Hi Everyone,
I was wondering if anyone could explain the pros and cons of the two methods of SSl inspection
Certificate Inspection and Full deep Inspection.
I read the technical comment how
certificate-inspection which only inspects the SSL handshake,
and
deep inspection enables full deep inspection.
What I would like to know is if I implement one solution does it have limitations , i.e blocking or something similar
Why have two methods ?
Many Thanks in advance
Paul
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
One Pro for cert inspection is it doesn't involve needing to install a security certificate on workstation computers to avoid the certification warning that comes with implementing deep inspection. This is/was the Fortigate's original method of detecting web traffic on HTTPS and takes up less resources than deep inspection.
One con for cert inspection is it is does not recognize sites/domains that use the same wildcard *. security certificate as other sites, such as Youtube (which uses *.google.com certificate).
Pro for Deep inspection is it works well with detecting any URL access on HTTPS; but to get it to work, the Fortigate plays a MITM by substituting it's own security certificate in order to peek into the encrypted SSL tunnel between a client computer and the target website -- This is why you get those cert warnings. You need to either install the Fortigate's cert on client computers or install a custom cert on both the client computers and Fortigate.
Personally, I would go with deep inspection, but circumstances often dictate otherwise: e.g. Fortigate doesn't support it or not powerful enough, client doesn't have the resources (IT personnel or network infrastructure) to implement it.
IMHO.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
One Pro for cert inspection is it doesn't involve needing to install a security certificate on workstation computers to avoid the certification warning that comes with implementing deep inspection. This is/was the Fortigate's original method of detecting web traffic on HTTPS and takes up less resources than deep inspection.
One con for cert inspection is it is does not recognize sites/domains that use the same wildcard *. security certificate as other sites, such as Youtube (which uses *.google.com certificate).
Pro for Deep inspection is it works well with detecting any URL access on HTTPS; but to get it to work, the Fortigate plays a MITM by substituting it's own security certificate in order to peek into the encrypted SSL tunnel between a client computer and the target website -- This is why you get those cert warnings. You need to either install the Fortigate's cert on client computers or install a custom cert on both the client computers and Fortigate.
Personally, I would go with deep inspection, but circumstances often dictate otherwise: e.g. Fortigate doesn't support it or not powerful enough, client doesn't have the resources (IT personnel or network infrastructure) to implement it.
IMHO.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
A Huge Thankyou to Dave for taking the time to fully explain
Regards
Paul
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.