Testing SSL Deep Inspection

ag611
2018/07/04 13:42:28


I'm enabling SSL deep inspection for the first time, and would like to test it on a single workstation before deploying.
I have created a new SSL inspection profile called "prod-deep-inspection" and downloaded the certificate for it. Before I install the certificate I want to test and make sure this workstation shows errors in the browser.
 
I've created an IPv4 policy under "data (internal1) -> SD-WAN":
  • Incoming interface: data (internal1)
  • Outgoing interface: sd-wan
  • Source: [address object with static IP of workstation]
  • Destination: all
  • Schedule: always
  • Service: all
  • Action: accept
  • NAT: enabled
  • Proxy options: enabled/default
  • SSL Inspection: enabled/prod-deep-inspection
But when I browse on the workstation I don't get any certificate errors, and the browser shows the website certificate.
Is there something wrong with my policy that's causing it to not produce errors on this workstation?
 
When I look at traffic logs, I can see that my policy, #24, is applying.
    emnoc
    Re: Testing SSL Deep Inspection 2018/07/04 14:52:28
    I wrote this up as a sure 100% way to know SSL inspection:
    http://socpuppet.blogspot.com/2018/05/av-with-https-inspection-fortios.html
     
    But I would start by looking at the firewall ssl-inspection profile "prod-deep-inspection" and a diag debug flow
     
    Ken Felix

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA
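A workstation-side check of the kind the reply above points at, as an added example that is not from the thread or from the linked write-up. It decides whether a TLS session is being intercepted from the certificate the client actually receives: with deep inspection in effect the FortiGate re-signs the server's leaf certificate with the CA named in the SSL inspection profile (Fortinet_CA_SSL by default), so the leaf's issuer equals that CA's subject; with inspection not in effect the issuer is the origin site's public CA. Comparing against the CA file exported from the profile avoids hard-coding any Fortinet subject name. Assumptions: the openssl command-line tool is installed on the workstation, the script file name and the path of the exported CA file are placeholders, and port 443 is used. One caveat worth checking before running it: FortiOS only intercepts TLS on behalf of a security profile that needs the plaintext (antivirus, web filter, IPS, application control or DLP); a policy that selects an SSL inspection profile but enables none of those passes the session through, and the browser then sees the origin certificate.

```shell
#!/bin/sh
# Added example (not from the thread): report from the workstation whether
# a TLS session is being re-signed by the FortiGate inspection CA.
# Requires the openssl command-line tool.

# Print the subject or issuer of a certificate file with the "subject=" /
# "issuer=" prefix removed, so the two fields can be compared directly.
# Accepts PEM or DER (the CA exported from the FortiGate GUI may be either).
cert_field() {  # $1 = subject|issuer, $2 = certificate file
    if grep -q 'BEGIN CERTIFICATE' "$2"; then inform=PEM; else inform=DER; fi
    openssl x509 -in "$2" -inform "$inform" -noout -"$1" | sed 's/^[a-z]*= *//'
}

# Print "inspected" when the leaf certificate was issued by the inspection
# CA (its issuer equals the CA's subject), "not-inspected" otherwise.
inspection_status() {  # $1 = leaf certificate file, $2 = inspection CA file
    leaf_issuer=$(cert_field issuer "$1")
    ca_subject=$(cert_field subject "$2")
    if [ "$leaf_issuer" = "$ca_subject" ]; then
        echo inspected
    else
        echo not-inspected
    fi
}

# Fetch the leaf certificate a host presents to this workstation the way a
# browser would (SNI set, handshake only). Needs network access, so it is
# only invoked when the script is given arguments.
fetch_leaf() {  # $1 = host, $2 = port, $3 = output file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Usage: sh check_inspection.sh <host> <path-to-exported-inspection-CA>
# (script name and CA file name are placeholders for this example)
if [ "$#" -eq 2 ]; then
    tmp_leaf=$(mktemp)
    fetch_leaf "$1" 443 "$tmp_leaf"
    printf '%s: issuer=%s -> %s\n' "$1" "$(cert_field issuer "$tmp_leaf")" \
        "$(inspection_status "$tmp_leaf" "$2")"
    rm -f "$tmp_leaf"
fi
```

Run it once before installing the CA on the workstation and once after; the issuer line should change to the inspection CA's subject only for policies where deep inspection is really applied, which makes it a direct way to confirm the policy rather than relying on whether the browser shows a warning.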
    ede_pfau
    Re: Testing SSL Deep Inspection 2018/07/05 03:03:15
    Which settings have you set in Security Profiles > SSL Inspection, prod-deep-inspection? Esp. do you scan all ports or just 443?

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    ag611
    Re: Testing SSL Deep Inspection 2018/07/05 05:42:15
      • Enable SSL Inspection of: Multiple clients connecting to multiple servers
      • Inspection method: Full
      • CA Certificate: Fortinet_CA_SSL (the default certificate, I didn't change anything here)
      • Untrusted SSL Certificates: Allow
      • RPC over HTTPS: Disabled
      • Inspecting: HTTPS, SMTPS, POP3S, IMAPS, FTPS
      • Exempt from SSL Inspection: reputable websites disabled
      • Allow invalid SSL certificates: disabled
      • Log SSL anomalies: enabled