Hi,
I am new to Fortigate. I have a 30E that I have been working on. I upgraded it to the latest 6.0.3 Firmware level.
I am trying to ascertain if using SSL Deep Inspection is a better option than the default without putting too high of a strain on the unit. It might be better for Anti-Spam as I have an internal e-mail server. I am not sure how good the Anti-spam is working yet as I am using the default SSL Inspection and did tie it to my firewall policies.
For the Certificate I am just using the internally self-signed certificate and don't plan on getting one from a public CA and paying for it. I can use Group Policy to distribute it to my machines. I do have an internal CA. I did do this when I was a Sophos house. Thanks in advance for any assistance you can grant me.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
I'd always go for deep inspection over certificate inspection where possible, better protection from encrypted traffic.
What resource usage do you have on your device at the moment? Conserve mode activates at 88% memory usage so bear that in mind when you enable it. Enabling deep inspection will increase resource usage.
Hi,
I'd always go for deep inspection over certificate inspection where possible, better protection from encrypted traffic.
What resource usage do you have on your device at the moment? Conserve mode activates at 88% memory usage so bear that in mind when you enable it. Enabling deep inspection will increase resource usage.
I have implemented the SSL Deep Scan and am glad I did. The unit is hovering around 70-72% RAM utilization so it hasn't been a big impact. It's about what it was before. CPU is very low and running fine.
I also have SSL Deep Scan on some of my incoming policies as I have an on-premise e-mail server.
What I have to figure out is that the certificate on the Fortigate has been deployed via Group Policy and I can see it but most browsers have issues with SSL-based traffic. Firefox requires its own installation of the certificate so it is the only browser truly working. I have a FSO/SSO connection to my AD Server on the Fortigate and I have created some groups with the AD Users but I don't think the Fortigate can sense who is logged into a system. My Firewall policies just have "All" and I don't think I have true user based web filtering working yet. Still though other browsers shouldn't have this many issues. Thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1099 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.