Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
paulbrock
New Contributor III

certificate inspection vs full deep inspection

Hi Everyone,

I was wondering if anyone could explain the pros and cons of the two methods of SSl inspection

Certificate Inspection and Full deep Inspection.

I read the technical comment how

certificate-inspection which only inspects the SSL handshake,

and

deep inspection enables full deep inspection.

What I would like to know is if I implement one solution does it have limitations , i.e  blocking  or something similar

Why have two methods ?

Many Thanks in advance

 

Paul

1 Solution
Dave_Hall
Honored Contributor

One Pro for cert inspection is it doesn't involve needing to install a security certificate on workstation computers to avoid the certification warning that comes with implementing deep inspection.  This is/was the Fortigate's original method of detecting web traffic on HTTPS and takes up less resources than deep inspection.

 

One con for cert inspection is it is does not recognize sites/domains that use the same wildcard *. security certificate as other sites,  such as Youtube (which uses *.google.com certificate).

 

Pro for Deep inspection is it works well with detecting any URL access on HTTPS; but to get it to work, the Fortigate plays a MITM by substituting it's own security certificate in order to peek into the encrypted SSL tunnel between a client computer and the target website -- This is why you get those cert warnings.  You need to either install the Fortigate's cert on client computers or install a custom cert on both the client computers and Fortigate.

 

Personally, I would go with deep inspection, but circumstances often dictate otherwise: e.g. Fortigate doesn't support it or not powerful enough, client doesn't have the resources (IT personnel or network infrastructure) to implement it.

 

IMHO.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
2 REPLIES 2
Dave_Hall
Honored Contributor

One Pro for cert inspection is it doesn't involve needing to install a security certificate on workstation computers to avoid the certification warning that comes with implementing deep inspection.  This is/was the Fortigate's original method of detecting web traffic on HTTPS and takes up less resources than deep inspection.

 

One con for cert inspection is it is does not recognize sites/domains that use the same wildcard *. security certificate as other sites,  such as Youtube (which uses *.google.com certificate).

 

Pro for Deep inspection is it works well with detecting any URL access on HTTPS; but to get it to work, the Fortigate plays a MITM by substituting it's own security certificate in order to peek into the encrypted SSL tunnel between a client computer and the target website -- This is why you get those cert warnings.  You need to either install the Fortigate's cert on client computers or install a custom cert on both the client computers and Fortigate.

 

Personally, I would go with deep inspection, but circumstances often dictate otherwise: e.g. Fortigate doesn't support it or not powerful enough, client doesn't have the resources (IT personnel or network infrastructure) to implement it.

 

IMHO.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
paulbrock
New Contributor III

A Huge Thankyou to Dave for taking the time to fully explain

Regards

Paul

Labels
Top Kudoed Authors