Hello,
I have FortiOS 5.0.11 but it is not still clear how it works. It has been enabled HTTPS inspection with CA sertificate (Fortinet_CA_SSL_Proxy) but on web filter profile scan encrypted connections is not configured. I can't understand why actually scan encrypted connections is disabled. Maybe a lot of traffic can't be scanned because of this ? Maybe also application control could benefit from enabling scan encrypted connections ? Another question is about the way Fortigate use it's own certificate for ssl inspection.
Can Fortigate work as man in the middle to deep scan HTTPS traffic ?
Regards
Solved! Go to Solution.
Hi
the Cert for the client you can get from Forti Gui under Certificates you will see there a Proxy Cert to be downloaded and to be installed on the client as trusted certificate. You can push this cert to the clients over group policy but do not ask how you have to do it I'm a unix guy nothing to do with Windows stuff :)
Regarding deep inspection and url scan following:
As I said first thing you should decide for your installation is:
- Will I look deep in every information flying through the Forti? If yes go for deep inspection
- Will I look not deep in every information flying through the Forti? If yes go for url scan only and nothing else (https only and every encrypted connection can not be examined).
From this point of view why you should not mix up in one rule deep inspection and url scan only is easy....under 5.2 this would not work because url scan only is under 5.2 defined in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc. from this point of view this is the reason you should not mix up both systems. From my point of view if you do deep inspection do following:
- Create a deep inspection profile for the related ports like https, smtps etc.
- Create a webfilter profile WITHOUT url scan only and look that within the webfilter profile you activate "scan encypted connections)
- Create rules for whatever and use for encrypted ports like https etc. the deep inspection profiles etc. with webfilter NOT on url scan only etc. You can add to this rule antivirus etc. whatever you like
- At least look that on EVERY client the Proxy Client Cert from the Forti is installed under trusted container cert. Keep in mind that this is neccessary for EVERY client which uses access to internet over Forti like servers, mobile devices etc. etc. etc.
IF you go NOT for deep insepction use on the https rule the deep inspection configured for 443 only and use the webfilter set as url scan only and "scan encrypted connections" not activated. Use only deep inspection profile and webfilter only no Antivirus or whatever. For every other rule -if you go not for deep inspection" use only protocol options and related antivirus or application control etc. because encrypted connections can not in this way examined.
hope this helsp
have fun
Andrea
Hi
based on 5.0.x following:
You have two possibilities to work with HTTPS and Webfiltering:
1. Solution "URL SCAN Only"
This solution works with a ssh/ssl inspection profile which means within this profile "only" https 443 is enabled and added to the corresponding Firewall Policy Rule which allows https only meaning internal to wan https allow. Within this policy you add a WebFilter profile which DOES NOT USE the position "scan encrypted connections". Addtional on CLI for this WebFilter profile you have to change following:
# config webfilter profile
[LEFT]# edit [Name of the WebFilter profile][/LEFT]# set options https-url-scan
# end
# end
If you add now both the WebFitler and the ssh/ssl inspection profile to the internal to wan https allow following happens:
If a user is accessing over https facebook.com the FGT is examing the CN of the Certificat and uses this CN (Common Name of the Cert) to be checked agains your WebFilter categorisation and allows or blocks the access. This means this check is NOT A DEEP Inspection only a check agains CN of Certificate used agains categorisation of WebFiler. At least it has to be stated "it can work but must not" this means: If a Cert example facebook.com is using a Wildcard Cert *.facebook.com you can not differ between app.facebook.com and www.facebook.com. You can only check agains *.facebook.com. This possibility is usable for small envs. because it DOES NOT NEED a Cert on the Client which plays "man of the middle".
2. Solution "Full Deep Inspection".
For this solution you have to configure follwoing:
- ssl/ssh inspection profile and activate whatever port you need example https
- WebFilter with activated position "scan encrypted connections"
- Certificate on the client from FGT SSL-Proxy Cert
In this way if you use both WebFilter and ssl/ssh insepction on a rule internal to wan https allow the FGT plays "man in the middle" and does full inspection as long as you have the SSL-Proxy Cert from FGT on the client. Of course in this constellation you can do for whatever protocoll meaning https etc. full deep inspection including Antivirus, DLP, Application Control etc. Keep in mind that this work is for the FGT a huge impact on performance and I would NOT recommend it for smaller device as 100D. It works for smaller devices but performance decreasement is not this what I would like to have :) Keep also in mind that on FGT based on 5.0.x the default Cert is worldwide the same. This was changed in FGT 5.2.x.
Hope this helps to show you the two possibilites on doing deep inspection or/and url scan only. Keep in mind that for 5.2.x the system changed this means for URL scan only you have for 5.2.x configure following:
- ssl/ssh inspection profile set as Multiple clients to multiple server and Certificate Inspection activated (https 443 will be greyed out to indicate Certificate Inspection)
- WebFilter profile nothing special because the "scan encrypted connections" are gone (use normal WebFilter nothing special).
thats it......hope this helps.
have fun
Andrea
Thanks that is really useful to better understand. However even though I presume my configuration falls into your first example but actually I have ssl inspection enabled even though scan encrypted connections option is not enabled.
I have a webfilter policy named web-policy,
edit "web-policy" set comment '' set replacemsg-group '' set inspection-mode proxy set options https-url-scan set https-replacemsg enable set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override set post-action normal
I have deep inspection option profile named ssl-inspection where only https is enabled,
edit "ssl-inspection" set comment '' config ssl set inspect-all disable set allow-invalid-server-cert disable set ssl-ca-list disable end config https set ports 443 set status enable set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config ftps set ports 990 set status disable set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config imaps set ports 993 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config pop3s set ports 995 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config smtps set ports 465 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config ssh set ports 22 set status disable set inspect-all disable unset block unset log end set caname "Fortinet_CA_SSLProxy" set certname "Fortinet_SSLProxy" set extended-utm-log disable
Then I have a firewall identity based policy with antivirus, application control, intrusion protection and .. mostly important deep inspection / webfilter policy enabled,
..
set av-profile "default" set webfilter-profile "web-policy" set spamfilter-profile '' set dlp-sensor '' set ips-sensor "intrusion-protection" set application-list "application-policy" set voip-profile '' set icap-profile '' set profile-protocol-options "default" set deep-inspection-options "ssl-inspection" ..
Hi
your fault is that you mix up deep inspection and/or url scan only which means you can not use in ONE rule deep inspection and/or url scan only. Remove https from this policy and put it with you ssl inspection profile to a seperate rule which means one rule with https is doing with your ssl inspection profile AND webfilter profile certification inspection based on https. The other rule -as long as the clients have the SSL Proxy Cert installed- is doing deep inspection for UTM like Antivirus etc.
At least I have to say this what you are doing makes for me no sense which means:
- Do URL Scan only with Certification Inspection for HTTPS WebFilter only and the other stuff is not inspected by deep inspection
- Do Full Deep Inspection for whatever but keep in mind to install the SSL Proxy Cert on the Client
Do not mix up for one env use on or the other.
hope this helps
have fun
Andrea
Sorry Andrea I've been reading your last post but I'm a bit confused, I've been editing this reply many times :)
Why do you say I should create one rule with ssl inspection profile and WebFilter (URLscan) profile and another one with all the other UTM profiles (Antivirus, Application Control..) ? No one rule with WebFilter, Application Control, Antivirus, SSL inspection.. all together ? Then Antivirus and Application Control profiles cannot get benefits by ssl inspection profile with no SSL Proxy Cert on the Client ? Actually many applications use HTTPS protocol.
Be patient :)
By the way, how can I get SSL Proxy Cert from Fortigate to install on the client ?
Hi
the Cert for the client you can get from Forti Gui under Certificates you will see there a Proxy Cert to be downloaded and to be installed on the client as trusted certificate. You can push this cert to the clients over group policy but do not ask how you have to do it I'm a unix guy nothing to do with Windows stuff :)
Regarding deep inspection and url scan following:
As I said first thing you should decide for your installation is:
- Will I look deep in every information flying through the Forti? If yes go for deep inspection
- Will I look not deep in every information flying through the Forti? If yes go for url scan only and nothing else (https only and every encrypted connection can not be examined).
From this point of view why you should not mix up in one rule deep inspection and url scan only is easy....under 5.2 this would not work because url scan only is under 5.2 defined in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc. from this point of view this is the reason you should not mix up both systems. From my point of view if you do deep inspection do following:
- Create a deep inspection profile for the related ports like https, smtps etc.
- Create a webfilter profile WITHOUT url scan only and look that within the webfilter profile you activate "scan encypted connections)
- Create rules for whatever and use for encrypted ports like https etc. the deep inspection profiles etc. with webfilter NOT on url scan only etc. You can add to this rule antivirus etc. whatever you like
- At least look that on EVERY client the Proxy Client Cert from the Forti is installed under trusted container cert. Keep in mind that this is neccessary for EVERY client which uses access to internet over Forti like servers, mobile devices etc. etc. etc.
IF you go NOT for deep insepction use on the https rule the deep inspection configured for 443 only and use the webfilter set as url scan only and "scan encrypted connections" not activated. Use only deep inspection profile and webfilter only no Antivirus or whatever. For every other rule -if you go not for deep inspection" use only protocol options and related antivirus or application control etc. because encrypted connections can not in this way examined.
hope this helsp
have fun
Andrea
Thanks Andrea very useful.
As it is now I have one rule with all profiles enabled for all destination protocols (of course not all but http,https,ftp,smtp,smtps,PPTP..).
Better one rule only for protocols http/https with only webfilter and ssl-inspection profiles enabled and another rule for all the protocols (included http/https) with webfilter and ssl-inspection profiles disabled but antivirus, application control and IPS enabled ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.