Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

SSL DPI analysis before implementing

When migrating from a non-DPI environment to DPI, what is some of the considerations that need to be addressed prior to cutover? I understand that there will always be one-off gotchas that will need to be fixed on the fly.

Here are a few things that I thought of....Any other ideas ?


Having proper network segmentation for IOT, phones, guest users, etc.
Use a small sample of test users before full production cutover
Research the effect of DPI on  cloud apps that have potential DPI issues - anyone know of a good source for this ?


Thanks, Don


@doncacciatoconsuting ,


As you rightly mentioned, it is always better to have proper segmentation of the network and have few test users from each of these networks for testing the DPI. Have all the possible test cases 

(URL's/Services to be accessed and bypassed) ready for testing. Make sure you install the Fortigate CA on all your Client machines so that you don't receive certificate warning while accessing services after enabling DPI. Have them tested against each of the Secuirty Profiles one by one instead of applying them all at one go. This way you build your test policy which can later moved to production by adding remaining users subnet by subnet.


Certain cloud applications ( ex: o365) and patch update URL's should be bypassed from SSL interception as some of the features maynot work as expected. 




In no particular order:

  • Destination exceptions (some apps/services are hardened and will refuse to communicate through MITM'd TLS channels)
  • Source exceptions (guest networks are typically unmanageable and thus you can't block without certificate warnings, IoT also tends to be hard to "onboard" to DPI, etc.)
  • Legal exceptions (some comms you just aren't allowed to eavesdrop on in some jurisdictions)
  • Endpoint management (how will you distribute your CA to clients?)
  • Performance impact (basic non-DPI flow-inspection can and will offload quickly, but once you start doing DPI everything has to touch the CPU and you will lose some of the benefits of NP offloading)

As far as the app exceptions go, the default "deep inspection" profile already comes with a nice list of exempted destinations, you can start with that.

[ corrections always welcome ]

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors