Nemat
New Contributor II

Fortiweb deep inspection

Dears,

I have a question about the deep inspection feature in FortiWeb. I'm not sure if it's the right term in FortiWeb, but I mean decrypting incoming secure traffic, inspecting it and encrypting it again to send it to the mail server, as in our case.

My question is:

Is deep inspection the default behavior in FortiWeb when we are using the HTTPS protocol? I mean, is just uploading the server certificate and applying it in the server policy with a web protection profile enough, or is there additional setup?

-We need FortiWeb to inspect secure OWA traffic before [HTTPS traffic].

1 Solution
abelio
Valued Contributor

Hello Nemat

Speaking in FortiWeb terms, there are two approaches to this: SSL offloading and SSL inspection.
Both enable the WAF to inspect HTTPS traffic for viruses, etc.
The main difference is the place where you end the SSL tunnel.
In SSL offloading, the web server certificate and key that you must upload to FortiWeb enable the traffic decryption and further analysis. The usual config is to terminate the SSL session in the FortiWeb and forward plain HTTP to the protected backend web servers (reducing processing load on the web servers).

In SSL inspection, FortiWeb is not the SSL tunnel terminator; the certificate and keys are on both the web servers and FortiWeb. Traffic flows continuously from client to servers; if it is not an attack, FortiWeb allows it. However, FortiWeb decrypts a copy of the traffic in order to scan for viruses, malware or threats; it forwards the original, encrypted packets to the web server.

If you already configured your Server Policy, enabled the HTTPS service and uploaded certificates, you have SSL offloading working; by clicking in the advanced SSL settings, you can also fine-tune SSL aspects.

If you want to configure SSL inspection in FortiWeb terms, go to your defined server pools and enable SSL to trigger inspection.


More and (better explained I guess) in:

https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/341240/offloading-vs-inspecti...

regards


__ Abel
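
Added example, not part of the original posts and not Fortinet code: decrypting a copy of the traffic with the server's key, as the reply describes for SSL inspection, is only possible when the TLS session uses static RSA key exchange; with ephemeral (EC)DHE or TLS 1.3 the private key alone does not yield the session keys. The script below classifies OpenSSL-style cipher suite names from a constructed list; the function names are hypothetical.

```python
# Added example: which cipher suites could a device that holds only the
# server's private key decrypt from a copy of the traffic?
# Suite names follow OpenSSL naming. SAMPLE_SUITES is constructed data.

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
NON_RSA_PREFIXES = ("ECDH-", "DH-", "ADH-", "AECDH-", "PSK-", "SRP-", "RSA-PSK-")


def key_exchange(suite: str) -> str:
    """Return 'ephemeral', 'static-rsa' or 'other' for an OpenSSL suite name."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        # TLS 1.3 suites always use an ephemeral (EC)DHE key exchange.
        return "ephemeral"
    if name.startswith(EPHEMERAL_PREFIXES):
        return "ephemeral"
    if name.startswith(NON_RSA_PREFIXES):
        # Static DH/ECDH, anonymous, PSK and SRP are out of scope here.
        return "other"
    # OpenSSL omits the key-exchange prefix for RSA key transport,
    # e.g. AES128-GCM-SHA256 or AES256-SHA.
    return "static-rsa"


def audit(suites):
    """Split suites into (readable, blind) for a copy-decrypting inspector."""
    readable = [s for s in suites if key_exchange(s) == "static-rsa"]
    blind = [s for s in suites if key_exchange(s) != "static-rsa"]
    return readable, blind


SAMPLE_SUITES = [  # constructed: suites a backend server might accept
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256",
    "AES128-GCM-SHA256",
    "AES256-SHA",
]

if __name__ == "__main__":
    readable, blind = audit(SAMPLE_SUITES)
    print("decryptable from a copy with the server key:", readable)
    print("not decryptable from a copy:", blind)
```

In the SSL offloading case the device terminates the TLS session itself, so this key-exchange limit does not apply there.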
