Fortinet Document Library

Using the default deep-inspection profile

  1. Go to System > Feature Visibility and ensure Multiple Security Profiles is enabled.

  2. Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.
  3. In the Security Profiles section, enable Web Filter and use the default profile.

    SSL/SSH Inspection is enabled by default. Select the deep-inspection profile.

    With the deep-inspection profile, FortiGate terminates the client's SSL/TLS session itself: it presents the client a certificate for the requested site that it generates and signs with its own CA (Fortinet_CA_SSL by default), then decrypts and inspects the content. FortiGate then opens a second SSL/TLS session from itself to the real server, acting as the client, re-encrypts the inspected content and forwards it to the server. The client therefore sees a certificate chain that ends in the FortiGate CA, not in the site's real CA.

  4. Browse to google.ca.

    This example uses Mozilla Firefox. An error page appears that you cannot bypass; Firefox offers no option to add an exception.

    This error occurs because Firefox ships a built-in list of pinned public keys for Google domains (certificate pinning, also called SSL pinning or public key pinning). Firefox compares the keys in the certificate chain it received against those pins and finds that no key in the chain the FortiGate presented belongs to Google. It therefore concludes that a man-in-the-middle attack is occurring and blocks the site rather than offering an exception. Note that Firefox keeps its own certificate store, separate from the operating system's, and that by default (security.cert_pinning.enforcement_level = 1) it does not enforce its built-in pins against a chain that anchors in a CA the user has imported into that store. Importing the FortiGate CA certificate into the operating system alone does not change what Firefox sees.
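The following is an added example, not code from the Fortinet cookbook or from Firefox: a small model of the public-key pin check that blocks the intercepted google.ca session above, and of the user-added-CA exemption Firefox applies at its default enforcement level. The key material is constructed stand-in byte strings; real pins are computed over each certificate's DER-encoded SubjectPublicKeyInfo, and the names GOOGLE_PINS, chain_matches_pins and firefox_pin_decision are this example's own.

```python
# Added example (not Fortinet's or Mozilla's code): model of the HPKP-style
# pin check Firefox runs on a pinned host, showing why a FortiGate-signed
# chain for google.ca fails it and when Firefox exempts a chain from the check.
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as in RFC 7469: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for SubjectPublicKeyInfo blobs (real ones are DER
# extracted from each certificate); only their distinctness matters here.
GOOGLE_LEAF_SPKI = b"constructed: google.ca leaf public key"
GOOGLE_INTERMEDIATE_SPKI = b"constructed: Google intermediate CA public key"
BUILTIN_ROOT_SPKI = b"constructed: public root CA shipped with Firefox"
FORTIGATE_LEAF_SPKI = b"constructed: google.ca leaf re-signed by FortiGate"
FORTINET_CA_SSL_SPKI = b"constructed: Fortinet_CA_SSL public key"

# Pins are set on intermediate and root keys rather than the leaf, so routine
# leaf certificate rotation at the site does not trip them.
GOOGLE_PINS = {spki_pin(GOOGLE_INTERMEDIATE_SPKI), spki_pin(BUILTIN_ROOT_SPKI)}


def chain_matches_pins(chain_spkis, pins):
    """HPKP rule: the chain passes if ANY certificate's key matches a pin."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def firefox_pin_decision(chain_spkis, pins, anchor_is_user_added, enforcement_level=1):
    """Decision for a pinned host, modelled on security.cert_pinning.enforcement_level.

    anchor_is_user_added: True when the chain ends in a CA the user imported into
        Firefox's own store. False for a shipped root and also for the page's
        case, where the FortiGate CA is not in Firefox's store at all; either way
        the chain gets no exemption from the pin check.
    enforcement_level: 0 = pinning disabled; 1 = default, pins not enforced for
        user-added anchors; 2 = strict, pins always enforced.
    """
    if enforcement_level == 0:
        return "allow"
    if enforcement_level == 1 and anchor_is_user_added:
        return "allow"
    if chain_matches_pins(chain_spkis, pins):
        return "allow"
    return "blocked: key pinning failure"


if __name__ == "__main__":
    genuine = [GOOGLE_LEAF_SPKI, GOOGLE_INTERMEDIATE_SPKI, BUILTIN_ROOT_SPKI]
    intercepted = [FORTIGATE_LEAF_SPKI, FORTINET_CA_SSL_SPKI]
    print("direct to Google:                ", firefox_pin_decision(genuine, GOOGLE_PINS, False))
    print("via FortiGate, CA not in Firefox:", firefox_pin_decision(intercepted, GOOGLE_PINS, False))
    print("via FortiGate, CA imported:      ", firefox_pin_decision(intercepted, GOOGLE_PINS, True))
    print("via FortiGate, strict level 2:   ", firefox_pin_decision(intercepted, GOOGLE_PINS, True, 2))
```

The second case is the one on this page: the re-signed chain contains no Google key, so the pin check fails and Firefox blocks the site. The third case shows why importing the FortiGate CA into Firefox's own store (not only the operating system's) clears the error at the default enforcement level, and the fourth shows that an administrator who sets the level to 2 keeps the block even then.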
