Support Forum
ag611
New Contributor

Testing SSL Deep Inspection

I'm enabling SSL deep inspection for the first time, and would like to test it on a single workstation before deploying.

I have created a new SSL inspection profile called "prod-deep-inspection" and downloaded the certificate for it. Before I install the certificate I want to test and make sure this workstation shows errors in the browser.

I've created an IPv4 policy under "data (internal1) -> SD-WAN":

  • Incoming interface: data (internal1)
  • Outgoing interface: sd-wan
  • Source: [address object with static IP of workstation]
  • Destination: all
  • Schedule: always
  • Service: all
  • Action: accept
  • NAT: enabled
  • Proxy options: enabled/default
  • SSL Inspection: enabled/prod-deep-inspection

But when I browse on the workstation I don't get any certificate errors, and the browser shows the website certificate.

Is there something wrong with my policy that's causing it to not produce errors on this workstation?

When I look at traffic logs, I can see that my policy, #24, is applying.
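One way to tell from the workstation itself whether the FortiGate is re-signing TLS sessions is to read the issuer of the certificate a site actually presents: when deep inspection is applied, the leaf certificate is issued by the inspection CA (Fortinet_CA_SSL by default) instead of the site's public CA, which is the same thing the browser would flag once the CA is not trusted. The script below is an added example, not part of this thread, that wraps openssl s_client to do that check; it assumes openssl is installed on the workstation and that the default Fortinet CA's DN contains "Fortinet" or "FortiGate CA" (adjust the pattern in classify_issuer to your own CA's subject if you generated a custom one).

```shell
#!/bin/sh
# Added example (not from the thread): report whether the TLS certificate
# presented for HOST:PORT was issued by the FortiGate's inspection CA.

# Print the issuer DN of the leaf certificate presented for HOST:PORT.
# -servername sends SNI so the server (or the FortiGate) picks the right cert.
fetch_issuer() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line. Prints INSPECTED when the issuer looks like the
# FortiGate CA (assumption: the default Fortinet_CA_SSL DN contains
# "O = Fortinet" / "CN = FortiGate CA"), PASSTHROUGH for any other issuer,
# and NO-CERT (exit status 1) when no certificate could be read at all.
classify_issuer() {
  issuer="$1"
  [ -n "$issuer" ] || { echo "NO-CERT"; return 1; }
  case "$issuer" in
    *Fortinet*|*"FortiGate CA"*) echo "INSPECTED" ;;
    *) echo "PASSTHROUGH" ;;
  esac
}

# Fetch and classify in one step, printing a single summary line.
check_host() {
  host="$1"; port="${2:-443}"
  issuer=$(fetch_issuer "$host" "$port")
  printf '%s:%s issuer: %s -> %s\n' "$host" "$port" "${issuer:-<none>}" \
    "$(classify_issuer "$issuer")"
}

# Usage: sh check_inspection.sh www.example.com [443]
if [ "$#" -ge 1 ]; then
  check_host "$@"
fi
```

Run it from the test workstation against a site that is not in the profile's exemption list; PASSTHROUGH on a policy that should be inspecting means the session is not being re-signed, and comparing the result before and after adding a web filter or AV profile to the policy shows directly whether inspection depends on another profile being present. The same check also works for the other inspected protocols by passing the port (for example 993 for IMAPS).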

emnoc
Esteemed Contributor III

I wrote this up as a sure, 100% way to know SSL inspection is working:

http://socpuppet.blogspot.com/2018/05/av-with-https-inspection-fortios.html

But I would start by looking at the firewall ssl-inspection profile "prod-deep-inspection" and a diag debug flow.

Ken Felix

PCNSE NSE StrongSwan
ede_pfau
Esteemed Contributor III

Which settings do you have set in Security Profiles > SSL Inspection, prod-deep-inspection? Especially, do you scan all ports or just 443?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
ag611
New Contributor

  • Enable SSL Inspection of: Multiple clients connecting to multiple servers
  • Inspection method: Full
  • CA Certificate: Fortinet_CA_SSL (the default certificate, I didn't change anything here)
  • Untrusted SSL Certificates: Allow
  • RPC over HTTPS: Disabled
  • Inspecting: HTTPS, SMTPS, POP3S, IMAPS, FTPS
  • Exempt from SSL Inspection: reputable websites disabled
  • Allow invalid SSL certificates: disabled
  • Log SSL anomalies: enabled

    mrhodes
    New Contributor

If I am not mistaken, applying an SSH profile won't do anything on its own; it only comes into play when another policy like Anti-virus or Web filter is also being looked at. So you would also need your web filter policy applied to that rule for the SSH inspection to occur when browsing to an HTTPS site.

    Tom_Spelda
    New Contributor

I am experiencing the same thing with my Fortigate 1200D. Google has a knowledge base article, https://support.google.com/chrome/a/answer/3504943?hl=en&ref_topic=3504941, which contains useful tests for Chromebooks and a note on how the Chromebooks require a PEM-based certificate.

I opened a ticket with Fortinet support.
