Testing SSL Deep Inspection

Author
ag611
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/07/04 07:23:24
  • Status: offline
2018/07/04 13:42:28 (permalink)
0

Testing SSL Deep Inspection

I'm enabling SSL deep inspection for the first time, and would like to test it on a single workstation before deploying.
I have created a new SSL inspection profile called "prod-deep-inspection" and downloaded the certificate for it. Before I install the certificate I want to test and make sure this workstation shows errors in the browser.
 
I've created an IPv4 policy under "data (internal1) -> SD-WAN":
  • Incoming interface: data (internal1)
  • Outgoing interface: sd-wan
  • Source: [address object with static IP of workstation]
  • Destination: all
  • Schedule: always
  • Service: all
  • Action: accept
  • NAT: enabled
  • Proxy options: enabled/default
  • SSL Inspection: enabled/prod-deep-inspection
But when I browse on the workstation I don't get any certificate errors, and the browser shows the website certificate.
Is there something wrong with my policy that's causing it to not produce errors on this workstation?
 
When I look at traffic logs, I can see that my policy, #24, is applying.
#1
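A workstation-side check for the test described in the question, added here as an example that is not from the thread or from Fortinet: it fetches the leaf certificate a site presents to this workstation without validating it (the CA is deliberately not installed yet) and reports whether the issuer is the inspection CA, which is exactly the condition that makes the browser show a certificate error. It assumes openssl is on the workstation, that ISSUER_MATCH is a string taken from the CA certificate downloaded from the profile ("Fortinet" below is a placeholder), and that example.com is a placeholder target.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Fortinet. Checks from the
# test workstation whether HTTPS sessions are being re-signed by the
# deep-inspection CA, the condition that makes the browser show a
# certificate error before the CA is installed.
# Assumptions: openssl is available; ISSUER_MATCH is a string taken from the
# CA certificate downloaded from the profile ("Fortinet" is a placeholder).

# classify_issuer ISSUER_LINE ISSUER_MATCH
# Prints "no-certificate" for empty input, "inspected" when the issuer
# line contains ISSUER_MATCH, otherwise "not-inspected". Plain substring
# matching covers both openssl 1.0 ("/O=Fortinet/CN=...") and
# 1.1+ ("O = Fortinet, CN = ...") issuer formats.
classify_issuer() {
    [ -n "$1" ] || { echo no-certificate; return; }
    case "$1" in
        *"$2"*) echo inspected ;;
        *)      echo not-inspected ;;
    esac
}

# server_issuer HOST [PORT]
# Connects with SNI and prints the issuer line of the leaf certificate the
# workstation receives. No validation is done here: the point is to see who
# signed the certificate, not whether the browser would trust it.
server_issuer() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# check_inspection HOST ISSUER_MATCH [PORT]
# Exit status 0 when the site's certificate was issued by the inspection CA,
# which is what the policy under test should produce for this workstation.
check_inspection() {
    issuer=$(server_issuer "$1" "${3:-443}")
    result=$(classify_issuer "$issuer" "$2")
    printf '%s:%s %s (%s)\n' "$1" "${3:-443}" "$result" "${issuer:-no certificate returned}"
    [ "$result" = inspected ]
}

# Example call (example.com is a placeholder target):
#   check_inspection example.com Fortinet
```

A "not-inspected" result with the site's public CA as issuer means the session is passing through the policy without being re-signed, regardless of whether the traffic log shows the policy matching.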

4 Replies

    emnoc
    Expert Member
    • Total Posts : 5066
    • Scores: 307
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Testing SSL Deep Inspection 2018/07/04 14:52:28 (permalink)
    0
    I wrote this up as a sure 100% way to know SSL inspection
    http://socpuppet.blogspot.com/2018/05/av-with-https-inspection-fortios.html
     
    But I would start by looking at the firewall ssl-inspection profile "prod-deep-inspection" and a diag debug flow
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #2
    ede_pfau
    Expert Member
    • Total Posts : 5723
    • Scores: 387
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Testing SSL Deep Inspection 2018/07/05 03:03:15 (permalink)
    0
    Which settings do you have set in Security Profiles > SSL Inspection, prod-deep-inspection ? Esp. do you scan all ports or just 443?

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
    ag611
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/07/04 07:23:24
    • Status: offline
    Re: Testing SSL Deep Inspection 2018/07/05 05:42:15 (permalink)
    0
    Enable SSL Inspection of: Multiple clients connecting to multiple servers
     
    Inspection method: Full
     
    CA Certificate: Fortinet_CA_SSL (the default certificate, I didn't change anything here)
     
    Untrusted SSL Certificates: Allow
     
    RPC over HTTPS: Disabled
     
    Inspecting HTTPS, SMTPS, POP3S, IMAPS, FTPS
     
    Exempt from SSL Inspection: reputable websites disabled.
     
    Allow invalid SSL certificates: disabled
     
    Log SSL anomalies: enabled
    #4
    mrhodes
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/09/27 12:41:12
    • Status: offline
    Re: Testing SSL Deep Inspection 2018/09/27 12:45:21 (permalink)
    0
    If I am not mistaken - applying SSH profile won't do anything on its own - it only comes into play when another policy like Anti-virus or Web filter is also being looked at. So you would also need your web filter policy applied to that rule for the SSH Inspection to occur when browsing to an HTTPS site
    #5