Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jrp30506
New Contributor

SSL Deep Inspection

Good Morning All,

I was wondering if someone has ever implemented SSL deep inspection on an already well established rule and was able to complete the implementation successfully. I know the question may sound a bit trivial but I assure you, it is with good reason. 

I am looking at an issue where the rules that currently exist on the firewall (which is a Fortigate 500 series) are not doing deep inspection and therefore no policies are able to use full UTM features to check traffic content for threats (app control, waf, av etc). Therefore as a test,  I set up a deep inspection profile for a specific rule (incoming rule with VIP) that affected a specific group of user and a specific app. I created the virtual server/real server association, assigned that to the destination in the rule instead of the VIP, assigned the same cert that is bound to the real server's IIS bindings to the SSL inspection profile and had the users do some testing. They immediately began to ring the phones and say that their app longer worked. So I got some details and learned that when they reach the intended webpage they are typicaly prompted for an Okta login but with this inspection profile in place, that did not happen. 

 

I say all of that to ask this question (generally speaking of course). When undertaking this kind of project does anyone have any suggestions of things to be aware of that might bite you in the @$$ for deep inspection? Safe to assume that it is just a trail by fire thing and you have to just work every issue as it arises? If there is a more uniform way to do it, I would certainly like to hear about it.

 

I have several rules to do this on. The firewall admin didn't understand at the time the rules were created, that there was more to deep inspection than just selecting an inspection profile from the UTM features. 

Any advice and or pointers will be greatly apprecaited.

1 REPLY 1
ebilcari
Staff
Staff

It can be a bit tricky but not that hard to achieve. You can use SSL/TLS offloading feature even when you need to add SSL/TLS to plain HTTP pages or adding Load Balancing features if you have more than one server 

https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/713497/virtual-server-load-b...
or take a look at this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Inbound-SSL-Deep-Inspection/ta...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Labels
Top Kudoed Authors