New Contributor

Testing SSL Deep Inspection

I'm enabling SSL deep inspection for the first time, and would like to test it on a single workstation before deploying.

I have created a new SSL inspection profile called "prod-deep-inspection" and downloaded the certificate for it. Before I install the certificate I want to test and make sure this workstation shows errors in the browser.


I've created an IPV4 policy under "data (internal1) -> SD-WAN":

  • Incoming interface: data (internal1)
  • Outgoing interface: sd-wan
  • Source: [address object with static IP of workstation]
  • Destination: all
  • Schedule: always
  • Service: all
  • Action: accept
  • NAT: enabled
  • Proxy options: enabled/default
  • SSL Inspection: enabled/prod-deep-inspection

But when I browse on the workstation I don't get any certificate errors, and the browser shows the website certificate.

Is there something wrong with my policy that's causing it to not produce errors on this workstation?

When I look at traffic logs, I can see that my policy, #24, is applying.
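One way to check from the workstation itself, as an added example that is not from this thread or from Fortinet: the script below uses the openssl CLI to fetch the certificate a site presents and reports whether it was resigned by the FortiGate's inspection CA or came straight from the origin server. It assumes the resigning CA's issuer string contains "Fortinet" (true of the default Fortinet_CA_SSL certificate; override MITM_CA_PATTERN for a custom CA) and that the host names passed on the command line are your own test targets.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: run on the test workstation to tell whether
# a site's TLS session is terminated by the FortiGate (deep inspection active)
# or reaches the real server untouched. Requires the openssl CLI for the probe.
# ASSUMPTION: the resigning CA's issuer string contains "Fortinet" (the default
# Fortinet_CA_SSL certificate is issued by Fortinet); set MITM_CA_PATTERN to
# match a custom CA instead.

MITM_CA_PATTERN="${MITM_CA_PATTERN:-Fortinet}"

# Fetch the issuer of the leaf certificate presented for host:port.
# Verification is deliberately not enforced: before the CA is installed the
# intercepted chain is untrusted, and we still want to see who signed it.
fetch_issuer() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line from openssl: "intercepted" when it names the
# deep-inspection CA, "direct" for any other CA, "unknown" if the probe failed.
classify_issuer() {
    issuer="$1"
    if [ -z "$issuer" ]; then
        printf 'unknown\n'
        return 0
    fi
    case "$issuer" in
        *"$MITM_CA_PATTERN"*) printf 'intercepted\n' ;;
        *)                    printf 'direct\n' ;;
    esac
}

# Probe one host (optional port) and print a tab-separated verdict line:
#   host  intercepted|direct|unknown  issuer=...
check_host() {
    host="$1"
    port="${2:-443}"
    issuer="$(fetch_issuer "$host" "$port")"
    verdict="$(classify_issuer "$issuer")"
    printf '%s:%s\t%s\t%s\n' "$host" "$port" "$verdict" "${issuer:-no certificate received}"
}

# Usage: ./probe.sh example.com another.example.org
for h in "$@"; do
    check_host "$h"
done
```

A "direct" verdict for every host means the policy is not resigning that traffic at all; calling check_host with a non-443 port shows whether the profile inspects only 443 or all ports, which one reply below asks about.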

Esteemed Contributor III

I wrote this up as a sure 100% way to know SSL inspection

But I would start by looking at the firewall ssl-inspection profile "prod-deep-inspection" and a diag debug flow


Ken Felix
PCNSE NSE StrongSwan

Esteemed Contributor III

Which settings do you have set in Security Profiles > SSL Inspection, prod-deep-inspection? Esp. do you scan all ports or just 443?


Ede
"Kernel panic: Aiee, killing interrupt handler!"

New Contributor

Enable SSL Inspection of: Multiple clients connecting to multiple servers

Inspection method: Full

CA Certificate: Fortinet_CA_SSL (the default certificate, I didn't change anything here)

Untrusted SSL Certificates: Allow

RPC over HTTPS: Disabled

Exempt from SSL Inspection: reputable websites disabled.

Allow invalid SSL certificates: disabled

Log SSL anomalies: enabled

New Contributor

If I am not mistaken, applying an SSH profile won't do anything on its own; it only comes into play when another policy like Anti-virus or Web filter is also being looked at. So you would also need your web filter policy applied to that rule for the SSH Inspection to occur when browsing to an HTTPS site.

New Contributor

I am experiencing the same thing with my Fortigate 1200D. Google has a knowledge base article:

where inside are useful tests for Chromebooks and a note on how the Chromebooks require a PEM based certificate.

I opened a ticket with Fortinet support.
