firewall ssl-ssh-profile

Use this command to configure UTM deep inspection options profiles for firewall policies. Deep inspection options configure how UTM functionality identifies secure content protocols such as HTTPS, FTPS, and SMTPS. Client comforting options are controlled by the corresponding non-secure protocol options in firewall profile-protocol-options.

To configure ssl-server entries, set client-cert-request to a value other than bypass.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command:

    config ssh
        set ssh-policy-check {enable | disable}
        set ssh-tun-policy-check {enable | disable}
    next
    ...

Description:

    Options to enable the SSH proxy and SSH tunnel policy checks.

    When ssh-policy-check is enabled, the proxy checks the "SSH proxy" policy for SSH traffic and the "SSH tunnel" policy for TCP/IP port forwarding traffic.

Command:

    config ssh
        set unsupported-version {bypass | block}
    next
    ...

Description:

    Option to either bypass or block unsupported versions of SSH. Note that deep scan is only supported for SSH 2.0.

Command:

    config ssh
        set ssh-algorithm {compatible | high-encryption}
    next
    ...

Description:

    The level of SSH encryption can be set for SSH sessions on a per-profile basis.

    Either allow a broader set of encryption algorithms (better for compatibility), or allow only AES-CTR, AES-GCM and high encryption algorithms for the session.

config firewall ssl-ssh-profile
    edit {name}
    # Configure SSL/SSH protocol options.
        set name {string}   Name. size[35]
        set comment {string}   Optional comments. size[255]
        config ssl
            set inspect-all {disable | certificate-inspection | deep-inspection}   Level of SSL inspection.
                    disable                 Disable.
                    certificate-inspection  Inspect SSL handshake only.
                    deep-inspection         Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config https
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | certificate-inspection | deep-inspection}   Configure protocol inspection status.
                    disable                 Disable.
                    certificate-inspection  Inspect SSL handshake only.
                    deep-inspection         Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config ftps
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config imaps
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config pop3s
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config smtps
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config ssh
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set inspect-all {disable | deep-inspection}   Level of SSL inspection.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set unsupported-version {bypass | block}   Action based on SSH version being unsupported.
                    bypass  Bypass the session.
                    block   Block the session.
            set ssh-policy-check {disable | enable}   Enable/disable SSH policy check.
            set ssh-tun-policy-check {disable | enable}   Enable/disable SSH tunnel policy check.
            set ssh-algorithm {compatible | high-encryption}   Relative strength of encryption algorithms accepted during negotiation.
                    compatible       Allow a broader set of encryption algorithms for best compatibility.
                    high-encryption  Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
        set whitelist {enable | disable}   Enable/disable exempting servers by FortiGuard whitelist.
        config ssl-exempt
            edit {id}
            # Servers to exempt from SSL inspection.
                set id {integer}   ID number. range[0-512]
                set type {option}   Type of address object (IPv4 or IPv6) or FortiGuard category.
                        fortiguard-category  FortiGuard category.
                        address              Firewall IPv4 address.
                        address6             Firewall IPv6 address.
                        wildcard-fqdn        Fully Qualified Domain Name with wildcard characters.
                        regex                Regular expression FQDN.
                set fortiguard-category {integer}   FortiGuard category ID. range[0-255]
                set address {string}   IPv4 address object. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set address6 {string}   IPv6 address object. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                set wildcard-fqdn {string}   Exempt servers by wildcard FQDN. size[63] - datasource(s): firewall.wildcard-fqdn.custom.name,firewall.wildcard-fqdn.group.name
                set regex {string}   Exempt servers by regular expression. size[255]
            next
        set server-cert-mode {re-sign | replace}   Re-sign or replace the server's certificate.
                re-sign  Multiple clients connecting to multiple servers.
                replace  Protect an SSL server.
        set use-ssl-server {disable | enable}   Enable/disable the use of SSL server table for SSL offloading.
        set caname {string}   CA certificate used by SSL Inspection. size[35] - datasource(s): vpn.certificate.local.name
        set untrusted-caname {string}   Untrusted CA certificate used by SSL Inspection. size[35] - datasource(s): vpn.certificate.local.name
        set server-cert {string}   Certificate used by SSL Inspection to replace server certificate. size[35] - datasource(s): vpn.certificate.local.name
        config ssl-server
            edit {id}
            # SSL servers.
                set id {integer}   SSL server ID. range[0-4294967295]
                set ip {ipv4 address any}   IPv4 address of the SSL server.
                set https-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the HTTPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set smtps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the SMTPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set pop3s-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the POP3S handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set imaps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the IMAPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set ftps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the FTPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set ssl-other-client-cert-request {bypass | inspect | block}   Action based on client certificate request during an SSL protocol handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
            next
        set ssl-anomalies-log {disable | enable}   Enable/disable logging SSL anomalies.
        set ssl-exemptions-log {disable | enable}   Enable/disable logging SSL exemptions.
        set rpc-over-https {enable | disable}   Enable/disable inspection of RPC over HTTPS.
        set mapi-over-https {enable | disable}   Enable/disable inspection of MAPI over HTTPS.
    next
end

Additional information

The following section is for those options that require additional explanation.

allow-invalid-server-cert

During the SSL handshake, a number of checks are made to verify the validity of the server certificate.

One source for these checks is a CA certificate store inside FortiOS. This is the same CA bundle used by the Mozilla Firefox browser.

Updates to the store are:

  • With each new version of FortiOS
  • Via internal FGD
  • Possible with some builds via FTP

Details of the CA certificate store can be found at: https://curl.haxx.se/docs/caextract.html

The following checks are made for validity (each validity check is followed by its description):

Signature

One of the things checked against the CA bundle is the certificate signature. These signatures are generated by signing directly with the CA's private key.

Expiration date

All certificates have an expiry date. The current date, taken from the device's clock/calendar, is compared to the expiry date of the certificate.

Revoked list

Periodically, certificates are revoked. If a certificate has been revoked it is put on a list. Whenever a certificate is being verified, it is checked against this list.

Self-signed certificate

In the case of self-signed certificates, the IPS engine and the proxy have different handling. The IPS engine will keep and use the self-signed certificate, but the public key will be replaced so that SSL inspection can take place. The proxy engine will re-sign the certificate with the untrusted CA certificate. The mechanics differ, but the net effect for the user is similar: the user will get warnings from browsers. Users can choose to remember the self-signed certificate in some browsers, but cannot do the same with the certificate re-signed by the untrusted CA.

Intermediate CA with a weak hash algorithm, such as MD5 or SHA1

Some browsers, like Chrome or Firefox, will give a warning because of a weak signature algorithm (visit https://sha1-intermediate.badssl.com to test).

In the IPS engine, in order to convey the weak intermediate CA back to the client, the signature hash algorithm of the re-signed server certificate is downgraded to the weakest algorithm used in the original certificate chain.

In the proxy engine, in the case of a weak signature algorithm, the connection is treated as untrusted and the server certificate is re-signed with the untrusted CA. The final user experience is different: instead of a warning like "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" that you would get in Chrome, you will get a warning that the certificate couldn't be verified (because the signing CA is not trusted or imported into the user's web browser).
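As an added example (not Fortinet's own code), the following Python parses profiles written in the CLI syntax above and flags the settings this page describes as weakening certificate validation, SSH inspection or logging. The sample configuration, its profile names and the wildcard FQDN are constructed; the weak-value rules paraphrase the option descriptions on this page.

```python
"""Audit FortiOS ssl-ssh-profile blocks for settings that weaken inspection (added example, not Fortinet code)."""
import shlex

# Constructed sample: one hardened profile and one permissive profile, in the CLI syntax shown on this page.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "strict-deep"
        config ssl
            set inspect-all deep-inspection
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config ssh
            set unsupported-version block
            set ssh-algorithm high-encryption
        end
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "*.example-bank.test"
            next
        end
        set ssl-anomalies-log enable
        set ssl-exemptions-log enable
    next
    edit "lenient"
        config https
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set untrusted-cert ignore
        end
        config ssh
            set unsupported-version bypass
            set ssh-algorithm compatible
        end
        set ssl-anomalies-log disable
    next
end
"""


class Node:  # one config object: its 'set' values, 'config' sub-objects and 'edit' table rows
    def __init__(self) -> None:
        self.settings: dict[str, list[str]] = {}
        self.children: dict[str, "Node"] = {}
        self.entries: dict[str, "Node"] = {}


def parse_fortios(text: str) -> Node:
    """Parse the nested config/edit/set/next/end syntax into a Node tree."""
    root = Node()
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        if kw == "config":  # sub-object, e.g. 'config ssl' or 'config firewall ssl-ssh-profile'
            stack.append(stack[-1].children.setdefault(" ".join(args), Node()))
        elif kw == "edit":  # table row, e.g. 'edit "strict-deep"' or 'edit 1'
            stack.append(stack[-1].entries.setdefault(args[0], Node()))
        elif kw == "set":
            stack[-1].settings[args[0]] = args[1:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced {kw}")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unexpected keyword {kw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


Finding = tuple[str, str, str, str]  # (profile name, option path, value, reason)
SSL_SECTIONS = ("ssl", "https", "ftps", "imaps", "pop3s", "smtps")
# (option, weak values, reason); reasons follow the option descriptions on this page
WEAK_SSL = [("allow-invalid-server-cert", {"enable"}, "sessions whose server certificate failed validation are allowed"),
            ("untrusted-cert", {"allow", "ignore"}, "untrusted server certificates are not blocked"),
            ("unsupported-ssl", {"bypass"}, "unsupported SSL is passed without inspection")]
WEAK_SSH = [("unsupported-version", {"bypass"}, "unsupported SSH versions bypass inspection (deep scan needs SSH 2.0)"),
            ("ssh-algorithm", {"compatible"}, "broad cipher set negotiated instead of high-encryption")]
WEAK_PROFILE = [("ssl-anomalies-log", {"disable"}, "SSL anomalies are not logged"),
                ("ssl-exemptions-log", {"disable"}, "SSL exemptions are not logged")]


def _check(node, section: str, rules, profile: str, findings: list[Finding]) -> None:
    """Append a finding for each rule whose option is explicitly set to a weak value (defaults are not reported)."""
    for option, weak, reason in rules:
        value = node.settings.get(option) if node else None
        if value and value[0] in weak:
            findings.append((profile, f"{section}.{option}" if section else option, value[0], reason))


def audit_profiles(config_text: str) -> list[Finding]:
    """Return one finding per weak setting found in any firewall ssl-ssh-profile entry."""
    table = parse_fortios(config_text).children.get("firewall ssl-ssh-profile", Node())
    findings: list[Finding] = []
    for name, profile in table.entries.items():
        _check(profile, "", WEAK_PROFILE, name, findings)
        for section in SSL_SECTIONS:  # absent sections are skipped by _check
            _check(profile.children.get(section), section, WEAK_SSL, name, findings)
        _check(profile.children.get("ssh"), "ssh", WEAK_SSH, name, findings)
    return findings
```

Running audit_profiles(SAMPLE_CONFIG) reports nothing for "strict-deep" and six findings for "lenient"; options left at their defaults are not examined, so a clean report only covers values the profile sets explicitly.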

firewall ssl-ssh-profile

Use this command to configure UTM deep inspection options profiles for firewall policies. Deep inspection options configure how UTM functionality identifies secure content protocols such as HTTPS, FTPS, and SMTPS. Client comforting options are controlled by the corresponding non-secure protocol options in firewall profile-protocol-options.

To configure the ssl-server, change client-cert-request from bypass.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config ssh

set ssh-policy-check {enable | disable}

set ssh-tun-policy-check {enable | disable}

next

...

Options to enable SSH proxy and SSH tunnel policy check .

When ssh-policy-check is enabled, proxy will check "SSH proxy" policy for SSH traffic and check "SSH tunnel" policy for TCP/IP port forwarding traffic.

config ssh

set unsupported-version {bypass | block}

next

...

Option to either bypass or block unsupported versions of SSH. Note that deep scan is only supported by SSH 2.0.

config ssh

set ssh-algorithm {compatible | high-encryption}

next

...

The level of SSH encryption can be set for SSH sessions on a per-profile basis.

Either use a broader set of encryption algorithms to be used (better for compatibility), or only allow AES-CTR, AES-GCM and high encryption algorithms to be used for the session.

config firewall ssl-ssh-profile
    edit {name}
    # Configure SSL/SSH protocol options.
        set name {string}   Name. size[35]
        set comment {string}   Optional comments. size[255]
        config ssl
            set inspect-all {disable | certificate-inspection | deep-inspection}   Level of SSL inspection.
                    disable                 Disable.
                    certificate-inspection  Inspect SSL handshake only.
                    deep-inspection         Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config https
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | certificate-inspection | deep-inspection}   Configure protocol inspection status.
                    disable                 Disable.
                    certificate-inspection  Inspect SSL handshake only.
                    deep-inspection         Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config ftps
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config imaps
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config pop3s
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config smtps
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                    bypass   Bypass the session.
                    inspect  Inspect the session.
                    block    Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                    allow   Allow the untrusted server certificate.
                    block   Block the connection when an untrusted server certificate is detected.
                    ignore  Always take the server certificate as trusted.
        config ssh
            set ports {integer}   Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}   Configure protocol inspection status.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set inspect-all {disable | deep-inspection}   Level of SSL inspection.
                    disable          Disable.
                    deep-inspection  Full SSL inspection.
            set unsupported-version {bypass | block}   Action based on SSH version being unsupported.
                    bypass  Bypass the session.
                    block   Block the session.
            set ssh-policy-check {disable | enable}   Enable/disable SSH policy check.
            set ssh-tun-policy-check {disable | enable}   Enable/disable SSH tunnel policy check.
            set ssh-algorithm {compatible | high-encryption}   Relative strength of encryption algorithms accepted during negotiation.
                    compatible       Allow a broader set of encryption algorithms for best compatibility.
                    high-encryption  Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
        set whitelist {enable | disable}   Enable/disable exempting servers by FortiGuard whitelist.
        config ssl-exempt
            edit {id}
            # Servers to exempt from SSL inspection.
                set id {integer}   ID number. range[0-512]
                set type {option}   Type of address object (IPv4 or IPv6) or FortiGuard category.
                        fortiguard-category  FortiGuard category.
                        address              Firewall IPv4 address.
                        address6             Firewall IPv6 address.
                        wildcard-fqdn        Fully Qualified Domain Name with wildcard characters.
                        regex                Regular expression FQDN.
                set fortiguard-category {integer}   FortiGuard category ID. range[0-255]
                set address {string}   IPv4 address object. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set address6 {string}   IPv6 address object. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                set wildcard-fqdn {string}   Exempt servers by wildcard FQDN. size[63] - datasource(s): firewall.wildcard-fqdn.custom.name,firewall.wildcard-fqdn.group.name
                set regex {string}   Exempt servers by regular expression. size[255]
            next
        set server-cert-mode {re-sign | replace}   Re-sign or replace the server's certificate.
                re-sign  Multiple clients connecting to multiple servers.
                replace  Protect an SSL server.
        set use-ssl-server {disable | enable}   Enable/disable the use of SSL server table for SSL offloading.
        set caname {string}   CA certificate used by SSL Inspection. size[35] - datasource(s): vpn.certificate.local.name
        set untrusted-caname {string}   Untrusted CA certificate used by SSL Inspection. size[35] - datasource(s): vpn.certificate.local.name
        set server-cert {string}   Certificate used by SSL Inspection to replace server certificate. size[35] - datasource(s): vpn.certificate.local.name
        config ssl-server
            edit {id}
            # SSL servers.
                set id {integer}   SSL server ID. range[0-4294967295]
                set ip {ipv4 address any}   IPv4 address of the SSL server.
                set https-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the HTTPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set smtps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the SMTPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set pop3s-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the POP3S handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set imaps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the IMAPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set ftps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the FTPS handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
                set ssl-other-client-cert-request {bypass | inspect | block}   Action based on client certificate request during an SSL protocol handshake.
                        bypass   Bypass the session.
                        inspect  Inspect the session.
                        block    Block the session.
            next
        set ssl-anomalies-log {disable | enable}   Enable/disable logging SSL anomalies.
        set ssl-exemptions-log {disable | enable}   Enable/disable logging SSL exemptions.
        set rpc-over-https {enable | disable}   Enable/disable inspection of RPC over HTTPS.
        set mapi-over-https {enable | disable}   Enable/disable inspection of MAPI over HTTPS.
    next
end
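
The following is an added example, not part of the original reference, that puts the ssl-server options above together with replace mode to protect one published HTTPS server. The profile name, the server address 203.0.113.10 and the local certificate "web-srv-cert" (assumed to be already imported with its private key under vpn.certificate.local) are assumptions:

```text
config firewall ssl-ssh-profile
    edit "protect-web-srv"
        set comment "Inbound deep inspection for one published HTTPS server"
        # replace mode: the unit presents the server's own certificate instead of re-signing
        set server-cert-mode replace
        set server-cert "web-srv-cert"
        # the ssl-server table below is only consulted when use-ssl-server is enabled
        set use-ssl-server enable
        config ssl-server
            edit 1
                set ip 203.0.113.10
                # only HTTPS is served here; inspect it and bypass the other handshakes
                set https-client-cert-request inspect
                set smtps-client-cert-request bypass
                set pop3s-client-cert-request bypass
                set imaps-client-cert-request bypass
                set ftps-client-cert-request bypass
                set ssl-other-client-cert-request bypass
            next
        end
        # record handshakes that fail the validity checks
        set ssl-anomalies-log enable
    next
end
```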

Additional information

The following section is for those options that require additional explanation.

allow-invalid-server-cert

During the SSL handshake, a number of checks are made to verify the validity of the certificate.

One source for these checks is a CA certificate store inside FortiOS. This is the same CA bundle used by the Mozilla Firefox browser.

Updates to the store are:

  • With each new version of FortiOS
  • Via internal FGD
  • Possible with some builds via FTP

Details of the CA certificate store can be found at: https://curl.haxx.se/docs/caextract.html

The following checks are made for validity:

Validity Check

Description

Signature

One of the things checked against the CA bundle is the certificate signature. These signatures are generated by signing directly with the CA's private key.

Expiration date

All certificates have an expiry date. The current date, taken from the device's clock/calendar, is compared to the expiry date of the certificate.

Revoked list

Periodically, certificates are revoked. A revoked certificate is put on a list, and whenever a certificate is being verified it is checked against this list.

Self signed certificate

In the case of self-signed certificates, the IPS engine and the proxy handle the certificate differently. The IPS engine keeps and uses the self-signed certificate, but replaces its public key so that SSL inspection can take place. The proxy engine re-signs the certificate with the untrusted CA certificate. The mechanics differ, but the net effect for the user is similar: the browser shows a warning. In some browsers the user can choose to remember the self-signed certificate, but cannot do the same with the certificate re-signed by the untrusted CA.

Intermediate CA with a weak hash algorithm, such as MD5 or SHA1

Some browsers like Chrome or Firefox will give a warning because of a weak signature algorithm (visit https://sha1-intermediate.badssl.com to test).

In the IPS Engine, in order to convey the weak intermediate CA back to the client, the signature hash algorithm of the re-signed server certificate is downgraded to the weakest algorithm used in the original certificate chain.

In the Proxy Engine, a weak signature algorithm causes the connection to be treated as untrusted, and the server certificate is re-signed with the untrusted CA. The final user experience is different: instead of a warning such as "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" that you would get in Chrome, you get a warning that the certificate could not be verified (because the signing CA is not trusted by, or imported into, the user's web browser).
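
An added configuration example, not from the original page, showing where the behaviour described above surfaces in a re-sign mode profile: one CA certificate for chains that pass the validity checks and a separate one for chains that fail them, with logging of both anomalies and exemptions. The profile name and the two local CA certificate names are assumptions:

```text
config firewall ssl-ssh-profile
    edit "outbound-deep"
        set comment "Re-sign mode for many clients connecting to many servers"
        config ssl
            set inspect-all deep-inspection
        end
        set server-cert-mode re-sign
        # chains that pass the signature, expiry and revocation checks are re-signed
        # with caname; this is the CA to distribute to managed browsers
        set caname "Fortinet_CA_SSL"
        # self-signed, revoked, expired or weak-hash chains are re-signed with
        # untrusted-caname instead; keep this CA out of browser trust stores, otherwise the
        # "certificate could not be verified" warning described above never reaches the user
        set untrusted-caname "Fortinet_CA_Untrusted"
        # log handshakes that fail the checks, and the exemptions that skip them
        set ssl-anomalies-log enable
        set ssl-exemptions-log enable
    next
end
```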