Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ItsGeisterWolf
New Contributor

SSL inspection required for IPS Signature to analyze unencrypted traffic?

Im trying to configure an IPS Profile to block a Signatunre on whicht we can see under Protocols just unencrypted Protocols such as ftp, http, stmp, etc. 

Since those arent encrypted im assuming that we do not need ssl inspection at all.

Is this correct or did i miss something here?

Thanks in advanced. 

 

 

1 Solution
fricci_FTNT
Staff
Staff

Hi @ItsGeisterWolf ,

 

Unencrypted/clear traffic like HTTP/SMTP/FTP does not use any certificate, so it does not require SSL certificate-Inspection (or Deep-inspection). In our-days more than 85% of traffic on the Internet is encrypted so IPS would miss to inspect quite a lot of content.

You may find the following links useful:
https://community.fortinet.com/t5/Support-Forum/Is-SSL-inspection-required-for-Intrusion-Prevention-...
https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...
https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/583477/configuring-an-ips-se...


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

View solution in original post

4 REPLIES 4
baghe61
New Contributor

Probably based on IP origin and certificate info as that is presented in the clear with TLS 1.2. Once TLS 1.3 is required, certficate will be encrypted so URL and other info will no longer be available. Only the IP origin/destination will be available.

https://19216801.onl/ https://routerlogin.uno/
fricci_FTNT
Staff
Staff

Hi @ItsGeisterWolf ,

 

Unencrypted/clear traffic like HTTP/SMTP/FTP does not use any certificate, so it does not require SSL certificate-Inspection (or Deep-inspection). In our-days more than 85% of traffic on the Internet is encrypted so IPS would miss to inspect quite a lot of content.

You may find the following links useful:
https://community.fortinet.com/t5/Support-Forum/Is-SSL-inspection-required-for-Intrusion-Prevention-...
https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...
https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/583477/configuring-an-ips-se...


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
ItsGeisterWolf

Hi @fricci_FTNT , 
Thanks for your information and provided Links for proper documentation. 

Most of them i've already seen.
I guess the best would be to activate the ips sensor together with a SSL Inpection profile, just in case.
Best regards, 

 

fricci_FTNT
Staff
Staff

Hi @ItsGeisterWolf ,

 

You are more than welcome and thanks for accepting my answer as solution.
It would be better to activate the IPS sensor with a SSL inspection profile, indeed. Please bear in mind that to inspect encrypted payload traffic you would need Deep-Inspection. With certificate inspection FortiGate would be unable to decrypt and then analyse the payload content.
My further advice would be implementing the IPS sensors initially in monitoring mode and check the behaviour, just to see if you have any false positive. Then please also be wise in adding/using IPS signatures to save CPU/memory resources, i.e. if you are protecting a Linux server, you would not need to implement Windows server related IPS signatures, or if you are protecting clients related traffic, you would not need server related IPS signatures in that specific profile.
Please find some best practices at the link below:
https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/871604

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Top Kudoed Authors