SSL & SSH Inspection

Secure sockets layer (SSL) content scanning and inspection allows you to apply antivirus scanning, web filtering, and email filtering to encrypted traffic. You can apply SSL inspection profiles to firewall policies.

FortiOS includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:

  • certificate-inspection
  • deep-inspection
  • no-inspection

The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.

Deep inspection (also known as SSL/SSH inspection) is typically applied to outbound policies where destinations are unknown. Depending on your policy requirements, you can configure the following:

  • Which CA certificate will be used to decrypt the SSL encrypted traffic
  • Which SSL protocols will be inspected
  • Which ports will be associated with which SSL protocols for inspection
  • Whether or not to allow invalid SSL certificates
  • Whether or not SSH traffic will be inspected
  • Which addresses or web category allowlists can bypass SSL inspection

The following topics provide information about SSL & SSH Inspection: