firewall ssl-ssh-profile
Use this command to configure UTM deep inspection options profiles for firewall policies. Deep inspection options configure how UTM functionality identifies secure content protocols such as HTTPS, FTPS, and SMTPS. Client comforting options are controlled by the corresponding non-secure protocol options in firewall profile-protocol-options.
To configure the ssl-server, change client-cert-request from bypass.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
`config ssh` ... `set ssh-policy-check {enable \| disable}` `set ssh-tun-policy-check {enable \| disable}` `next` ... | Options to enable SSH proxy and SSH tunnel policy check. When |
`config ssh` ... `set unsupported-version {bypass \| block}` `next` ... | Option to either bypass or block unsupported versions of SSH. Note that deep scan is only supported by SSH 2.0. |
`config ssh` ... `set ssh-algorithm {compatible \| high-encryption}` `next` ... | The level of SSH encryption can be set for SSH sessions on a per-profile basis. Either allow a broader set of encryption algorithms (better for compatibility), or only allow AES-CTR, AES-GCM and high encryption algorithms to be used for the session. |
```
config firewall ssl-ssh-profile
    edit {name}                                        # Configure SSL/SSH protocol options.
        set name {string}                              Name. size[35]
        set comment {string}                           Optional comments. size[255]
        config ssl
            set inspect-all {disable | certificate-inspection | deep-inspection}   Level of SSL inspection.
                disable                   Disable.
                certificate-inspection    Inspect SSL handshake only.
                deep-inspection           Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                allow      Allow the untrusted server certificate.
                block      Block the connection when an untrusted server certificate is detected.
                ignore     Always take the server certificate as trusted.
        config https
            set ports {integer}                        Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | certificate-inspection | deep-inspection}   Configure protocol inspection status.
                disable                   Disable.
                certificate-inspection    Inspect SSL handshake only.
                deep-inspection           Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                allow      Allow the untrusted server certificate.
                block      Block the connection when an untrusted server certificate is detected.
                ignore     Always take the server certificate as trusted.
        config ftps
            set ports {integer}                        Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}     Configure protocol inspection status.
                disable                   Disable.
                deep-inspection           Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                allow      Allow the untrusted server certificate.
                block      Block the connection when an untrusted server certificate is detected.
                ignore     Always take the server certificate as trusted.
        config imaps
            set ports {integer}                        Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}     Configure protocol inspection status.
                disable                   Disable.
                deep-inspection           Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                allow      Allow the untrusted server certificate.
                block      Block the connection when an untrusted server certificate is detected.
                ignore     Always take the server certificate as trusted.
        config pop3s
            set ports {integer}                        Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}     Configure protocol inspection status.
                disable                   Disable.
                deep-inspection           Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                allow      Allow the untrusted server certificate.
                block      Block the connection when an untrusted server certificate is detected.
                ignore     Always take the server certificate as trusted.
        config smtps
            set ports {integer}                        Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}     Configure protocol inspection status.
                disable                   Disable.
                deep-inspection           Full SSL inspection.
            set client-cert-request {bypass | inspect | block}   Action based on client certificate request.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set unsupported-ssl {bypass | inspect | block}   Action based on the SSL encryption used being unsupported.
                bypass     Bypass the session.
                inspect    Inspect the session.
                block      Block the session.
            set allow-invalid-server-cert {enable | disable}   When enabled, allows SSL sessions whose server certificate validation failed.
            set untrusted-cert {allow | block | ignore}   Allow, ignore, or block the untrusted SSL session server certificate.
                allow      Allow the untrusted server certificate.
                block      Block the connection when an untrusted server certificate is detected.
                ignore     Always take the server certificate as trusted.
        config ssh
            set ports {integer}                        Ports to use for scanning (1 - 65535, default = 443). range[1-65535]
            set status {disable | deep-inspection}     Configure protocol inspection status.
                disable                   Disable.
                deep-inspection           Full SSL inspection.
            set inspect-all {disable | deep-inspection}   Level of SSL inspection.
                disable                   Disable.
                deep-inspection           Full SSL inspection.
            set unsupported-version {bypass | block}   Action based on SSH version being unsupported.
                bypass     Bypass the session.
                block      Block the session.
            set ssh-policy-check {disable | enable}    Enable/disable SSH policy check.
            set ssh-tun-policy-check {disable | enable}   Enable/disable SSH tunnel policy check.
            set ssh-algorithm {compatible | high-encryption}   Relative strength of encryption algorithms accepted during negotiation.
                compatible         Allow a broader set of encryption algorithms for best compatibility.
                high-encryption    Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
        set whitelist {enable | disable}               Enable/disable exempting servers by FortiGuard whitelist.
        config ssl-exempt
            edit {id}                                  # Servers to exempt from SSL inspection.
                set id {integer}                       ID number. range[0-512]
                set type {option}                      Type of address object (IPv4 or IPv6) or FortiGuard category.
                    fortiguard-category    FortiGuard category.
                    address                Firewall IPv4 address.
                    address6               Firewall IPv6 address.
                    wildcard-fqdn          Fully Qualified Domain Name with wildcard characters.
                    regex                  Regular expression FQDN.
                set fortiguard-category {integer}      FortiGuard category ID. range[0-255]
                set address {string}                   IPv4 address object. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
                set address6 {string}                  IPv6 address object. size[63] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
                set wildcard-fqdn {string}             Exempt servers by wildcard FQDN. size[63] - datasource(s): firewall.wildcard-fqdn.custom.name,firewall.wildcard-fqdn.group.name
                set regex {string}                     Exempt servers by regular expression. size[255]
            next
        set server-cert-mode {re-sign | replace}       Re-sign or replace the server's certificate.
            re-sign    Multiple clients connecting to multiple servers.
            replace    Protect an SSL server.
        set use-ssl-server {disable | enable}          Enable/disable the use of SSL server table for SSL offloading.
        set caname {string}                            CA certificate used by SSL Inspection. size[35] - datasource(s): vpn.certificate.local.name
        set untrusted-caname {string}                  Untrusted CA certificate used by SSL Inspection. size[35] - datasource(s): vpn.certificate.local.name
        set server-cert {string}                       Certificate used by SSL Inspection to replace server certificate. size[35] - datasource(s): vpn.certificate.local.name
        config ssl-server
            edit {id}                                  # SSL servers.
                set id {integer}                       SSL server ID. range[0-4294967295]
                set ip {ipv4 address any}              IPv4 address of the SSL server.
                set https-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the HTTPS handshake.
                    bypass     Bypass the session.
                    inspect    Inspect the session.
                    block      Block the session.
                set smtps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the SMTPS handshake.
                    bypass     Bypass the session.
                    inspect    Inspect the session.
                    block      Block the session.
                set pop3s-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the POP3S handshake.
                    bypass     Bypass the session.
                    inspect    Inspect the session.
                    block      Block the session.
                set imaps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the IMAPS handshake.
                    bypass     Bypass the session.
                    inspect    Inspect the session.
                    block      Block the session.
                set ftps-client-cert-request {bypass | inspect | block}   Action based on client certificate request during the FTPS handshake.
                    bypass     Bypass the session.
                    inspect    Inspect the session.
                    block      Block the session.
                set ssl-other-client-cert-request {bypass | inspect | block}   Action based on client certificate request during an SSL protocol handshake.
                    bypass     Bypass the session.
                    inspect    Inspect the session.
                    block      Block the session.
            next
        set ssl-anomalies-log {disable | enable}       Enable/disable logging SSL anomalies.
        set ssl-exemptions-log {disable | enable}      Enable/disable logging SSL exemptions.
        set rpc-over-https {enable | disable}          Enable/disable inspection of RPC over HTTPS.
        set mapi-over-https {enable | disable}         Enable/disable inspection of MAPI over HTTPS.
    next
end
```
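As an added example (not part of the FortiOS reference), the script below parses a profile written in the config/edit/set/next/end syntax shown above and reports the options whose values weaken inspection according to the option descriptions: `allow-invalid-server-cert enable`, `untrusted-cert allow` or `ignore`, `unsupported-version bypass`, `ssh-algorithm compatible`, and `ssl-anomalies-log disable`. The `SAMPLE_PROFILE` text and the profile name `audit-demo` are constructed for the demonstration, and the choice of which values count as weak is the author's own reading of the reference, not a FortiOS rule.

```python
import shlex

# Constructed sample in the CLI syntax above (not from the reference); each option is set to its weaker value.
SAMPLE_PROFILE = """
config firewall ssl-ssh-profile
    edit "audit-demo"
        config ssl
            set allow-invalid-server-cert enable
            set untrusted-cert allow
        end
        config ssh
            set unsupported-version bypass
            set ssh-algorithm compatible
        end
        set ssl-anomalies-log disable
    next
end
"""

def parse_fortios(text):
    """Nest config/edit scopes as dicts; 'set k v' stores v under k in the current scope."""
    stack = [{}]
    for words in filter(None, map(shlex.split, text.splitlines())):  # shlex strips quotes around edit names
        verb, rest = words[0], words[1:]
        if verb in ("config", "edit"):          # open a nested scope keyed by the rest of the line
            stack.append(stack[-1].setdefault(" ".join(rest), {}))
        elif verb == "set":
            stack[-1][rest[0]] = " ".join(rest[1:])
        elif verb in ("next", "end"):           # close the current scope
            stack.pop()
    return stack[0]

# (section, option, values that weaken inspection, why it matters); "" means the edit-level scope
WEAK_SETTINGS = [
    ("ssl", "allow-invalid-server-cert", {"enable"}, "sessions whose server-cert validation failed are allowed"),
    ("ssl", "untrusted-cert", {"allow", "ignore"}, "untrusted server certificates are not blocked"),
    ("ssh", "unsupported-version", {"bypass"}, "unsupported SSH versions bypass inspection"),
    ("ssh", "ssh-algorithm", {"compatible"}, "broad cipher set; high-encryption limits to AES-CTR/AES-GCM"),
    ("", "ssl-anomalies-log", {"disable"}, "SSL anomalies are not logged"),
]

def load_profile(text, name):
    return parse_fortios(text)["firewall ssl-ssh-profile"][name]

def audit_profile(profile):
    """Return one finding string per weak setting present in a parsed profile dict."""
    findings = []
    for section, option, weak, reason in WEAK_SETTINGS:
        value = (profile.get(section, {}) if section else profile).get(option)
        if value in weak:
            findings.append(f"{section + '/' if section else ''}{option}={value}: {reason}")
    return findings
```

Running `audit_profile(load_profile(SAMPLE_PROFILE, "audit-demo"))` yields five findings; a profile with `untrusted-cert block`, `allow-invalid-server-cert disable`, `unsupported-version block`, `ssh-algorithm high-encryption` and `ssl-anomalies-log enable` yields none.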
Additional information
The following section is for those options that require additional explanation.
allow-invalid-server-cert
During the SSL handshake, a number of checks are made to verify the validity of the certificate.
One source of the checks is a CA certificate store inside FortiOS. This is the same CA bundle used by the browser Mozilla Firefox.
Updates to the store are:
- With each new version of FortiOS
- Via internal FGD
- Possible with some builds via FTP
Details of the CA certificate store can be found at: https://curl.haxx.se/docs/caextract.html
The following checks are made for validity:
Validity Check | Description |
---|---|
Signature | One of the things being checked against the CA bundle is the certificate signature. These signatures are generated by signing directly with the CA's private key. |
Expiration date | All certificates have an expiry date. The date, based on the device's clock/calendar, is compared to the expiry date of the certificate. |
Revoked list | Periodically, certificates are revoked. If a certificate has been revoked it is put on a list. Whenever a certificate is being verified, it is checked against this list. |
Self signed certificate | In the case of self-signed certificates, the IPS engine and proxy have different handling. The IPS engine will keep and use the self-signed certificate, but the public key will be replaced so that SSL inspection can take place. The proxy engine will re-sign the certificate with the untrusted CA certificate. The mechanics differ but the net effect for the user is similar: the user will get warnings from browsers. Users can choose to remember the self-signed certificate in some browsers, but cannot do the same thing with the certificate re-signed with the untrusted CA. |
Intermediate CA with a weak hash algorithm, such as MD5, SHA1 | Some browsers like Chrome or Firefox will give a warning because of a weak signature algorithm (visit https://sha1-intermediate.badssl.com to test). In the IPS engine, in order to convey the weak intermediate CA back to the client, the signature hash algorithm in the re-signed server certificate is downgraded to the weakest algorithm used in the original certificate chain. In the proxy engine, in the case of a weak signature algorithm, the connection is treated as untrusted and the server certificate is re-signed with the untrusted CA. The final user experience is different: instead of a warning like "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM" that you would get in Chrome, you will get a warning that the certificate couldn't be verified (because the signing CA is not trusted or imported into the user's web browser). |