Description
UTM has two modes of operation: proxy-based or flow-based. Both modes support deep inspection.
It is important to ensure that the SSL/SSH inspection profile is configured correctly for flow-based operation; otherwise, inspection may not work as expected. There are two inspection methods for an SSL/SSH inspection profile. This article focuses on "Full SSL Inspection", which is also known as deep inspection.
Scope
FortiOS v5.2.0 onwards
Solution
In the SSL/SSH inspection profile, once the inspection method is set to "Full SSL Inspection", there is an option to "Inspect All Ports" or, under "Protocol Port Mapping", to inspect only certain well-known SSL ports such as HTTPS, SMTPS and POP3S.
If the UTM profile used is proxy-based, then either option can be used: "Inspect All Ports" or inspecting only the selected ports. However, for flow-based, "Inspect All Ports" must be selected, otherwise SSL inspection may not work correctly. The reason is that in proxy-based mode the FortiGate actively proxies the whole connection and listens on specific ports, so it expects traffic on port 443 to be HTTPS, and so on.
This is not true for flow-based mode. Since flow-based inspection is handled by the IPS engine, when the SSL session is being negotiated the IPS engine does not know which application protocol the SSL session carries, so it cannot rely on a port-to-protocol mapping. Therefore, flow-based UTM only works with deep inspection when the "Inspect All Ports" option is selected.
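The following CLI fragment is an added example, not part of the original article, showing the two profile configurations side by side: a ports-only profile (acceptable for proxy-based policies) and an "Inspect All Ports" profile (required for flow-based policies). The profile names "deep-inspection-proxy" and "deep-inspection-flow" are made up for this example, and the syntax follows the FortiOS 5.4+ SSL/SSH profile CLI as best understood; verify the exact commands against the CLI reference for the FortiOS version in use, since the "Inspect All Ports" setting is expressed differently in some releases.

```text
# Added example: proxy-based policies may use either form; flow-based policies
# must use the second (inspect-all) form. Profile names are hypothetical.
config firewall ssl-ssh-profile
    # Ports-only deep inspection: works for proxy-based UTM, which knows
    # that port 443 is HTTPS, 465 is SMTPS, 995 is POP3S, and so on.
    edit "deep-inspection-proxy"
        config https
            set ports 443
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
    next
    # "Inspect All Ports" deep inspection: required for flow-based UTM, because
    # the IPS engine cannot infer the carried protocol from the port.
    edit "deep-inspection-flow"
        config ssl
            set inspect-all deep-inspection
        end
    next
end
```

When "inspect-all" is set to deep-inspection, the per-protocol port lists are no longer the deciding factor, so an SSL session on a non-standard port is still decrypted. Attach the profile to the firewall policy with "set ssl-ssh-profile" together with the flow-based AV, web filter or IPS profile that needs the decrypted traffic.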