JimBo
New Contributor II

Is this rule providing ANY value - SSL Inspection & Authentication rule

Hi guys,

As you can probably tell, I'm new here :)

We are running Fortigate firewall OS 6.4.10 - all is good!

Trying to get a handle on what this SSL policy rule is doing... if anything at all. Some basic understanding would be greatly appreciated.

Thank you

From the GUI under Policy & Objects > SSL Inspection & Authentication > Edit Policy:

  Incoming Interface: LAN users
  Outgoing Interface: WAN
  Source: LAN users
  Destination: All

  Security Profile:
    SSL Inspection: no-inspection
  Policy enabled

From the GUI under Security Profiles > SSL/SSH Inspection > Edit SSL/SSH Inspection Profile:

  Name: no-inspection

  SSL Inspection Options:
    Enable SSL inspection of: Multiple Clients Connecting to Multiple Servers Protecting SSL Server
    Inspection method: Full SSL Inspection
    CA Certificate: Fortinet_CA_SSL
    Blocked certificates: Block
    Untrusted SSL certificates: Allow
    Server certificate SNI check: Enable

  Common Options:
    Invalid SSL certificates: Custom
    Expired certificates: Block
    Revoked certificates: Block
    Validation timed-out certificates: Keep Untrusted & Allow
    Validation failed certificates: Block
    Log SSL anomalies: Enabled

 

Thank you, and if there are additional details needed, PLEASE ask.

Thank You JimBo
3 Replies
pavankr5
Staff

The SSL policy rule you described is not providing any value for SSL inspection because the "SSL Inspection" option is set to "no-inspection" in the associated security profile. This means that SSL traffic matching this rule will not undergo SSL inspection.
Please check this article on why you should use SSL inspection:
https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/605938/why-you-should-use-ssl-inspection

Thanks,

Pavan

JimBo
New Contributor II

Hi Pavan,

Thank you for your assistance here, much appreciated. I set up a test-lab Fortigate 40F to replicate our prod environment and experiment with changes based on the URL you provided. In the initial run with deep inspection, Chrome and Bing both block this site (..... and others) as we are missing the Fortigate root certificate. You got me pointed in the right direction!! Thank you.

Thank You JimBo
JimBo
New Contributor II

Adding a FortiGate 40F GUI screenshot to show the details.

We started with SSL no-inspection but have now switched to SSL certificate-inspection, which appears to be a bit better than no-inspection.

When we tried to use SSL deep-inspection, most web pages were blocked by Chrome and Bing due to the Fortigate 'root' cert not being installed in our browsers yet.

Thanks again for your assistance!

[Screenshot: Fortigate SSL Inspection and Authentication with Cert Inspection.png]

Thank You JimBo
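The browser errors described in this thread are the visible side effect of deep inspection: the FortiGate terminates the TLS session and re-signs the server certificate with the CA selected in the profile (Fortinet_CA_SSL), so any client that does not trust that CA rejects the page, while certificate-inspection and no-inspection leave the server's own certificate chain untouched. The script below is an added example, not code from the thread or from Fortinet, for checking from a client which case applies: it fetches the leaf certificate even when the chain is untrusted and looks at who issued it. It assumes the stock Fortinet_CA_SSL issuer carries O=Fortinet and CN=FortiGate CA (a FortiGate with a custom re-signing CA needs its own markers), and the sample certificate it builds is constructed for offline use, not a real certificate.

```python
"""Added example (not from the thread or Fortinet): does a client's TLS session
reach the server directly, or is a FortiGate re-signing it (deep inspection)?
Stdlib only; the issuer is read from the raw DER so it works when the FortiGate
CA is not trusted locally, which is exactly the 'browser blocks the page' case."""
import socket
import ssl

# Assumption: the stock Fortinet_CA_SSL re-signing CA carries O=Fortinet and
# CN=FortiGate CA. A deployment that uploaded its own CA needs its own markers.
INTERCEPT_MARKERS = {"2.5.4.10": "Fortinet", "2.5.4.3": "FortiGate CA"}
OID_O = bytes([0x55, 0x04, 0x0A])   # 2.5.4.10 organizationName
OID_CN = bytes([0x55, 0x04, 0x03])  # 2.5.4.3  commonName


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _decode_oid(raw):
    """DER OID content bytes to dotted form, e.g. 55 04 03 -> '2.5.4.3'."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def parse_name(buf, start, end):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE {OID, value}; return {oid: text}."""
    fields = {}
    for _, set_s, set_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, set_s, set_e):
            oid_tlv, val_tlv = list(_children(buf, atv_s, atv_e))[:2]
            oid = _decode_oid(buf[oid_tlv[1]:oid_tlv[2]])
            fields[oid] = buf[val_tlv[1]:val_tlv[2]].decode("utf-8", "replace")
    return fields


def issuer_of(der):
    """Return the issuer Name of a DER X.509 certificate as {oid: text}."""
    _, cert_s, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)     # tbsCertificate ::= SEQUENCE
    elems = list(_children(der, tbs_s, tbs_e))
    if elems[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        elems = elems[1:]
    _, iss_s, iss_e = elems[2]              # serialNumber, signature, issuer, ...
    return parse_name(der, iss_s, iss_e)


def classify(issuer):
    """'deep-inspection' if the leaf was re-signed by the FortiGate CA, else 'passthrough'."""
    if any(issuer.get(oid) == val for oid, val in INTERCEPT_MARKERS.items()):
        return "deep-inspection"
    return "passthrough"  # certificate-inspection and no-inspection look the same to the client


def probe(host, port=443, timeout=5):
    """Live check (needs network): (trusted_by_local_store, classification, issuer)."""
    trusted = True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError:
        trusted = False                     # the same failure the browsers reported
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE         # still fetch the leaf when the chain is untrusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            issuer = issuer_of(tls.getpeercert(binary_form=True))
    return trusted, classify(issuer), issuer


def _der(tag, payload):
    """Tiny DER encoder, only for the constructed sample below (lengths < 256)."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload


def _name(attrs):
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, txt.encode()))) for oid, txt in attrs))


def sample_cert(issuer_attrs):
    """Constructed, NOT a real certificate: just the tbsCertificate fields issuer_of() walks."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")        # version v3, serial
           + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
           + _name(issuer_attrs) + _der(0x30, b"") + _name([(OID_CN, "www.example.com")]))
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else
          classify(issuer_of(sample_cert([(OID_O, "Fortinet"), (OID_CN, "FortiGate CA")]))))
```

Saved as, say, sslcheck.py (a hypothetical file name) and run from a LAN client as `python3 sslcheck.py www.example.com`, it returns `(False, 'deep-inspection', {...})` while the policy uses deep-inspection and the Fortinet CA has not been installed on the client, which is the state the 40F lab was in; with certificate-inspection or no-inspection it returns `(True, 'passthrough', ...)` with the site's real issuer. Note the caveat in `classify`: certificate-inspection and no-inspection cannot be told apart from the client, because neither alters the certificate chain; the difference only shows up in what the FortiGate can log and filter on (SNI and server certificate fields) for the policy whose `set ssl-ssh-profile` under `config firewall policy` selects that profile.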