Administration Guide

Create a new SSL inspection and authentication policy

This section describes how to create a new SSL inspection and authentication policy. This policy type is essentially a firewall policy for policy-based policy packages.

See NGFW policy in the FortiOS Administration Guide for more information.

The SSL Inspection & Authentication policy option is visible only if the NGFW Mode is selected as Policy-based in the policy package.

To create a new SSL inspection and authentication policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select SSL Inspection & Authentication.
  4. Click Create New.
  5. Enter the following information:

    | Option | Description |
    |---|---|
    | ID | Enter a unique number as the policy ID, or keep the default (0) to have a policy ID assigned automatically. Policy IDs can be up to 9 digits long. Once a policy ID has been configured it cannot be changed. |
    | Name | Enter a unique name for the policy. Each policy must have a unique name. |
    | Incoming Interface | Click the field, then select interfaces. Click the remove icon to remove interfaces. New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information. |
    | Outgoing Interface | Select outgoing interfaces in the same manner as Incoming Interface. |
    | Source | Select the source addresses, address groups, virtual IPs, virtual IP groups, users, user groups, and FSSO groups. |
    | Enforce ZTNA | Enable or disable ZTNA. |
    | EMS Tag | Select the FortiClient EMS tag to match. This option is only available if Enforce ZTNA is enabled. |
    | Geographic IP Tag | Select the Geographic IP tag to match. This option is only available if Enforce ZTNA is enabled. |
    | Destination | Select the destination addresses, address groups, virtual IPs, virtual IP groups, and services. |
    | Service | Select services and service groups. This option is only available when Destination Internet Service is off. |
    | SSL/SSH Inspection | Select one of the following options for SSL/SSH Inspection: certificate-inspection, custom-deep-inspection, deep-inspection, or no-inspection. |
    | Comments | Add a description of the policy, such as its purpose or the changes that have been made to it. |
    | Advanced Options | Configure advanced options; see Advanced options below. For more information on the advanced options, see the FortiOS CLI Reference. |
    | Change Note | Add a description of the changes being made to the policy. This field is required. |
  6. Click OK to create the policy. You can enable or disable the policy from the right-click menu. When a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.
Advanced options

| Option | Description | Default |
|---|---|---|
| anti-replay | Enable or disable anti-replay checking. | enable |
| auth-cert | Select the HTTPS server certificate for policy authentication. | none |
| auth-path | Enable or disable authentication-based routing. | disable |
| auth-redirect-addr | Select the HTTP-to-HTTPS redirect address for firewall authentication. | none |
| auto-asic-offload | Enable or disable policy traffic ASIC offloading. | enable |
| block-notification | Enable or disable block notification. | disable |
| cgn-eif | Enable or disable CGN endpoint independent filtering. | disable |
| cgn-eim | Enable or disable CGN endpoint independent mapping. | disable |
| cgn-log-server-grp | Select the NP log server group. | none |
| cgn-resource-quota | Set the allowed number of blocks assigned to a source IP address. | 16 |
| cgn-session-quota | Set the allowed number of concurrent sessions for a source IP address. | 16777215 |
| custom-log-fields | Select custom fields to append to log messages for this policy. | none |
| delay-tcp-npu-session | Enable or disable TCP NPU session delay, which guarantees the packet order of the 3-way handshake. | disable |
| diffserv-copy | Enable or disable copying of the DSCP values from the original direction to the reply direction. | disable |
| diffserv-forward | Enable or disable applying the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward. | disable |
| diffserv-reverse | Enable or disable applying the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. | disable |
| diffservcode-forward | Enter the DSCP value that the FortiGate unit applies to the DSCP field of originating (forward) packets. The value is 6 bits in binary; the valid range is 000000-111111. | 000000 |
| diffservcode-rev | Enter the DSCP value that the FortiGate unit applies to the DSCP field of reply (reverse) packets. The value is 6 bits in binary; the valid range is 000000-111111. | 000000 |
| dlp-profile | Select an existing data leak prevention (DLP) profile. | none |
| dsri | Enable to ignore HTTP server responses. | disable |
| dstaddr-negate | Enable to negate the destination IP address. | disable |
| dstaddr6-negate | Enable to negate the destination IPv6 address. | disable |
| dynamic-shaping | Enable or disable dynamic RADIUS-defined traffic shaping. | disable |
| email-collect | Enable or disable email collection. | disable |
| fec | Enable or disable forward error correction (FEC) on traffic matching this policy on a FEC device. | disable |
| firewall-session-dirty | Select how to handle existing sessions if the configuration of this firewall policy changes. | check-all |
| fsso-agent-for-ntlm | Select the FSSO agent for NTLM authentication. | none |
| geoip-anycast | Enable or disable recognition of anycast IP addresses using the geography IP database. | disable |
| geoip-match | Select whether to match the address based on the physical or registered location. | physical-location |
| identity-based-route | Select the identity-based routing rule. | none |
| internet-service-negate | Enable to negate the internet service set in the policy. | disable |
| internet-service-src-negate | Enable to negate the source internet service set in this policy. | disable |
| internet-service6 | Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used. | disable |
| internet-service6-custom | Select a custom IPv6 internet service. | none |
| internet-service6-custom-group | Select a custom IPv6 internet service group. | none |
| internet-service6-group | Select an IPv6 internet service group. | none |
| internet-service6-name | Select an IPv6 internet service. | none |
| internet-service6-negate | Enable to negate the source IPv6 internet service set in this policy. | disable |
| internet-service6-src | Enable or disable the use of IPv6 internet services as the source for this policy. If enabled, the source address is not used. | disable |
| internet-service6-src-custom | Select the custom IPv6 internet service source. | none |
| internet-service6-src-custom-group | Select the custom IPv6 source group. | none |
| internet-service6-src-group | Select the IPv6 source group. | none |
| internet-service6-src-name | Select the IPv6 source. | none |
| internet-service6-src-negate | Enable to negate the value set in internet-service6-src. | disable |
| match-vip | Enable or disable matching of packets that have had their destination address changed by a VIP. | disable |
| match-vip-only | Enable or disable matching only those packets that have had their destination address changed by a VIP. | disable |
| natinbound | Enable or disable applying destination NAT to inbound traffic. | disable |
| natip | Set the source NAT IP address for inbound traffic. | 0.0.0.0/0.0.0.0 |
| natoutbound | Enable or disable applying destination NAT to outbound traffic. | disable |
| network-service-dynamic | Select a dynamic network service. | none |
| network-service-src-dynamic | Select a dynamic network service source. | none |
| np-acceleration | Enable or disable UTM network processor acceleration. | disable |
| ntlm | Enable or disable NTLM authentication. | disable |
| ntlm-enabled-browsers | Set the HTTP-User-Agent value of supported browsers. | none |
| ntlm-guest | Enable or disable NTLM guest user access. | disable |
| outbound | Enable or disable applying the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. | disable |
| passive-wan-health-measurement | Enable or disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. | disable |
| permit-any-host | Enable or disable accepting UDP packets from any host. | disable |
| permit-stun-host | Enable or disable accepting UDP packets from any session traversal utilities for NAT (STUN) host. | disable |
| policy-expiry | Enable or disable policy expiry. | disable |
| policy-expiry-date | If policy-expiry is enabled, set the policy expiry date. | 0000-00-00,00:00:00 |
| policy-offload | Enable or disable hardware session setup for CGNAT. | disable |
| radius-mac-auth-bypass | Enable or disable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. | disable |
| redirect-url | Set the URL to which users are redirected after seeing and accepting the disclaimer or after authenticating. | none |
| reputation-direction | Set the destination of the initial traffic for reputation to take effect. | destination |
| reputation-direction6 | Set the destination of the initial traffic for IPv6 reputation to take effect. | destination |
| reputation-minimum | Set the minimum reputation to take action. | 0 |
| reputation-minimum6 | Set the minimum IPv6 reputation to take action. | 0 |
| rtp-addr | If this is an RTP NAT policy, set the address names. | none |
| rtp-nat | Enable or disable real time protocol (RTP) NAT. | disable |
| schedule-timeout | Enable or disable ending current sessions when the schedule object times out. When disabled, sessions are allowed to end from inactivity. | disable |
| sctp-filter-profile | Select an existing SCTP filter profile. | none |
| send-deny-packet | Enable or disable sending a reply when a session is denied or blocked by a firewall policy. | disable |
| service-negate | Enable or disable negation of the service set in the policy. | disable |
| session-ttl | Enter a value for the session time-to-live (TTL) from 300 to 604800, or enter 0 for no limit. | 0 |
| sgt | Enter security group tags (SGT). | none |
| sgt-check | Enable or disable the SGT check. | disable |
| src-vendor-mac | Select the vendor MAC source. | none |
| srcaddr-negate | Enable or disable negation of the source address. | disable |
| srcaddr6-negate | Enable or disable negation of the source IPv6 address. | disable |
| ssh-filter-profile | Select an SSH filter profile from the drop-down list. | none |
| ssh-policy-redirect | Enable or disable SSH policy redirect. | disable |
| tcp-mss-receiver | Enter the receiver's TCP maximum segment size (MSS). | 0 |
| tcp-mss-sender | Enter the sender's TCP MSS. | 0 |
| tcp-session-without-syn | Enable or disable creation of a TCP session without the SYN flag. | disable |
| tcp-timeout-pid | Select the TCP timeout profile. | none |
| timeout-send-rst | Enable or disable sending RST packets when TCP sessions expire. | disable |
| tos | Enter the type of service (TOS) value used for comparison. | 0 |
| tos-mask | Enter the bit mask for TOS. Non-zero bit positions are used for comparison, while zero bit positions are ignored. | 0 |
| tos-negate | Enable or disable negation of the TOS match. | disable |
| udp-timeout-pid | Select the UDP timeout profile. | none |
| uuid | Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. | 00000000-0000-0000-0000-000000000000 |
| vlan-cos-fwd | Select the VLAN forward direction user priority: 255 (passthrough), or 0 (lowest) to 7 (highest). | 255 |
| vlan-cos-rev | Select the VLAN reverse direction user priority: 255 (passthrough), or 0 (lowest) to 7 (highest). | 255 |
| vlan-filter | Set VLAN filters. | none |
| wanopt | Enable or disable WAN optimization (IPv4 only). | disable |
| wanopt-detection | Select the WAN optimization detection mode: active, passive, or off. | active |
| wanopt-passive-opt | Select the WAN optimization passive mode option. This option decides which IP address is used to connect to the server (IPv4 only). | default |
| wanopt-peer | Select a WAN optimization peer (IPv4 only). | none |
| wanopt-profile | Select a WAN optimization profile (IPv4 only). | none |
| webcache | Enable or disable web cache (IPv4 only). | disable |
| webcache-https | Enable or disable the web cache for HTTPS (IPv4 only). | none |
| webproxy-forward-server | Select the webproxy forward server (IPv4 only). | none |
| webproxy-profile | Select the webproxy profile (IPv4 only). | none |
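Several rows in the table above carry value constraints (the 6-bit binary DSCP codes, the session-ttl range, the 255-or-0..7 VLAN priorities, the 9-digit policy ID) and the tos / tos-mask / tos-negate triple describes a bitwise match rule. The following Python is an added example, not code from the FortiManager guide or from Fortinet: it checks a set of proposed option values against exactly those stated constraints before they are pushed in a policy package, and implements the TOS match rule so its edge cases (ECN bits masked out, an all-zero mask matching everything, negation) can be seen. The function names, the dictionary layout keyed by the table's option names, and the two sample policies are constructed for this example and are not a FortiManager or FortiOS API.

```python
"""Added example (not part of the FortiManager guide): validate advanced-option
values against the constraints stated in the option table, and apply the
tos / tos-mask / tos-negate match rule to a packet's TOS byte.
Function names and the policy dict layout are constructed for this example."""

from typing import Dict, List

# Constraints taken from the option table.
SESSION_TTL_MIN, SESSION_TTL_MAX = 300, 604800   # session-ttl; 0 means no limit
VLAN_COS_PASSTHROUGH = 255                        # vlan-cos-fwd / vlan-cos-rev
POLICY_ID_MAX_DIGITS = 9                          # ID: up to 9 digits, 0 = auto


def valid_dscp_code(value: str) -> bool:
    """diffservcode-forward / diffservcode-rev: exactly six binary digits."""
    return len(value) == 6 and all(c in "01" for c in value)


def valid_session_ttl(value: int) -> bool:
    """session-ttl: 0 (no limit) or 300..604800 seconds."""
    return value == 0 or SESSION_TTL_MIN <= value <= SESSION_TTL_MAX


def valid_vlan_cos(value: int) -> bool:
    """vlan-cos-fwd / vlan-cos-rev: 255 (passthrough) or priority 0..7."""
    return value == VLAN_COS_PASSTHROUGH or 0 <= value <= 7


def valid_policy_id(value: int) -> bool:
    """ID: 0 (auto-assign) or a non-negative number of at most nine digits."""
    return 0 <= value < 10 ** POLICY_ID_MAX_DIGITS


def tos_matches(packet_tos: int, tos: int, tos_mask: int,
                tos_negate: bool = False) -> bool:
    """Apply tos / tos-mask / tos-negate to the TOS byte of a packet.

    Only bit positions set in tos-mask are compared; zero positions are
    ignored, so a mask of 0 matches every packet (and, negated, none).
    """
    matched = (packet_tos & tos_mask) == (tos & tos_mask)
    return not matched if tos_negate else matched


def check_advanced_options(policy: Dict[str, object]) -> List[str]:
    """Return human-readable problems for the option values in `policy`.

    Keys use the option names from the table; an empty list means every
    checked value is acceptable. Options not present are simply skipped.
    """
    checks = {
        "id": (valid_policy_id, "must be 0 or at most 9 digits"),
        "diffservcode-forward": (valid_dscp_code, "must be six binary digits"),
        "diffservcode-rev": (valid_dscp_code, "must be six binary digits"),
        "session-ttl": (valid_session_ttl, "must be 0 or 300..604800"),
        "vlan-cos-fwd": (valid_vlan_cos, "must be 255 or 0..7"),
        "vlan-cos-rev": (valid_vlan_cos, "must be 255 or 0..7"),
    }
    problems: List[str] = []
    for key, (check, message) in checks.items():
        if key in policy and not check(policy[key]):
            problems.append(f"{key}: {policy[key]!r} {message}")
    return problems


# Constructed samples: one acceptable policy, one with four out-of-range values.
GOOD_POLICY = {"id": 0, "diffservcode-forward": "101110",
               "session-ttl": 3600, "vlan-cos-fwd": 255}
BAD_POLICY = {"id": 1_000_000_000, "diffservcode-rev": "1011101",
              "session-ttl": 60, "vlan-cos-rev": 8}

if __name__ == "__main__":
    print(check_advanced_options(GOOD_POLICY))   # []
    for problem in check_advanced_options(BAD_POLICY):
        print(problem)
    # DSCP EF (101110) occupies the top six bits of the TOS byte: 0xB8.
    # Masking with 0xFC compares only those six bits and ignores the ECN bits.
    print(tos_matches(0xB8, tos=0xB8, tos_mask=0xFC))                  # True
    print(tos_matches(0xB9, tos=0xB8, tos_mask=0xFC))                  # True
    print(tos_matches(0x00, tos=0xB8, tos_mask=0xFC, tos_negate=True))  # True
```

Running the script lists the four problems in the constructed BAD_POLICY and shows that a mask of 0xFC makes the match independent of the two ECN bits, which is the usual way to match on a DSCP value with the tos and tos-mask options.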
