Fortinet black logo

Administration Guide

Deep inspection

Deep inspection

You can configure address and web category allowlists to bypass SSL deep inspection.

Reasons for using deep inspection

While Hypertext Transfer Protocol Secure (HTTPS) offers protection on the Internet by applying Secure Sockets Layer (SSL) encryption to web traffic, encrypted traffic can be used to get around your network's normal defenses.

For example, you might download a file containing a virus during an e-commerce session, or you might receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they might get past your network's security measures.

When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

Deep inspection not only protects you from attacks that use HTTPS, it also protects you from other commonly-used SSL-encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS.

Protocol port mapping

To optimize the FortiGate’s resources, the mapping and inspection of the following protocols can be enabled or disabled:

  • HTTPS
  • SMTPS
  • POP3S
  • IMAPS
  • FTPS
  • DNS over TLS

Each protocol has a default TCP port. The ports can be modified to inspect any port with flowing traffic. The packet headers indicate which protocol generated the packet.

Note

Protocol port mapping only works with proxy-based inspection. Flow-based inspection inspects all ports regardless of the protocol port mapping configuration.

Browser messages when using deep inspection

When the FortiGate re-encrypts the content, it uses a stored certificate, such as Fortinet_CA_SSL, Fortinet_CA_Untrusted, or your own CA certificate that you uploaded.

Because there is no Fortinet_CA_SSL in the browser trusted CA list, the browser displays an untrusted certificate warning when it receives a FortiGate re-signed server certificate. To stop the warning messages, trust the FortiGate-trusted CA Fortinet_CA_SSL and import it into your browser.

If you still get messages about untrusted certificates after importing Fortinet_CA_SSL into your browser, it is due to Fortinet_CA_Untrusted. Never import the Fortinet_CA_Untrusted certificate into your browser.

To import Fortinet_CA_SSL into your browser:
  1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection and edit the deep-inspection profile.

    The default CA Certificate is Fortinet_CA_SSL.

  2. Click Download and save the certificate to the management computer.
  3. On the client PC, use the Certificate Import Wizard to install the certificate into the Trusted Root Certificate Authorities store.

    If a security warning appears, select Yes to install the certificate.

Exempt web sites from deep inspection

If you do not want to apply deep inspection for privacy or other reasons, you can exempt the session by address, category, or allowlist.

If you know the address of the server you want to exempt, you can exempt that address. You can exempt specific address type including IP address, IP address range, IP subnet, FQDN, wildcard-FQDN, and geography.

If you want to exempt all bank web sites, an easy way is to exempt the Finance and Banking category, which includes all finance and bank web sites identified in FortiGuard. For information about creating and using custom local and remote categories, see Web rating override and Threat feeds.

If you want to exempt commonly trusted web sites, you can bypass the SSL allowlist in the SSL/SSH profile by enabling Reputable websites. The allowlist includes common web sites trusted by FortiGuard.

SSL version support

There are two ways to limit which SSL versions deep inspection is applied to.

  • In the global attributes:
    config system global
        set strong-crypto enable
    end
  • In the protocol configuration of a deep inspection profile:
    config firewall ssl-ssh-profile
        edit <name>
            config {ssl | https | ftps}
                set min-allowed-ssl-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3}
            end
        next
    end

Enabling strong-crypto in the global attributes sets the min-allowed-ssl-version to tls-1.1 by default.

When a session is attempted using an SSL version below the minimum allowed version, the session can be blocked (default) or allowed.

To configure the action based on the SSL version used being unsupported:
config firewall ssl-ssh-profile
    edit <name>
        config {ssl | https | ftps | imaps | pop3s | smtps | dot}
            set unsupported-ssl-version {allow | block}
        end
    next
end

More Links

Deep inspection

You can configure address and web category allowlists to bypass SSL deep inspection.

Reasons for using deep inspection

While Hypertext Transfer Protocol Secure (HTTPS) offers protection on the Internet by applying Secure Sockets Layer (SSL) encryption to web traffic, encrypted traffic can be used to get around your network's normal defenses.

For example, you might download a file containing a virus during an e-commerce session, or you might receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they might get past your network's security measures.

When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

Deep inspection not only protects you from attacks that use HTTPS, it also protects you from other commonly-used SSL-encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS.

Protocol port mapping

To optimize the FortiGate’s resources, the mapping and inspection of the following protocols can be enabled or disabled:

  • HTTPS
  • SMTPS
  • POP3S
  • IMAPS
  • FTPS
  • DNS over TLS

Each protocol has a default TCP port. The ports can be modified to inspect any port with flowing traffic. The packet headers indicate which protocol generated the packet.

Note

Protocol port mapping only works with proxy-based inspection. Flow-based inspection inspects all ports regardless of the protocol port mapping configuration.

Browser messages when using deep inspection

When the FortiGate re-encrypts the content, it uses a stored certificate, such as Fortinet_CA_SSL, Fortinet_CA_Untrusted, or your own CA certificate that you uploaded.

Because there is no Fortinet_CA_SSL in the browser trusted CA list, the browser displays an untrusted certificate warning when it receives a FortiGate re-signed server certificate. To stop the warning messages, trust the FortiGate-trusted CA Fortinet_CA_SSL and import it into your browser.

If you still get messages about untrusted certificates after importing Fortinet_CA_SSL into your browser, it is due to Fortinet_CA_Untrusted. Never import the Fortinet_CA_Untrusted certificate into your browser.

To import Fortinet_CA_SSL into your browser:
  1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection and edit the deep-inspection profile.

    The default CA Certificate is Fortinet_CA_SSL.

  2. Click Download and save the certificate to the management computer.
  3. On the client PC, use the Certificate Import Wizard to install the certificate into the Trusted Root Certificate Authorities store.

    If a security warning appears, select Yes to install the certificate.

Exempt web sites from deep inspection

If you do not want to apply deep inspection for privacy or other reasons, you can exempt the session by address, category, or allowlist.

If you know the address of the server you want to exempt, you can exempt that address. You can exempt specific address type including IP address, IP address range, IP subnet, FQDN, wildcard-FQDN, and geography.

If you want to exempt all bank web sites, an easy way is to exempt the Finance and Banking category, which includes all finance and bank web sites identified in FortiGuard. For information about creating and using custom local and remote categories, see Web rating override and Threat feeds.

If you want to exempt commonly trusted web sites, you can bypass the SSL allowlist in the SSL/SSH profile by enabling Reputable websites. The allowlist includes common web sites trusted by FortiGuard.

SSL version support

There are two ways to limit which SSL versions deep inspection is applied to.

  • In the global attributes:
    config system global
        set strong-crypto enable
    end
  • In the protocol configuration of a deep inspection profile:
    config firewall ssl-ssh-profile
        edit <name>
            config {ssl | https | ftps}
                set min-allowed-ssl-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3}
            end
        next
    end

Enabling strong-crypto in the global attributes sets the min-allowed-ssl-version to tls-1.1 by default.

When a session is attempted using an SSL version below the minimum allowed version, the session can be blocked (default) or allowed.

To configure the action based on the SSL version used being unsupported:
config firewall ssl-ssh-profile
    edit <name>
        config {ssl | https | ftps | imaps | pop3s | smtps | dot}
            set unsupported-ssl-version {allow | block}
        end
    next
end