TLS encryption is used to secure traffic, but the encrypted traffic can be used to get around your network's normal defenses. SSL/TLS deep inspection allows firewalls to inspect traffic even when they are encrypted. When you use deep inspection, the FortiGate serves as the intermediary to connect to the SSL server, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content with a certificate that is signed by the FortiGate, and sends it to the real recipient. The FortiGate acts as a subordinate CA to sign the certificate on the fly, as it re-encrypts traffic. The FortiGate usually uses a subordinate CA certificate that is signed by the company's private CA, such as a FortiAuthenticator or a Windows server with certificate services. For information about uploading a CA certificate and private key for deep inspection, see Certificates in the FortiOS Administration Guide.
To implement seamless deep inspection, users must trust the certificate that is signed by the FortiGate, and there must be certificate chain back to the trusted root CA that is installed on the user's endpoint. If the root certificate is not installed, the user receives a certificate warning every time they access a website that is scanned by the FortiGate using deep inspection. Administrators should provide the CA certificate to the end users if deep inspection will be used.
Users should be made aware that their communication is subject to these security measures, and that their privacy while protected by a FortiGate that is performing deep inspection cannot be guaranteed. Performing deep inspection might be undesirable when users are accessing certain web categories, such banking or personal health related sites. When creating SSL/SSH inspection profiles that use full SSL inspection, the Finance and Banking, Health and Wellness, and Personal Privacy categories are exempt from inspection by default. Administrators can customize these categories, enable Reputable websites, and add individual addresses to the SSL exemptions as required.