Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Baboda
New Contributor

ssl inspection and Fortigate certificate

Hello,

I have FortiOS 5.0.11 but it is still not clear to me how it works. HTTPS inspection has been enabled with the CA certificate (Fortinet_CA_SSL_Proxy), but on the web filter profile "scan encrypted connections" is not configured. I can't understand why scan encrypted connections is actually disabled. Maybe a lot of traffic can't be scanned because of this? Maybe application control could also benefit from enabling scan encrypted connections? Another question is about the way the Fortigate uses its own certificate for SSL inspection.

Can the Fortigate work as a man in the middle to deep scan HTTPS traffic?

Regards

AndreaSoliva
Contributor III

Hi

based on 5.0.x, the following:

You have two possibilities to work with HTTPS and web filtering:

1. Solution "URL SCAN Only"

This solution works with an SSH/SSL inspection profile in which "only" HTTPS 443 is enabled, added to the corresponding firewall policy rule which allows HTTPS only (meaning internal to wan https allow). Within this policy you add a WebFilter profile which DOES NOT USE the option "scan encrypted connections". Additionally, on the CLI for this WebFilter profile you have to change the following:

 

    config webfilter profile
        edit [Name of the WebFilter profile]
            set options https-url-scan
        next
    end

 

If you now add both the WebFilter and the SSH/SSL inspection profile to the internal to wan https allow rule, the following happens:

If a user accesses facebook.com over HTTPS, the FGT examines the CN of the certificate and uses this CN (Common Name of the cert) to be checked against your WebFilter categorisation, and allows or blocks the access. This means this check is NOT A DEEP inspection, only a check of the certificate's CN against the WebFilter categorisation. At least it has to be stated "it can work but must not", meaning: if a cert, for example facebook.com, is using a wildcard cert *.facebook.com, you cannot differentiate between app.facebook.com and www.facebook.com. You can only check against *.facebook.com. This possibility is usable for small environments because it DOES NOT NEED a cert on the client which plays "man in the middle".

2. Solution "Full Deep Inspection"

For this solution you have to configure the following:

     - SSL/SSH inspection profile, and activate whatever port you need, for example HTTPS
     - WebFilter with the option "scan encrypted connections" activated
     - certificate on the client from the FGT SSL-Proxy cert

In this way, if you use both WebFilter and SSL/SSH inspection on a rule internal to wan https allow, the FGT plays "man in the middle" and does full inspection as long as you have the SSL-Proxy cert from the FGT on the client. Of course in this constellation you can do full deep inspection for whatever protocol, meaning HTTPS etc., including Antivirus, DLP, Application Control etc. Keep in mind that this work has a huge impact on performance for the FGT and I would NOT recommend it for a smaller device such as the 100D. It works for smaller devices but the performance decrease is not what I would like to have :) Keep also in mind that on FGT based on 5.0.x the default cert is the same worldwide. This was changed in FGT 5.2.x.

Hope this helps to show you the two possibilities of doing deep inspection and/or URL scan only. Keep in mind that for 5.2.x the system changed, which means for URL scan only on 5.2.x you have to configure the following:

- SSL/SSH inspection profile set as Multiple Clients to Multiple Servers with Certificate Inspection activated (HTTPS 443 will be greyed out to indicate Certificate Inspection)
- WebFilter profile: nothing special, because the "scan encrypted connections" option is gone (use a normal WebFilter, nothing special).

That's it... hope this helps.

 

have fun

 

Andrea
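As an added illustration (not from the thread or from Fortinet) of the difference Andrea describes: in URL-scan-only mode the firewall can only rate the names in the server certificate, so every host behind a wildcard cert gets one verdict, while full deep inspection rates the real URL. The category table, certificate and hostnames below are constructed sample data.

```python
# Added example (not the thread's or Fortinet's code); all data below is constructed.
from urllib.parse import urlsplit

# Constructed rating table (stands in for the FortiGuard categorisation).
CATEGORIES = {
    "facebook.com": "social-networking",
    "app.facebook.com": "games",
}

# Constructed server certificate, in the shape ssl.getpeercert() returns,
# for a site that presents a wildcard certificate for *.facebook.com.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "subjectAltName": (("DNS", "*.facebook.com"), ("DNS", "facebook.com")),
}


def names_from_cert(cert):
    """Return the CN followed by the DNS SANs of a getpeercert()-style dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def rate(host, categories=CATEGORIES):
    """Rate the most specific entry in the table: the host, then its parents."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = categories.get(".".join(labels[i:]))
        if category:
            return category
    return "unrated"


def certificate_inspection_verdict(cert, categories=CATEGORIES):
    """URL-scan-only path: the request stays encrypted, so the firewall only
    has the server certificate to rate. A wildcard name can only be rated as
    its base domain, so every host covered by the cert gets the same verdict."""
    names = names_from_cert(cert)
    if not names:
        return "unrated"
    base = names[0][2:] if names[0].startswith("*.") else names[0]
    return rate(base, categories)


def deep_inspection_verdict(url, categories=CATEGORIES):
    """Full deep inspection: the session is decrypted and the real URL is rated."""
    return rate(urlsplit(url).hostname or "", categories)
```

With the wildcard cert, `certificate_inspection_verdict` returns the same category for www.facebook.com and app.facebook.com, whereas `deep_inspection_verdict` can tell them apart.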

Baboda
New Contributor

Thanks, that is really useful for understanding it better. However, I presume my configuration falls into your first example, but actually I have SSL inspection enabled even though the scan encrypted connections option is not enabled.

 

I have a webfilter policy named web-policy,

 

    edit "web-policy"
        set comment ''
        set replacemsg-group ''
        set inspection-mode proxy
        set options https-url-scan
        set https-replacemsg enable
        set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
        set post-action normal

I have a deep inspection options profile named ssl-inspection where only https is enabled,

 

    edit "ssl-inspection"
        set comment ''
            config ssl
                set inspect-all disable
                set allow-invalid-server-cert disable
                set ssl-ca-list disable
            end
            config https
                set ports 443
                set status enable
                set client-cert-request bypass
                set unsupported-ssl bypass
                set allow-invalid-server-cert disable
                set ssl-ca-list disable
            end
            config ftps
                set ports 990
                set status disable
                set client-cert-request bypass
                set unsupported-ssl bypass
                set allow-invalid-server-cert disable
                set ssl-ca-list disable
            end
            config imaps
                set ports 993
                set status disable
                set client-cert-request inspect
                set unsupported-ssl bypass
                set allow-invalid-server-cert disable
                set ssl-ca-list disable
            end
            config pop3s
                set ports 995
                set status disable
                set client-cert-request inspect
                set unsupported-ssl bypass
                set allow-invalid-server-cert disable
                set ssl-ca-list disable
            end
            config smtps
                set ports 465
                set status disable
                set client-cert-request inspect
                set unsupported-ssl bypass
                set allow-invalid-server-cert disable
                set ssl-ca-list disable
            end
            config ssh
                set ports 22
                set status disable
                set inspect-all disable
                unset block
                unset log
            end
        set caname "Fortinet_CA_SSLProxy"
        set certname "Fortinet_SSLProxy"
        set extended-utm-log disable

Then I have a firewall identity-based policy with antivirus, application control, intrusion protection and, most importantly, the deep inspection / webfilter profiles enabled,

                    ..
                    set av-profile "default"
                    set webfilter-profile "web-policy"
                    set spamfilter-profile ''
                    set dlp-sensor ''
                    set ips-sensor "intrusion-protection"
                    set application-list "application-policy"
                    set voip-profile ''
                    set icap-profile ''
                    set profile-protocol-options "default"
                    set deep-inspection-options "ssl-inspection"
                    ..


AndreaSoliva
Contributor III

Hi

your fault is that you mix up deep inspection and/or URL scan only, which means you cannot use deep inspection and/or URL scan only in ONE rule. Remove HTTPS from this policy and put it with your SSL inspection profile into a separate rule, which means one rule with HTTPS is doing certificate inspection based on HTTPS with your SSL inspection profile AND webfilter profile. The other rule, as long as the clients have the SSL Proxy cert installed, is doing deep inspection for UTM like Antivirus etc.

At least I have to say that what you are doing makes no sense to me, which means:

- Do URL Scan only with Certificate Inspection for HTTPS WebFilter only, and the other stuff is not inspected by deep inspection
- Do Full Deep Inspection for whatever, but keep in mind to install the SSL Proxy cert on the client

Do not mix up; for one environment use one or the other.

 

hope this helps

 

have fun

 

Andrea

Baboda

Sorry Andrea, I've been reading your last post but I'm a bit confused; I've been editing this reply many times :)

Why do you say I should create one rule with the SSL inspection profile and the WebFilter (URL scan) profile and another one with all the other UTM profiles (Antivirus, Application Control..)? Not one rule with WebFilter, Application Control, Antivirus, SSL inspection.. all together? Then the Antivirus and Application Control profiles cannot get benefits from the SSL inspection profile with no SSL Proxy Cert on the client? Actually many applications use the HTTPS protocol.

 

Be patient :)

Baboda

By the way, how can I get the SSL Proxy Cert from the Fortigate to install on the client?

Baboda

reply loop :)
AndreaSoliva
Contributor III

Hi

 

the cert for the client you can get from the Forti GUI under Certificates; you will see there a Proxy Cert to be downloaded and installed on the client as a trusted certificate. You can push this cert to the clients over group policy, but do not ask me how you have to do it, I'm a Unix guy, nothing to do with Windows stuff :)

Regarding deep inspection and URL scan, the following:

As I said, the first thing you should decide for your installation is:

- Will I look deep into every piece of information flying through the Forti? If yes, go for deep inspection
- Will I not look deep into every piece of information flying through the Forti? If yes, go for URL scan only and nothing else (HTTPS only, and every encrypted connection cannot be examined).

From this point of view, why you should not mix up deep inspection and URL scan only in one rule is easy: under 5.2 this would not work, because URL scan only is defined under 5.2 in the deep inspection profile as certificate inspection. If you use this profile it would not work anymore for antivirus etc.; from this point of view this is the reason you should not mix up both systems. From my point of view, if you do deep inspection, do the following:

- Create a deep inspection profile for the related ports like HTTPS, SMTPS etc.
- Create a webfilter profile WITHOUT URL scan only and make sure that within the webfilter profile you activate "scan encrypted connections"
- Create rules for whatever and use for encrypted ports like HTTPS etc. the deep inspection profiles etc. with webfilter NOT on URL scan only etc. You can add antivirus etc. to this rule, whatever you like
- At least make sure that on EVERY client the Proxy Client Cert from the Forti is installed in the trusted certificate container. Keep in mind that this is necessary for EVERY client which accesses the internet over the Forti, like servers, mobile devices etc. etc. etc.

IF you do NOT go for deep inspection, use on the HTTPS rule the deep inspection configured for 443 only and use the webfilter set as URL scan only with "scan encrypted connections" not activated. Use only the deep inspection profile and webfilter, no Antivirus or whatever. For every other rule, if you do not go for deep inspection, use only protocol options and the related antivirus or application control etc., because encrypted connections cannot be examined in this way.

hope this helps

 

have fun

 

Andrea

Baboda
New Contributor

Thanks Andrea, very useful.

As it is now I have one rule with all profiles enabled for all destination protocols (of course not all, but http, https, ftp, smtp, smtps, PPTP..).

Is it better to have one rule only for the protocols http/https with only the webfilter and ssl-inspection profiles enabled, and another rule for all the protocols (including http/https) with the webfilter and ssl-inspection profiles disabled but antivirus, application control and IPS enabled?

 
