Fortinet Document Library


New Features


Extended SSL and certificate support in ssl-ssh-profile

FortiManager includes extended SSL and certificate support in the FortiGate ssl-ssh-profile, so the new certificate-validation options can be set centrally and installed to managed devices.

Before the extended support, the CLI provided only the following options:

invalid-server-cert - Allow or block SSL sessions whose server certificate is invalid.

untrusted-server-cert - Allow, ignore, or block SSL sessions whose server certificate is untrusted.

After the extended support was added, the CLI provides the following options (* marks the default value):

unsupported-ssl-cipher [allow* | block]

unsupported-ssl-negotiation [allow* | block]

expired-server-cert [allow | ignore | block*]

revoked-server-cert [allow | ignore | block*]

cert-validation-timeout [allow* | ignore | block]

cert-validation-failure [allow | ignore | block*]

Each option set to allow lets the session through without enforcing that check; the two defaults that allow are the unsupported-cipher and unsupported-negotiation cases and the validation timeout, so a profile that keeps the defaults still permits sessions whose certificate could not be checked in time.

To use the extended support in the GUI:
  1. Go to Device Manager > Device & Groups, and display the dashboard for a device.
    1. In the tree menu, select the device group, for example, Managed Devices.

      The list of devices displays in the content pane and in the bottom tree menu.

    2. In the bottom tree menu, select a device.

      The System: Dashboard for the device displays in the content pane.

  2. If the CLI Configurations menu is hidden, click Display Options, and select CLI Configurations.

    The CLI Configurations menu is displayed.

  3. In the search box, type ssl-ssh-profile, and then select the profile.

    The firewall > ssl-ssh-profile page is displayed.

  4. Select the checkbox beside custom-deep-inspection, and click Edit.

    The firewall > ssl-ssh-profile options are displayed.

  5. Scroll down to the https section, and view the following new options (* marks the default value):

    unsupported-ssl-cipher [allow* | block]

    unsupported-ssl-negotiation [allow* | block]

    expired-server-cert [allow | ignore | block*]

    revoked-server-cert [allow | ignore | block*]

    cert-validation-timeout [allow* | ignore | block]

    cert-validation-failure [allow | ignore | block*]

  6. In the expired-server-cert list, select allow.

  7. In the unsupported-ssl-cipher list, select block.

    Steps 6 and 7 only illustrate where the controls are: step 6 relaxes the default for expired server certificates, and step 7 tightens the default for unsupported ciphers. Choose the values that match your own inspection policy.

  8. Click OK to apply the changes.
  9. Install the changes to the FortiGate device.

    The changes are installed to the FortiGate. You can view the changes on the FortiGate unit by using the CLI.

To use the extended support in the CLI:

The profile as shown on the FortiGate CLI. The lines marked <-- New are the added options; the values shown here are the defaults marked with * above, not the values chosen in the GUI procedure.

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config ssl
            set inspect-all disable
        end
        config https
            set ports 443
            set status deep-inspection
            set proxy-after-tcp-handshake disable
            set client-certificate bypass
            set unsupported-ssl-cipher allow <-- New
            set unsupported-ssl-negotiation allow <-- New
            set expired-server-cert block <-- New
            set revoked-server-cert block <-- New
            set untrusted-server-cert allow
            set cert-validation-timeout allow <-- New
            set cert-validation-failure block <-- New
            set sni-server-cert-check enable
        end
    next
end
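The GUI procedure and the CLI listing above both leave it to the reader to notice which of the new options still allow a session through. The following added example (not Fortinet code, and not part of the original page) parses a FortiOS config block of the shape shown above, compares the https section of a profile against an assumed fail-closed baseline, and prints the set commands that would bring it in line. The sample profile is the page's own listing; the HARDENED baseline, the function names, and the decision to treat cert-validation-timeout as block are this example's assumptions, not Fortinet recommendations.

```python
"""Audit the certificate-validation options of a FortiOS ssl-ssh-profile.

Added example; not Fortinet code. The parser understands the
config / edit / set / next / end nesting used by the FortiOS CLI.
"""
import shlex
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the profile listing from this page (FortiOS default values).
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config ssl
            set inspect-all disable
        end
        config https
            set ports 443
            set status deep-inspection
            set proxy-after-tcp-handshake disable
            set client-certificate bypass
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
            set sni-server-cert-check enable
        end
    next
end
"""

# Assumed hardened baseline (editorial choice, not a Fortinet recommendation):
# fail closed on every certificate problem and on unknown ciphers/negotiation.
# cert-validation-timeout=block also fails closed when CRL/OCSP is unreachable,
# so weigh that against availability before rolling it out.
HARDENED: Dict[str, str] = {
    "unsupported-ssl-cipher": "block",
    "unsupported-ssl-negotiation": "block",
    "expired-server-cert": "block",
    "revoked-server-cert": "block",
    "untrusted-server-cert": "block",
    "cert-validation-timeout": "block",
    "cert-validation-failure": "block",
}

Finding = Tuple[str, Optional[str], str]  # (option, current value or None, required value)


def parse_fortios(text: str) -> Dict[str, Any]:
    """Turn nested config/edit/set/next/end lines into nested dicts.

    'config a b' and 'edit "x"' open a child dict keyed by their argument;
    'set k v' stores v (a list when the option has several values);
    'next' and 'end' close the innermost block.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the quoted comment/edit names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_profile(config: Dict[str, Any], name: str, section: str = "https") -> List[Finding]:
    """Return one finding per baseline option that the profile does not meet.

    An absent option is reported with current=None: the device default applies,
    which for the cipher, negotiation and timeout options means allow.
    """
    settings = config["firewall ssl-ssh-profile"][name].get(section, {})
    return [
        (option, settings.get(option), required)
        for option, required in HARDENED.items()
        if settings.get(option) != required
    ]


def remediation_cli(name: str, findings: List[Finding], section: str = "https") -> str:
    """Render the FortiOS commands that would bring the profile to the baseline."""
    lines = ["config firewall ssl-ssh-profile", f'    edit "{name}"', f"        config {section}"]
    lines += [f"            set {option} {required}" for option, _current, required in findings]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    found = audit_profile(cfg, "custom-deep-inspection")
    for option, current, required in found:
        print(f"{option}: {current or '<device default>'} -> {required}")
    print(remediation_cli("custom-deep-inspection", found))
```

Run against the page's listing, the audit flags the four options left at allow (unsupported-ssl-cipher, unsupported-ssl-negotiation, untrusted-server-cert and cert-validation-timeout) and emits the matching set lines; the same parser can be pointed at a `show firewall ssl-ssh-profile` capture from any managed FortiGate to check that an installed policy package actually landed.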
