Disable SSL/SSH Inspection in FortiOS 5.6

Author
bcote
2017/05/12 12:58:47

Hi all,
 
Still in pre-production, but I was wondering how I can turn off the now (since 5.6) forced SSL/SSH inspection. I know it is becoming more and more necessary, but for now, in our environment, it is causing us many more headaches than benefits. Eventually, we want to get there, but the time isn't now. I was told there is a way in the CLI to turn it off. I can't seem to find the right cookbook/document explaining how.
 
Anybody running 5.6 that might know where to look to get this turned off? All the info I can find dates back to 5.2 and the same commands don't apply to 5.6 anymore.
 
Any help will be greatly appreciated.

Ben
#1

    MikePruett
    Re: Disable SSL/SSH Inspection in FortiOS 5.6 2017/05/13 12:18:59
    SSL cert inspection is hurting you? I'm running 5.6 and it isn't forcing deep inspection.

    Mike Pruett
    Fortinet GURU
    #2
    hmtay_FTNT
    Re: Disable SSL/SSH Inspection in FortiOS 5.6 2017/05/15 08:43:02
    Hi Ben,
     
    There was another thread with the same question:
     
    https://forum.fortinet.com/tm.aspx?tree=true&m=148779&mpage=1
     
    In short: The basic certificate-inspection is not doing a MiTM. It only scans the SNI of the Client Hello and SSL Certificate. Thus, you will not run into any SSL errors or problems with decrypting the sessions. In the past, with the older FortiOS, when users could choose to disable it, it would cause signatures to not work on HTTPS sessions if disabled.
     
    Let's say we add a rule "www.facebook.com". Without enabling at least certificate-inspection, the rule will not work on https://www.facebook.com.
     
    HoMing
    #3
    bcote
    Re: Disable SSL/SSH Inspection in FortiOS 5.6 2017/05/25 05:37:58
    Hey guys,
     
    Thanks for confirming this. I am planning a deployment for next weekend and it was one of the differences between my current installation and my new 1500D. I didn't want SSL Inspection to complicate the move to production. Ultimately, the goal will be to do Deep inspection at some point, simply not now.
     
    Thanks again,
     
    Ben
    #4
    gsarica
    Re: Disable SSL/SSH Inspection in FortiOS 5.6 2017/05/25 06:17:26
    5.6.0 completely broke deep inspection for us; it was working seamlessly on 5.4.3. I currently have a ticket open.
    #5
    bstevens
    Re: Disable SSL/SSH Inspection in FortiOS 5.6 2018/01/12 09:28:53
    Upgraded from 5.4.x to 5.6.3 recently. Seemingly the forced SSL Inspection has wreaked havoc on web browsing. Cert errors, and web filter is now filtering out images that were not previously filtered. If there is a way to turn off the forced SSL/SSH inspection I'd love to know as well. At this point I'm not sure how to fix the issues short of turning off all Security profile options in the policies, which seems like a really bad fix.
    #6