Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amatteo78
New Contributor

Created on ‎12-08-2014 11:41 AM

disabled SSL inspection

Hello,

 

I don't understand how I can disabled SSL when Web Filter is enable. I can't swich off. I can only switch off if I disabled web filter. Have you some idea ? I have Fortigate v. 5.2.1build618 (virtual appliance).

Thanks

 

M.

37332
0 Kudos
10 REPLIES 10
techevo
New Contributor

Created on ‎12-08-2014 12:54 PM

Hi,

   

   In your policy under ssl/ssh inspection, select profile certificate inspection it will disable the "man in the middle" ssl inspection and only inspect the certificate and it will stop your ssl error in the web browser.  SSL inspection is a good thing so you should be looking at deploying a certificate on the workstation in order to effectivelly use the full sll inspection.

 

If for some reason the "certificate inspection" profile was deleted you can create one under

 

   Under Policy & objects - Policy - SSL/SSH Inspection

 

 

14500
0 Kudos
amatteo78
New Contributor
In response to techevo

Created on ‎12-08-2014 01:02 PM

techevo wrote:

Hi,

   

   In your policy under ssl/ssh inspection, select profile certificate inspection it will disable the "man in the middle" ssl inspection and only inspect the certificate and it will stop your ssl error in the web browser.  SSL inspection is a good thing so you should be looking at deploying a certificate on the workstation in order to effectivelly use the full sll inspection.

 

If for some reason the "certificate inspection" profile was deleted you can create one under

 

   Under Policy & objects - Policy - SSL/SSH Inspection

 

 

Hello,

I set "certificate-inspection" but I have problem when I try see web as Facebook... I explain, if I accept Facebook, no problem, If I block it, I receive error and not Fortinet block page, normally I see it when I try surf on block website.

Any idea ??

 

Thanks

 

M.

14500
0 Kudos
Bromont_FTNT
Staff
Staff
In response to amatteo78

Created on ‎12-08-2014 01:06 PM

 

Even when you use certificate inspection when the Fortigate displays the blocked page message, that page must be HTTPS, there is no way around this as the browser is expecting HTTPS, the Fortigate uses it's certificate for the blocked page.

14500
0 Kudos
amatteo78
New Contributor
In response to amatteo78

Created on ‎12-08-2014 01:09 PM

Can I disable from the Policy IPv4 the SSL Inspection ? in this moment it's enable auto when I enable web filter, and I can't disable.

 

M.

14500
0 Kudos
vmartin_FTNT
Staff
Staff

Created on ‎01-06-2015 11:17 AM

The ability to disable SSL/SSH inspection when using a security profile was added in 5.2.1, as noted on page 16 of the What's New guide (http://docs.fortinet.com/uploaded/files/1912/PDF.pdf).  You can disable inspection in the CLI, not the web-based manager.

 

config firewall policy   edit <id>     unset ssl-ssh-profile   end end   I just tested this and it does work; however, I noticed that when you view the policy in the web-based manager, it will show SSL inspection as enabled. However, using the show command in the CLI confirmed that it was disabled.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

14499
0 Kudos
Fr34k11
New Contributor

Created on ‎01-14-2015 02:21 AM

Hi,

You can disable the SSH inspection in the GUI. If you are on the page where you view all your policies (section view or global view) if you right click on the SSH profile you will get a menu and you can select remove profile there.

 

 

 

But here is another problem and I do hope they sort this one out because it's annoying. When you go into the rule itself and you change something like source address or the service or anything that has nothing to with UTM, in fact now that i think about it you don't even have to change anything, as soon as you click the OK button the SSL Inspection profile is back. Even if you turn it off in the CLI.

If you open the rule in the GUI and click OK, SSL is back.

 

Anyway hope the tip helps to clean out those pesky ssl profiles :)

 

 

- FortiFr34k11

- FortiFr34k11
Preview file
62 KB
14500
0 Kudos
vmartin_FTNT
Staff
Staff

Created on ‎01-14-2015 07:15 AM

A bug has been made about the issue and is being worked on for future FortiOS releases.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

14500
0 Kudos
is-office
New Contributor
In response to vmartin_FTNT

Created on ‎06-02-2022 09:52 AM

I am facing a similar issue on v6.0.2. On our enterprise portal instead of displaying the ssl CA which we bought, all browsers are pointing to the firewall s/n there by making the connection unsecured. Please how can this be resolved?

10607
0 Kudos
Alex-Farias
New Contributor
In response to is-office

Created on ‎02-27-2023 05:23 AM

Same problem here...did you manage to workaround this problem?

8069
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.