Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

SSL Rollout for DPI in Educational Campus

Hi All, 

I'm testing to deploy DPI in our Firewall to extend our security level between our students/staff and guests. I know, I can deploy the Cert manually / using GPO or using JamF Pro for macBook Devices. 


However, a scenario will come where certain users are not getting the certificate in order to be downloaded and installed in their devices. Therefor, any internet connection won't work. 


I'm just thinking load in here to have a redirection / a landing page which hosts the certificate with few instruction to guide the users on how to obtain the cert and download it on their devices. 


Appreciate your idea / thoughts about how this can be implemented / already achieved. 





You can use an external web page using http only, the page will not be blocked by DPI.

I don't know if there is a way to use a portal or redirect the users automatically, most probably you have to instruct the end user to manually open that site. If you are using Captive portal you can configure that URL to redirect the user after login.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
New Contributor II


Thanks for your email. I have managed to deploy the solution with a minimal user interference and that was my intention. 


I have made a redirection page which contains all the download URLs, including the instruction for each platform. When users connected, will be redirected to a landing page.


The only challenge I have faced is Apple/iOS/iPAD devices. However, luckily we have a JAMF solution which manages our Apple devices. Using the Enrolment procedure to push a package that includes the CA certificate, is able to get the certificate profile installed, then Enable the certificate in the Apps/VPN section. 


The security measures in place of using DPI, but off-course you have to keep in mind the devices which need to be 


connected without inspections, APs, Phones, SBCs, etc etc... 


An access policy is in place for those devices and a restricted policy with DPI below as last policy for all http/https. 


FW Policy.JPG


Is there anything that I need to include / a recommendation of achieving this task in a better way?







Yes, that's exactly What I have done as a landing page and instructions on how to download and install the cert based on the devices categories.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors