

We are on v7.2.4 but the following issue is since 6.4.X

We need to use some signatures in our application control security profiles. Those signatures will not be available unless you have deep packet inspection enabled on this firewall policy (Example: OneDrive_File.Upload, YouTube_HD.Streaming, YouTube.Downloader.YTD ... etc.)

When we enable deep packet inspection, OneDrive as an example with Office365 wouldn't work because you are replacing the certificate with Forti's for the deep packet inspection to work. At the end, you will have to exempt Office365 destinations from the deep packet inspection which will lead to you are not able to use those signatures that require Deep packet inspection!

Has anyone come across this issue before? and how did you resolve it?

10.0.0.0.1 192.168.1.254
Labels
Top Kudoed Authors