Support Forum
Xyler
New Contributor

SSL Read-Only Inspection Questions

Hello,

I've noticed that in the SSL Inspection rules the default is read-only, but while surfing the web I noticed certain sites were having their certs re-written with Fortinet's cert. One such site was the Canadian Ontario site lcbo.com. I noticed it was happening with my personal website too. My own site uses Let's Encrypt as its CA, and lcbo is using COMODO. I can understand the Let's Encrypt one, because it's possible Fortinet doesn't "trust" Let's Encrypt, but COMODO should be trusted, no?

Or am I not understanding the SSL Inspection default rule?

emnoc
Esteemed Contributor III

Okay, let's define "read-only": that is a non-modifiable pre-canned profile. It uses "Fortinet_CA_SSL" by default? It does deep inspection.

If you are doing deep inspection, that means you are inspecting and removing SSL/TLS to inspect. If you are doing "certificate", you're only inspecting SSL/TLS handshakes?

So what are you using? Does it sound like deep inspection? Also check for any SSL exceptions (config ssl-exempt).

 

Ken Felix
PCNSE NSE StrongSwan
Xyler
New Contributor

emnoc wrote:

Okay, let's define "read-only": that is a non-modifiable pre-canned profile. It uses "Fortinet_CA_SSL" by default? It does deep inspection. If you are doing deep inspection, that means you are inspecting and removing SSL/TLS to inspect. If you are doing "certificate", you're only inspecting SSL/TLS handshakes? So what are you using? Does it sound like deep inspection? Also check for any SSL exceptions (config ssl-exempt).

So I realised a little after posting two things:

1: That "Read-Only" meant that I couldn't edit it, not that it only read the certificate.

2: I hadn't upgraded to 6.2. The Fortinet was still on 6.0. 6.2 has a "Don't inspect at all" profile.

In any case, I mainly wanted to just do web and DNS inspection to make sure that the sites visited weren't bad/malicious sites, not to do deep inspection of SSL traffic. I didn't want the Fortinet to re-sign the certs at all, and for the most part the default one didn't... but on a few sites it did, even if I didn't want it to.

I'm sort of new to firewalls and such, so I don't know if I am explaining this correctly...

emnoc
Esteemed Contributor III

Okay, sure. I just want you to realize (and you did) that read-only is the default in FortiOS. So you probably only need web filtering and category checking. I would look at the cookbook, start at that point, and add on to your inventory of threat protection.

{security-profiles}

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680955/security-profiles

Ken Felix
PCNSE NSE StrongSwan
metz_FTNT
Staff

"certs re-written with Fortinet's Cert" -> which Fortinet cert is it re-signed with? There are 2 options:

1. Fortinet_CA -> this will happen either if you have a deep-inspection profile applied OR if a replacement message needs to be delivered to the client, e.g. a blocked page message, a warning page and so on...

2. Fortinet Untrusted CA will be used if the server certificate is signed by an untrusted CA, or it is expired, the certificate chain is incomplete and so on; check the server on ssllabs.com for such issues.

It depends on the firmware version, but for the most part all publicly known CAs are trusted, including Let's Encrypt.
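As an added diagnostic that is not part of this thread, the POSIX shell script below is run from a client behind the FortiGate: it pulls the leaf certificate a site actually presents to that client (with SNI, as a browser would) and maps the issuer to the two re-signing cases described in the reply above, or reports the site's own certificate. The CA names matched are assumed to be the FortiOS defaults, "Fortinet_CA_SSL" (named in emnoc's reply) and "Fortinet_CA_Untrusted"; if a custom CA has been loaded into the SSL/SSH profile, adjust the patterns. The host names on the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fortinet.
# Run on a client behind the FortiGate: for each host, show whether the
# certificate reaching this client is the site's own or one re-signed by
# the firewall, and if re-signed, by which of the two firewall CAs.

# Classify an "issuer=..." line from openssl. Assumed default FortiOS CA
# names; the untrusted pattern must be tested before the generic one.
classify_issuer() {
    case "$1" in
        *Fortinet_CA_Untrusted*|*"Fortinet Untrusted CA"*)
            # Upstream chain failed validation on the FortiGate
            # (expired, incomplete chain, unknown CA): fix the server.
            echo "resigned-untrusted" ;;
        *Fortinet_CA_SSL*|*Fortinet_CA*)
            # Deep inspection, or a replacement/block page being served
            # on an otherwise certificate-inspection policy.
            echo "resigned-deep" ;;
        *)
            echo "original" ;;
    esac
}

# Fetch the issuer of the leaf certificate presented for host:port.
# -servername sends SNI so the firewall sees the same name a browser sends;
# the empty stdin makes s_client exit after the handshake.
fetch_issuer() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Print "<host>: <classification> (<issuer line>)" for one site.
check_site() {
    issuer=$(fetch_issuer "$1" "${2:-443}")
    if [ -z "$issuer" ]; then
        echo "$1: no certificate received"
        return 1
    fi
    echo "$1: $(classify_issuer "$issuer") ($issuer)"
}

# usage: sh ssl-check.sh lcbo.com example.org   (host names are placeholders)
for h in "$@"; do
    check_site "$h"
done
```

Reading the result: "resigned-untrusted" means the FortiGate could not validate the chain the server sent, which is the case an ssllabs.com report on that server will show (missing intermediate, expired cert, unknown root). "resigned-deep" on a policy that is supposed to be certificate-inspection only usually means a web filter block or warning page was injected for that request rather than the session being decrypted; compare the same host against the FortiGate's web filter log and `config ssl-exempt` entries before concluding deep inspection is on.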
