AnsweredHot!SSL Deep Inspection

Author
Pizzaman7
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/11/27 12:50:38
  • Status: offline
2018/11/27 13:09:49 (permalink)
0

SSL Deep Inspection

Hi,
 
I am new to Fortigate.  I have a 30E that I have been working on.  I upgraded it to the latest 6.0.3 Firmware level.
 
I am trying to ascertain if using SSL Deep Inspection is a better option than the default without putting too high of a strain on the unit.  It might be better for Anti-Spam as I have an internal e-mail server.  I am not sure how good the Anti-spam is working yet as I am using the default SSL Inspection and did tie it to my firewall policies.
 
For the Certificate I am just using the internally self-signed certificate and don't plan on getting one from a public CA and paying for it.  I can use Group Policy to distribute it to my machines.  I do have an internal CA.  I did do this when I was a Sophos house.  Thanks in advance for any assistance you can grant me.
#1
bmorris
New Member
  • Total Posts : 17
  • Scores: 2
  • Reward points: 0
  • Joined: 2018/10/23 02:38:31
  • Status: offline
Re: SSL Deep Inspection 2018/12/07 03:20:15 (permalink) ☼ Best Answerby Pizzaman7 2018/12/17 01:09:22
0
Hi,
 
I'd always go for deep inspection over certificate inspection where possible, better protection from encrypted traffic.
 
What resource usage do you have on your device at the moment? Conserve mode activates at 88% memory usage so bear that in mind when you enable it. Enabling deep inspection will increase resource usage.
#2
Pizzaman7
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/11/27 12:50:38
  • Status: offline
Re: SSL Deep Inspection 2018/12/17 01:21:06 (permalink)
0
I have implemented the SSL Deep Scan and am glad I did.  The unit is hovering around 70-72% RAM utilization so it hasn't been a big impact.  It's about what it was before.  CPU is very low and running fine.
 
I also have SSL Deep Scan on some of my incoming policies as I have an on-premise e-mail server.
 
What I have to figure out is that the certificate on the Fortigate has been deployed via Group Policy and I can see it but most browsers have issues with SSL-based traffic.  Firefox requires its own installation of the certificate so it is the only browser truly working.  I have a FSO/SSO connection to my AD Server on the Fortigate and I have created some groups with the AD Users but I don't think the Fortigate can sense who is logged into a system.  My Firewall policies just have "All" and I don't think I have true user based web filtering working yet.  Still though other browsers shouldn't have this many issues.  Thanks.
#3
Jump to:
© 2019 APG vNext Commercial Version 5.5