Administration Guide

Certificate inspection

FortiGate supports certificate inspection. The default configuration has a built-in certificate-inspection profile which you can use directly. When you use certificate inspection, the FortiGate only inspects the headers up to the SSL/TLS layer.

If you do not want to deep scan for privacy reasons but you want to control web site access, you can use certificate-inspection.

Note

When a firewall policy is in flow-based inspection mode, SSL Certificate Inspection does not validate the certificate. Untrusted SSL certificates and Server Certificate SNI checks are not performed. If these features are needed, use proxy-based inspection mode.

Inspect non-standard HTTPS ports

The built-in certificate-inspection profile is read-only and only listens on port 443. If you want to make changes, you must create a new certificate inspection profile.

If you know the non-standard port that the web server uses, such as port 8443, you can add this port to the HTTPS field.

To add a port to the inspection profile in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.

  2. Create a new profile, or clone the default profile.

  3. If you do not know which port the HTTPS web server uses, under Protocol Port Mapping, enable Inspect All Ports.

    If you know the port, such as port 8443, then set HTTPS to 443,8443.

  4. Configure the remaining settings as needed.

  5. Click OK.
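To make concrete what certificate inspection has to work with, and how the HTTPS port mapping above decides which flows are looked at, here is an added Python model (example code, not FortiGate code): it builds a constructed TLS ClientHello, reads the cleartext SNI from it, and applies the port-selection rule for the default profile (443 only), a profile with HTTPS set to 443,8443, and Inspect All Ports. The record layout follows the TLS 1.2 handshake format; the function and parameter names are this example's own.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed sample input, not captured traffic."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, fixed random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(sni)) + sni)                  # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed.
    This header data is in cleartext, which is why it is visible without decryption."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        pos = 43                                            # record hdr + hs hdr + version + random
        pos += 1 + record[pos]                              # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                              # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(record)):
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0 and ext_len >= 5:              # server_name: list len, type, name len, name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None                                         # truncated record
    return None

def inspect_flow(record: bytes, dst_port: int, https_ports=(443,), inspect_all=False):
    """Apply the profile's protocol port mapping, then read the SNI.
    Returns the host name, or None if the port is not mapped or no SNI is present."""
    if not (inspect_all or dst_port in https_ports):
        return None
    return extract_sni(record)

if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(inspect_flow(hello, 8443))                           # None: default profile, 443 only
    print(inspect_flow(hello, 8443, https_ports=(443, 8443)))  # www.example.com
    print(inspect_flow(hello, 9443, inspect_all=True))         # www.example.com
```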

Common options

Invalid SSL certificates can be blocked or allowed, or a different action can be configured for each type of invalid certificate. See Configuring an SSL/SSH inspection profile.

Note

When a firewall policy is in flow-based inspection mode, SSL Certificate Inspection does not validate the certificate. Expired certificates and Revoked certificates checks are not performed, and the Validation timed-out certificates and Validation failed certificates actions do not apply. If these features are needed, use proxy-based inspection mode.