Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: ssl inspection and Fortigate certificate
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ssl inspection and Fortigate certificate
Hello,
I have FortiOS 5.0.11 but it is not still clear how it works. It has been enabled HTTPS inspection with CA sertificate (Fortinet_CA_SSL_Proxy) but on web filter profile scan encrypted connections is not configured. I can't understand why actually scan encrypted connections is disabled. Maybe a lot of traffic can't be scanned because of this ? Maybe also application control could benefit from enabling scan encrypted connections ? Another question is about the way Fortigate use it's own certificate for ssl inspection.
Can Fortigate work as man in the middle to deep scan HTTPS traffic ?
Regards
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
the Cert for the client you can get from Forti Gui under Certificates you will see there a Proxy Cert to be downloaded and to be installed on the client as trusted certificate. You can push this cert to the clients over group policy but do not ask how you have to do it I'm a unix guy nothing to do with Windows stuff :)
Regarding deep inspection and url scan following:
As I said first thing you should decide for your installation is:
- Will I look deep in every information flying through the Forti? If yes go for deep inspection
- Will I look not deep in every information flying through the Forti? If yes go for url scan only and nothing else (https only and every encrypted connection can not be examined).
From this point of view why you should not mix up in one rule deep inspection and url scan only is easy....under 5.2 this would not work because url scan only is under 5.2 defined in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc. from this point of view this is the reason you should not mix up both systems. From my point of view if you do deep inspection do following:
- Create a deep inspection profile for the related ports like https, smtps etc.
- Create a webfilter profile WITHOUT url scan only and look that within the webfilter profile you activate "scan encypted connections)
- Create rules for whatever and use for encrypted ports like https etc. the deep inspection profiles etc. with webfilter NOT on url scan only etc. You can add to this rule antivirus etc. whatever you like
- At least look that on EVERY client the Proxy Client Cert from the Forti is installed under trusted container cert. Keep in mind that this is neccessary for EVERY client which uses access to internet over Forti like servers, mobile devices etc. etc. etc.
IF you go NOT for deep insepction use on the https rule the deep inspection configured for 443 only and use the webfilter set as url scan only and "scan encrypted connections" not activated. Use only deep inspection profile and webfilter only no Antivirus or whatever. For every other rule -if you go not for deep inspection" use only protocol options and related antivirus or application control etc. because encrypted connections can not in this way examined.
hope this helsp
have fun
Andrea
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
based on 5.0.x following:
You have two possibilities to work with HTTPS and Webfiltering:
1. Solution "URL SCAN Only"
This solution works with a ssh/ssl inspection profile which means within this profile "only" https 443 is enabled and added to the corresponding Firewall Policy Rule which allows https only meaning internal to wan https allow. Within this policy you add a WebFilter profile which DOES NOT USE the position "scan encrypted connections". Addtional on CLI for this WebFilter profile you have to change following:
# config webfilter profile
[LEFT]# edit [Name of the WebFilter profile][/LEFT]# set options https-url-scan
# end
# end
If you add now both the WebFitler and the ssh/ssl inspection profile to the internal to wan https allow following happens:
If a user is accessing over https facebook.com the FGT is examing the CN of the Certificat and uses this CN (Common Name of the Cert) to be checked agains your WebFilter categorisation and allows or blocks the access. This means this check is NOT A DEEP Inspection only a check agains CN of Certificate used agains categorisation of WebFiler. At least it has to be stated "it can work but must not" this means: If a Cert example facebook.com is using a Wildcard Cert *.facebook.com you can not differ between app.facebook.com and www.facebook.com. You can only check agains *.facebook.com. This possibility is usable for small envs. because it DOES NOT NEED a Cert on the Client which plays "man of the middle".
2. Solution "Full Deep Inspection".
For this solution you have to configure follwoing:
- ssl/ssh inspection profile and activate whatever port you need example https
- WebFilter with activated position "scan encrypted connections"
- Certificate on the client from FGT SSL-Proxy Cert
In this way if you use both WebFilter and ssl/ssh insepction on a rule internal to wan https allow the FGT plays "man in the middle" and does full inspection as long as you have the SSL-Proxy Cert from FGT on the client. Of course in this constellation you can do for whatever protocoll meaning https etc. full deep inspection including Antivirus, DLP, Application Control etc. Keep in mind that this work is for the FGT a huge impact on performance and I would NOT recommend it for smaller device as 100D. It works for smaller devices but performance decreasement is not this what I would like to have :) Keep also in mind that on FGT based on 5.0.x the default Cert is worldwide the same. This was changed in FGT 5.2.x.
Hope this helps to show you the two possibilites on doing deep inspection or/and url scan only. Keep in mind that for 5.2.x the system changed this means for URL scan only you have for 5.2.x configure following:
- ssl/ssh inspection profile set as Multiple clients to multiple server and Certificate Inspection activated (https 443 will be greyed out to indicate Certificate Inspection)
- WebFilter profile nothing special because the "scan encrypted connections" are gone (use normal WebFilter nothing special).
thats it......hope this helps.
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks that is really useful to better understand. However even though I presume my configuration falls into your first example but actually I have ssl inspection enabled even though scan encrypted connections option is not enabled.
I have a webfilter policy named web-policy,
edit "web-policy" set comment '' set replacemsg-group '' set inspection-mode proxy set options https-url-scan set https-replacemsg enable set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override set post-action normal
I have deep inspection option profile named ssl-inspection where only https is enabled,
edit "ssl-inspection" set comment '' config ssl set inspect-all disable set allow-invalid-server-cert disable set ssl-ca-list disable end config https set ports 443 set status enable set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config ftps set ports 990 set status disable set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config imaps set ports 993 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config pop3s set ports 995 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config smtps set ports 465 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert disable set ssl-ca-list disable end config ssh set ports 22 set status disable set inspect-all disable unset block unset log end set caname "Fortinet_CA_SSLProxy" set certname "Fortinet_SSLProxy" set extended-utm-log disable
Then I have a firewall identity based policy with antivirus, application control, intrusion protection and .. mostly important deep inspection / webfilter policy enabled,
..
set av-profile "default" set webfilter-profile "web-policy" set spamfilter-profile '' set dlp-sensor '' set ips-sensor "intrusion-protection" set application-list "application-policy" set voip-profile '' set icap-profile '' set profile-protocol-options "default" set deep-inspection-options "ssl-inspection" ..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
your fault is that you mix up deep inspection and/or url scan only which means you can not use in ONE rule deep inspection and/or url scan only. Remove https from this policy and put it with you ssl inspection profile to a seperate rule which means one rule with https is doing with your ssl inspection profile AND webfilter profile certification inspection based on https. The other rule -as long as the clients have the SSL Proxy Cert installed- is doing deep inspection for UTM like Antivirus etc.
At least I have to say this what you are doing makes for me no sense which means:
- Do URL Scan only with Certification Inspection for HTTPS WebFilter only and the other stuff is not inspected by deep inspection
- Do Full Deep Inspection for whatever but keep in mind to install the SSL Proxy Cert on the Client
Do not mix up for one env use on or the other.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry Andrea I've been reading your last post but I'm a bit confused, I've been editing this reply many times :)
Why do you say I should create one rule with ssl inspection profile and WebFilter (URLscan) profile and another one with all the other UTM profiles (Antivirus, Application Control..) ? No one rule with WebFilter, Application Control, Antivirus, SSL inspection.. all together ? Then Antivirus and Application Control profiles cannot get benefits by ssl inspection profile with no SSL Proxy Cert on the Client ? Actually many applications use HTTPS protocol.
Be patient :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, how can I get SSL Proxy Cert from Fortigate to install on the client ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reply loop :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
the Cert for the client you can get from Forti Gui under Certificates you will see there a Proxy Cert to be downloaded and to be installed on the client as trusted certificate. You can push this cert to the clients over group policy but do not ask how you have to do it I'm a unix guy nothing to do with Windows stuff :)
Regarding deep inspection and url scan following:
As I said first thing you should decide for your installation is:
- Will I look deep in every information flying through the Forti? If yes go for deep inspection
- Will I look not deep in every information flying through the Forti? If yes go for url scan only and nothing else (https only and every encrypted connection can not be examined).
From this point of view why you should not mix up in one rule deep inspection and url scan only is easy....under 5.2 this would not work because url scan only is under 5.2 defined in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc. from this point of view this is the reason you should not mix up both systems. From my point of view if you do deep inspection do following:
- Create a deep inspection profile for the related ports like https, smtps etc.
- Create a webfilter profile WITHOUT url scan only and look that within the webfilter profile you activate "scan encypted connections)
- Create rules for whatever and use for encrypted ports like https etc. the deep inspection profiles etc. with webfilter NOT on url scan only etc. You can add to this rule antivirus etc. whatever you like
- At least look that on EVERY client the Proxy Client Cert from the Forti is installed under trusted container cert. Keep in mind that this is neccessary for EVERY client which uses access to internet over Forti like servers, mobile devices etc. etc. etc.
IF you go NOT for deep insepction use on the https rule the deep inspection configured for 443 only and use the webfilter set as url scan only and "scan encrypted connections" not activated. Use only deep inspection profile and webfilter only no Antivirus or whatever. For every other rule -if you go not for deep inspection" use only protocol options and related antivirus or application control etc. because encrypted connections can not in this way examined.
hope this helsp
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Andrea very useful.
As it is now I have one rule with all profiles enabled for all destination protocols (of course not all but http,https,ftp,smtp,smtps,PPTP..).
Better one rule only for protocols http/https with only webfilter and ssl-inspection profiles enabled and another rule for all the protocols (included http/https) with webfilter and ssl-inspection profiles disabled but antivirus, application control and IPS enabled ?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,738 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
105 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1732 | |
| 1105 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.