SSL Read-Only Inspection Questions

Author
Xyler
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/15 08:08:00
2019/10/15 08:19:42 (permalink) 6.2

Hello,
 
I've noticed in the SSL Inspection rules that the default is read-only, but while surfing the web, I noticed certain sites were having their certs re-written with Fortinet's cert. One such site was the Canadian Ontario site lcbo.com. I noticed it was happening with my personal website too. My own site uses Let's Encrypt as its CA, and lcbo is using COMODO. I can understand the Let's Encrypt, because it's possible Fortinet doesn't "trust" Let's Encrypt, but Comodo should be trusted, no?
 
Or am I not understanding the SSL Inspection default rule?
#1


    emnoc
    Expert Member
    • Total Posts : 5366
    • Scores: 351
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    Re: SSL Read-Only Inspection Questions 2019/10/15 11:52:03 (permalink)
    Okay, let's define "readonly": that is a non-modify pre-canned profile. It uses "Fortinet_CA_SSL" by default? It does deep-inspection.
     
    If you are doing deep inspection that means you are inspecting and removing SSL/TLS to inspect. If you are doing "certificate" you're only inspecting SSL/TLS hand-shakes?
     
    So what are you using? Does it sound like deep inspection? Also check for any SSL-exceptions ("config ssl-exempt").
     
    Ken Felix
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #2
    Xyler
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/10/15 08:08:00
    Re: SSL Read-Only Inspection Questions 2019/10/15 11:56:07 (permalink)
    emnoc:
    Okay, let's define "readonly": that is a non-modify pre-canned profile. It uses "Fortinet_CA_SSL" by default? It does deep-inspection. If you are doing deep inspection that means you are inspecting and removing SSL/TLS to inspect. If you are doing "certificate" you're only inspecting SSL/TLS hand-shakes? So what are you using? Does it sound like deep inspection? Also check for any SSL-exceptions ("config ssl-exempt"). Ken Felix
     
    So I realised a little after posting two things:
     
    1: That "Read-Only" meant that I couldn't edit it, not that it only read the certificate.
     
    2: I hadn't upgraded to 6.2. The Fortinet was still on 6.0. 6.2 has a "Don't inspect at all" profile.
     
    In any case, I mainly wanted to just do Web and DNS inspection to make sure that the sites visited weren't bad/malicious sites, not to do deep inspection of SSL traffic. I didn't want the Fortinet to re-sign the certs at all, and for the most part, the default one didn't... but on a few sites, it did, even if I didn't want it to.
     
    I'm sort of new to firewalls and such, so I don't know if I am explaining this correctly...
    #3
    emnoc
    Expert Member
    • Total Posts : 5366
    • Scores: 351
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    Re: SSL Read-Only Inspection Questions 2019/10/16 01:02:40 (permalink)
    Okay, sure. I just want you to realize (and you did) that read-only is the default in FortiOS. So you probably only need web filtering and category checking. I would look at the cookbook and start at that point and add on to your inventory of threat protection.
     
    { security-profiles }
     
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680955/security-profiles
     
    Ken Felix
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #4
    metz_FTNT
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/11/06 01:32:17
    Re: SSL Read-Only Inspection Questions 2019/11/06 01:40:02 (permalink)
    "certs re-written with Fortinet's Cert" -> which Fortinet cert is it re-signed with? There are 2 options:
     
    1. Fortinet_CA -> this will happen either if you have a deep-inspection profile applied OR if a replacement message needs to be delivered to the client, e.g. blocked page message, warning page and so on...
     
    2. Fortinet Untrusted CA will be used if the server certificate is signed by an untrusted CA or it is expired, the certificate chain is incomplete and so on; check the server on ssllabs.com for such issues.
    It depends on the firmware version, but in the majority of cases all publicly known CAs are trusted, including Let's Encrypt.
    #5
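An added FortiOS CLI sketch, not taken from the thread or from Fortinet's documentation, tying together the two things the replies point at: the `config ssl-exempt` list emnoc mentions, and the two CAs (Fortinet_CA_SSL for re-signing, Fortinet Untrusted CA for servers whose own certificate fails validation) that metz_FTNT describes. The profile name `custom-certificate-inspection` is hypothetical, the exempted address object is constructed for the example, and the tree below follows the FortiOS 6.x `firewall ssl-ssh-profile` syntax as I know it, so compare it against `show full-configuration` on your own firmware before applying anything.

```fortios
# Added example, not from the thread. Assumes FortiOS 6.x CLI syntax;
# verify against "show full-configuration" on your own firmware.

# An FQDN address object for a site that must never be re-signed
# (lcbo.com is the site named in the thread; any FQDN works the same way).
config firewall address
    edit "lcbo.com"
        set type fqdn
        set fqdn "lcbo.com"
    next
end

config firewall ssl-ssh-profile
    # Hypothetical name: a copy of the built-in read-only
    # "certificate-inspection" profile, so the built-in stays untouched.
    edit "custom-certificate-inspection"
        set comment "Handshake/SNI inspection only, no decryption"
        # The two CAs the firewall can present to a client:
        #  - caname is used whenever it re-signs (deep inspection, or a
        #    block/warning page delivered inside the TLS session);
        #  - untrusted-caname is used when the real server certificate
        #    fails validation (expired, incomplete chain, unknown issuer),
        #    which is why a browser then shows an untrusted-issuer error.
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            # certificate-inspection looks at the handshake only;
            # deep-inspection would decrypt and re-sign every session.
            set status certificate-inspection
        end
        # Sessions matching ssl-exempt are never decrypted or re-signed,
        # regardless of the https status above.
        config ssl-exempt
            edit 1
                # FortiGuard category id 31 (Finance and Banking), as the
                # built-in profiles exempt it; check your own category list.
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                # The FQDN address object defined above.
                set type address
                set address "lcbo.com"
            next
        end
    next
end
```

To tell which of the two cases you are hitting, look at the issuer of the certificate a client behind the firewall actually receives (the browser's certificate viewer, or the chain printed by `openssl s_client -connect host:443 -servername host`): an issuer of Fortinet_CA_SSL means the policy is decrypting or injecting a replacement page, while the Untrusted CA means the origin server's own certificate failed validation and the fix belongs on the server, not in the firewall profile.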