SSL & SSH Inspection
Secure Sockets Layer (SSL) content scanning and inspection allows you to apply antivirus scanning, web filtering, and email filtering to encrypted traffic. You can apply SSL inspection profiles to firewall policies.
FortiOS includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:
- certificate-inspection
- deep-inspection
- no-inspection
The fourth profile, custom-deep-inspection, is editable; you can also create your own SSL/SSH inspection profiles from scratch or by cloning one of the read-only ones.
Deep inspection (also known as SSL/SSH inspection) is typically applied to outbound policies where destinations are unknown. Depending on your policy requirements, you can configure the following:
- Which CA certificate will be used to decrypt the SSL encrypted traffic
- Which SSL protocols will be inspected
- Which ports will be associated with which SSL protocols for inspection
- Whether or not to allow invalid SSL certificates
- Whether or not SSH traffic will be inspected
- Which addresses or web category allowlists can bypass SSL inspection
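The following CLI fragment is an added example, not configuration taken from this page or shipped by Fortinet; it shows how the options listed above map onto a `firewall ssl-ssh-profile` entry on a typical FortiOS 7.x unit. The CA names `Fortinet_CA_SSL` and `Fortinet_CA_Untrusted` are the factory defaults; the address object `update-servers`, the policy ID `10` and the profile comment are constructed for the example, and the logging options at the end are assumed to exist on your firmware (check with `?` in the CLI). The `untrusted-server-cert` line is shown twice so the weak setting and the hardened one can be compared.

```text
# Added example (not from the page): a deep-inspection profile that re-signs
# server certificates with the FortiGate's CA, treats invalid certificates
# strictly, inspects SSH on port 22, and exempts one trusted address object.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Constructed example profile"          # constructed
        # Which CA certificate re-signs server certificates
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"                        # factory default CA
        set untrusted-caname "Fortinet_CA_Untrusted"        # used for untrusted origins
        # Which SSL protocol/port pairs are inspected
        config https
            set ports 443
            set status deep-inspection
            # Whether invalid certificates are allowed:
            # set untrusted-server-cert allow    <- weak: user sees a valid re-signed cert
            set untrusted-server-cert block     # hardened: fail closed
            set expired-server-cert block
            set revoked-server-cert block
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        # Whether SSH traffic is inspected
        config ssh
            set ports 22
            set status deep-inspection
        end
        # Which addresses bypass SSL inspection
        config ssl-exempt
            edit 1
                set type address
                set address "update-servers"                # constructed address object
            next
        end
        # Logging of exemptions and anomalies (assumed option names; verify)
        set ssl-exemptions-log enable
        set ssl-anomalies-log enable
    next
end

# Attach the profile to an outbound policy (policy ID constructed)
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
```

A practical check after applying it: browse from a client behind the policy to an HTTPS site and confirm the presented certificate chain ends at the FortiGate CA rather than the public one; then hit a site the `untrusted-server-cert block` rule should refuse (for example an internal test server with a self-signed certificate) and confirm the block page rather than a silently re-signed session.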
The following topics provide information about SSL & SSH Inspection:
- Certificate inspection
- Deep inspection
- Protecting an SSL server
- Handling SSL offloaded traffic from an external decryption device
- SSH traffic file scanning
- Redirect to WAD after handshake completion
- HTTP/2 support in proxy mode SSL inspection
- Define multiple certificates in an SSL profile in replace mode
- Disabling the FortiGuard IP address rating