FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197210


UTM has two modes of operation: proxy or flow-based.  Both modes support deep-inspection.

It is important to ensure that the SSL/SSH inspection profile is configured correctly for flow-based operation else it may not work as expected.  There are two types of inspection mode for SSL/SSH inspection profile, this article will focus on "Full SSL Inspection", which is also known as deep inspection.


FortiOS v5.2.0 onwards


In SSL/SSH inspection profile, once the inspection method is configured for "Full SSL Inspection", there will be an option to "Inspect All Ports" or to only inspect certain commonly known SSL ports such as HTTPS, SMTPS, POP3s  under the "Protocol Port Mapping" option.

If the UTM profile used is a proxy-based. then either option "Inspect All Ports" or only inspect certain port can be used.  However for flow-based, "Inspect All Ports" must be selected else the SSL inspection may not work correctly. The reason is for proxy based, the FortiGate will actively proxy the whole connection and listens on certain ports, thus expecting 443 as HTTPS packet and so on.

However, this is not true for flow-based.  Since flow-based is handled by IPSengine, when SSL is being negotiated, IPSengine will not know which protocol the SSL carries.  Therefore, flow-based UTM will only work with the "Inspect All Ports" option if deep-inspection is needed.