Certificate inspection

FortiGate supports certificate inspection. The default configuration includes a built-in certificate-inspection profile that you can use directly. With certificate inspection, the FortiGate inspects only the unencrypted headers up to the SSL/TLS layer and does not decrypt the session.

If you do not want to perform deep inspection for privacy reasons but still want to control website access, use certificate inspection.

SSL inspection options

The following options are available when configuring an SSL inspection profile:

Enable SSL inspection of

Select Multiple Clients Connecting to Multiple Servers.

This option is normally used when inspecting outbound internet traffic.

Inspection method

Select SSL Certificate Inspection.

CA certificate

Use the default Fortinet_CA_SSL certificate.

Blocked certificates

The FortiGate receives a botnet C&C SSL connection list from FortiGuard that contains the SHA1 fingerprints of malicious certificates. By default, connections presenting these certificates are blocked.

Click View Blocked Certificates to see a detailed list.

Untrusted SSL certificates

Configure the action to take when a server certificate is not issued by a trusted CA.
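As an added example (not code from the Fortinet documentation), the following Go program shows what the two checks above, blocked-fingerprint matching and the untrusted-CA action, amount to when only the server certificate is available and the session is never decrypted. It assumes a constructed self-signed certificate and a lower-case hex layout for the blocked fingerprints; the function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Fingerprint returns the SHA1 fingerprint of a DER certificate as lower-case hex
// (the layout is an assumption; the page only says the blocked list holds SHA1 values).
func Fingerprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// Inspect applies the two checks certificate inspection makes without decrypting the
// session: the blocked-fingerprint list first, then issuer trust. untrustedAction is
// "block" or "allow", mirroring the Untrusted SSL certificates option.
func Inspect(der []byte, blocked map[string]bool, roots *x509.CertPool, untrustedAction string) (string, error) {
	if blocked[Fingerprint(der)] {
		return "block: fingerprint on blocked-certificate list", nil
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil && untrustedAction == "block" {
		return "block: not issued by a trusted CA", nil
	}
	return "allow", nil
}

// SelfSignedDER builds a constructed self-signed test certificate (not a real server cert).
func SelfSignedDER(cn string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

A self-signed certificate with an empty root pool is the "not issued by a trusted CA" case; adding the same certificate to the pool makes it trusted, and listing its fingerprint blocks it regardless of trust.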