Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Baboda
New Contributor

ssl inspection and Fortigate certificate

Hello,

I have FortiOS 5.0.11 but it is not still clear how it works. It has been enabled HTTPS inspection with CA sertificate (Fortinet_CA_SSL_Proxy) but on web filter profile scan encrypted connections is not configured. I can't understand why actually scan encrypted connections is disabled. Maybe a lot of traffic can't be scanned because of this ? Maybe also application control could benefit from enabling scan encrypted connections ? Another question is about the way Fortigate use it's own certificate for ssl inspection.

 

Can Fortigate work as man in the middle to deep scan HTTPS traffic ?

 

Regards

1 Solution
AndreaSoliva
Contributor III

Hi

 

the Cert for the client you can get from Forti Gui under Certificates you will see there a Proxy Cert to be downloaded and to be installed on the client as trusted certificate. You can push this cert to the clients over group policy but do not ask how you have to do it I'm a unix guy nothing to do with Windows stuff :)

 

Regarding deep inspection and url scan following:

 

As I said first thing you should decide for your installation is:

 

- Will I look deep in every information flying through the Forti? If yes go for deep inspection

- Will I look not deep in every information flying through the Forti? If yes go for url scan only and nothing else (https only and every encrypted connection can not be examined).

 

From this point of view why you should not mix up in one rule deep inspection and url scan only is easy....under 5.2 this would not work because url scan only is under 5.2 defined in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc. from this point of view this is the reason you should not mix up both systems. From my point of view if you do deep inspection do following:

 

- Create a deep inspection profile for the related ports like https, smtps etc.

- Create a webfilter profile WITHOUT url scan only and look that within the webfilter profile you activate "scan encypted connections)

- Create rules for whatever and use for encrypted ports like https etc. the deep inspection profiles etc. with webfilter NOT on url scan only etc. You can add to this rule antivirus etc. whatever you like

- At least look that on EVERY client the Proxy Client Cert from the Forti is installed under trusted container cert. Keep in mind that this is neccessary for EVERY client which uses access to internet over Forti like servers, mobile devices etc. etc. etc.

 

IF you go NOT for deep insepction use on the https rule the deep inspection configured for 443 only and use the webfilter set as url scan only and "scan encrypted connections" not activated. Use only deep inspection profile and webfilter only no Antivirus or whatever. For every other rule -if you go not for deep inspection" use only protocol options and related antivirus or application control etc. because encrypted connections can not in this way examined.

 

hope this helsp

 

have fun

 

Andrea

View solution in original post

8 REPLIES 8
AndreaSoliva
Contributor III

Hi

 

based on 5.0.x following:

 

You have two possibilities to work with HTTPS and Webfiltering:

 

1. Solution "URL SCAN Only"

This solution works with a ssh/ssl inspection profile which means within this profile "only" https 443 is enabled and added to the corresponding Firewall Policy Rule which allows https only meaning internal to wan https allow. Within this policy you add a WebFilter profile which DOES NOT USE the position "scan encrypted connections". Addtional on CLI for this WebFilter profile you have to change following:

 

# config webfilter profile

[LEFT]# edit [Name of the WebFilter profile][/LEFT]

# set options https-url-scan

# end

# end

 

If you add now both the WebFitler and the ssh/ssl inspection profile to the internal to wan https allow following happens:

If a user is accessing over https facebook.com the FGT is examing the CN of the Certificat and uses this CN (Common Name of the Cert) to be checked agains your WebFilter categorisation and allows or blocks the access. This means this check is NOT A DEEP Inspection only a check agains CN of Certificate used agains categorisation of WebFiler. At least it has to be stated "it can work but must not" this means: If a Cert example facebook.com is using a Wildcard Cert *.facebook.com you can not differ between app.facebook.com and www.facebook.com. You can only check agains *.facebook.com. This possibility is usable for small envs. because it DOES NOT NEED a Cert on the Client which plays "man of the middle".

 

2. Solution "Full Deep Inspection".

For this solution you have to configure follwoing:

     - ssl/ssh inspection profile and activate whatever port you need example https

     - WebFilter with activated position "scan encrypted connections"

     - Certificate on the client from FGT SSL-Proxy Cert

In this way if you use both WebFilter and ssl/ssh insepction on a rule internal to wan https allow the FGT plays "man in the middle" and does full inspection as long as you have the SSL-Proxy Cert from FGT on the client. Of course in this constellation you can do for whatever protocoll meaning https etc. full deep inspection including Antivirus, DLP, Application Control etc. Keep in mind that this work is for the FGT a huge impact on performance and I would NOT recommend it for smaller device as 100D. It works for smaller devices but performance decreasement is not this what I would like to have :) Keep also in mind that on FGT based on 5.0.x the default Cert is worldwide the same. This was changed in FGT 5.2.x.

 

Hope this helps to show you the two possibilites on doing deep inspection or/and url scan only. Keep in mind that for 5.2.x the system changed this means for URL scan only you have for 5.2.x configure following:

 

- ssl/ssh inspection profile set as Multiple clients to multiple server and Certificate Inspection activated (https 443 will be greyed out to indicate Certificate Inspection)

- WebFilter profile nothing special because the "scan encrypted connections" are gone (use normal WebFilter nothing special).

 

thats it......hope this helps.

 

have fun

 

Andrea

Baboda
New Contributor

Thanks that is really useful to better understand. However even though I presume my configuration falls into your first example but actually I have ssl inspection enabled even though scan encrypted connections option is not enabled.

 

I have a webfilter policy named web-policy,

 

    edit "web-policy"         set comment ''         set replacemsg-group ''         set inspection-mode proxy         set options https-url-scan         set https-replacemsg enable         set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override         set post-action normal

I have deep inspection option profile named ssl-inspection where only https is enabled,

 

    edit "ssl-inspection"         set comment ''             config ssl                 set inspect-all disable                 set allow-invalid-server-cert disable                 set ssl-ca-list disable             end             config https                 set ports 443                 set status enable                 set client-cert-request bypass                 set unsupported-ssl bypass                 set allow-invalid-server-cert disable                 set ssl-ca-list disable             end             config ftps                 set ports 990                 set status disable                 set client-cert-request bypass                 set unsupported-ssl bypass                 set allow-invalid-server-cert disable                 set ssl-ca-list disable             end             config imaps                 set ports 993                 set status disable                 set client-cert-request inspect                 set unsupported-ssl bypass                 set allow-invalid-server-cert disable                 set ssl-ca-list disable             end             config pop3s                 set ports 995                 set status disable                 set client-cert-request inspect                 set unsupported-ssl bypass                 set allow-invalid-server-cert disable                 set ssl-ca-list disable             end             config smtps                 set ports 465                 set status disable                 set client-cert-request inspect                 set unsupported-ssl bypass                 set allow-invalid-server-cert disable                 set ssl-ca-list disable             end             config ssh                 set ports 22                 set status disable                 set inspect-all disable                 unset block                 unset log             end         set caname "Fortinet_CA_SSLProxy"         set certname "Fortinet_SSLProxy"         set extended-utm-log disable

Then I have a firewall identity based policy with antivirus, application control, intrusion protection and .. mostly important deep inspection / webfilter policy enabled,

 

                    ..

                    set av-profile "default"                     set webfilter-profile "web-policy"                     set spamfilter-profile ''                     set dlp-sensor ''                     set ips-sensor "intrusion-protection"                     set application-list "application-policy"                     set voip-profile ''                     set icap-profile ''                     set profile-protocol-options "default"                     set deep-inspection-options "ssl-inspection"                     ..

 

 

 

AndreaSoliva
Contributor III

Hi

 

your fault is that you mix up deep inspection and/or url scan only which means you can not use in ONE rule deep inspection and/or url scan only. Remove https from this policy and put it with you ssl inspection profile to a seperate rule which means one rule with https is doing with your ssl inspection profile AND webfilter profile certification inspection based on https. The other rule -as long as the clients have the SSL Proxy Cert installed- is doing deep inspection for UTM like Antivirus etc.

 

At least I have to say this what you are doing makes for me no sense which means:

 

- Do URL Scan only with Certification Inspection for HTTPS WebFilter only and the other stuff is not inspected by deep inspection

- Do Full Deep Inspection for whatever but keep in mind to install the SSL Proxy Cert on the Client

 

Do not mix up for one env use on or the other.

 

hope this helps

 

have fun

 

Andrea

Baboda

Sorry Andrea I've been reading your last post but I'm a bit confused, I've been editing this reply many times :)

 

Why do you say I should create one rule with ssl inspection profile and WebFilter (URLscan) profile and another one with all the other UTM profiles (Antivirus, Application Control..) ? No one rule with WebFilter, Application Control, Antivirus, SSL inspection.. all together ? Then Antivirus and Application Control profiles cannot get benefits by ssl inspection profile with no SSL Proxy Cert on the Client ? Actually many applications use HTTPS protocol.

 

Be patient :)

Baboda

By the way, how can I get SSL Proxy Cert from Fortigate to install on the client ?

Baboda

reply loop :)
AndreaSoliva
Contributor III

Hi

 

the Cert for the client you can get from Forti Gui under Certificates you will see there a Proxy Cert to be downloaded and to be installed on the client as trusted certificate. You can push this cert to the clients over group policy but do not ask how you have to do it I'm a unix guy nothing to do with Windows stuff :)

 

Regarding deep inspection and url scan following:

 

As I said first thing you should decide for your installation is:

 

- Will I look deep in every information flying through the Forti? If yes go for deep inspection

- Will I look not deep in every information flying through the Forti? If yes go for url scan only and nothing else (https only and every encrypted connection can not be examined).

 

From this point of view why you should not mix up in one rule deep inspection and url scan only is easy....under 5.2 this would not work because url scan only is under 5.2 defined in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc. from this point of view this is the reason you should not mix up both systems. From my point of view if you do deep inspection do following:

 

- Create a deep inspection profile for the related ports like https, smtps etc.

- Create a webfilter profile WITHOUT url scan only and look that within the webfilter profile you activate "scan encypted connections)

- Create rules for whatever and use for encrypted ports like https etc. the deep inspection profiles etc. with webfilter NOT on url scan only etc. You can add to this rule antivirus etc. whatever you like

- At least look that on EVERY client the Proxy Client Cert from the Forti is installed under trusted container cert. Keep in mind that this is neccessary for EVERY client which uses access to internet over Forti like servers, mobile devices etc. etc. etc.

 

IF you go NOT for deep insepction use on the https rule the deep inspection configured for 443 only and use the webfilter set as url scan only and "scan encrypted connections" not activated. Use only deep inspection profile and webfilter only no Antivirus or whatever. For every other rule -if you go not for deep inspection" use only protocol options and related antivirus or application control etc. because encrypted connections can not in this way examined.

 

hope this helsp

 

have fun

 

Andrea

Baboda
New Contributor

Thanks Andrea very useful.

 

As it is now I have one rule with all profiles enabled for all destination protocols (of course not all but http,https,ftp,smtp,smtps,PPTP..).

Better one rule only for protocols http/https with only webfilter and ssl-inspection profiles enabled and another rule for all the protocols (included http/https) with webfilter and ssl-inspection profiles disabled but antivirus, application control and IPS enabled ?

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors