Hi Everyone,
I was wondering if anyone could explain the pros and cons of the two methods of SSl inspection
Certificate Inspection and Full deep Inspection.
I read the technical comment how
certificate-inspection which only inspects the SSL handshake,
and
deep inspection enables full deep inspection.
What I would like to know is if I implement one solution does it have limitations , i.e blocking or something similar
Why have two methods ?
Many Thanks in advance
Paul
Solved! Go to Solution.
One Pro for cert inspection is it doesn't involve needing to install a security certificate on workstation computers to avoid the certification warning that comes with implementing deep inspection. This is/was the Fortigate's original method of detecting web traffic on HTTPS and takes up less resources than deep inspection.
One con for cert inspection is it is does not recognize sites/domains that use the same wildcard *. security certificate as other sites, such as Youtube (which uses *.google.com certificate).
Pro for Deep inspection is it works well with detecting any URL access on HTTPS; but to get it to work, the Fortigate plays a MITM by substituting it's own security certificate in order to peek into the encrypted SSL tunnel between a client computer and the target website -- This is why you get those cert warnings. You need to either install the Fortigate's cert on client computers or install a custom cert on both the client computers and Fortigate.
Personally, I would go with deep inspection, but circumstances often dictate otherwise: e.g. Fortigate doesn't support it or not powerful enough, client doesn't have the resources (IT personnel or network infrastructure) to implement it.
IMHO.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
One Pro for cert inspection is it doesn't involve needing to install a security certificate on workstation computers to avoid the certification warning that comes with implementing deep inspection. This is/was the Fortigate's original method of detecting web traffic on HTTPS and takes up less resources than deep inspection.
One con for cert inspection is it is does not recognize sites/domains that use the same wildcard *. security certificate as other sites, such as Youtube (which uses *.google.com certificate).
Pro for Deep inspection is it works well with detecting any URL access on HTTPS; but to get it to work, the Fortigate plays a MITM by substituting it's own security certificate in order to peek into the encrypted SSL tunnel between a client computer and the target website -- This is why you get those cert warnings. You need to either install the Fortigate's cert on client computers or install a custom cert on both the client computers and Fortigate.
Personally, I would go with deep inspection, but circumstances often dictate otherwise: e.g. Fortigate doesn't support it or not powerful enough, client doesn't have the resources (IT personnel or network infrastructure) to implement it.
IMHO.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
A Huge Thankyou to Dave for taking the time to fully explain
Regards
Paul
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.