Configuring an SSL/SSH inspection profile
To configure an SSL/SSH inspection profile:
- Go to Security > Firewall Objects.
- Select SSL/SSH Inspection from the Security Profiles dropdown.
- Click Create, or select an existing profile from the list and click Edit.
- In the form, enter the following information:
Settings and guidelines:

Name
  Required. Enter a name for the profile.
Comments
  Optionally, enter comments.
SSL Inspection Options

Enable SSL Inspection of
  Select one of the options and configure the following settings. The settings shown depend on the option selected.

Settings shown when the selected option uses a CA certificate:

Inspection Method
  Select the method to use for inspection: SSL Certificate Inspection or Full SSL Inspection.
CA Certificate
  Select the certificate to use.
Blocked Certificate
  Allow or Block known malicious certificates.
Untrusted SSL Certificates
  Select the action to take when a server certificate is not issued by a trusted CA: Allow, Block, or Ignore.
  Ignore is only available if Full SSL Inspection is selected.
Server Certificate SNI Check
  Check the SNI in the client hello message against the CN or SAN field in the returned server certificate.
  Enable: If mismatched, use the CN in the server certificate to do URL filtering.
  Strict: If mismatched, close the connection.
  Disable: Server certificate SNI check is disabled.
Enforce SSL Cipher Compliance
  Enable or disable enforcement of SSL cipher compliance.
  This option is only available if Full SSL Inspection is selected.
Enforce SSL Negotiation Compliance
  Enable or disable enforcement of SSL negotiation compliance.
  This option is only available if Full SSL Inspection is selected.
RPC over HTTPS
  Enable or disable allowing remote procedure calls (RPC) over HTTPS. This protocol is used by Microsoft Exchange Servers to perform virus scanning on emails that use RPC over HTTP.
  This option is only available if Full SSL Inspection is selected.
Protocol Port Mapping
  For each protocol, enable or disable inspection and specify the port.
Inspect All Ports
  Enable or disable inspection of all ports.
Exempt from SSL Inspection
  Reputable Websites
    Enable or disable exempting reputable websites from SSL inspection. This allowlist includes common websites trusted by FortiGuard.
    This option is only available if Full SSL Inspection is selected.
  Web Categories
    Select categories of websites to exempt from SSL inspection.
    This option is only available if Full SSL Inspection is selected.
  Addresses
    Select previously defined addresses to exempt from SSL inspection. For more information about adding addresses, see To configure an address.
    This option is only available if Full SSL Inspection is selected.
Log SSL Exemptions
  Enable or disable logging of SSL exemptions.
  This option is only available if Full SSL Inspection is selected.
SSH Inspection Options

SSH Deep Scan
  Enable or disable SSH deep scanning, then specify the SSH port.

Common Options

Invalid SSL Certificates
  Select whether to Allow or Block all invalid SSL certificates, or select Custom to configure handling for each type of invalid certificate.
  Expired Certificates
    Select the action to take when the certificate is expired.
    This option is only available when Invalid SSL Certificates is set to Custom.
  Revoked Certificates
    Select the action to take when the certificate is revoked.
    This option is only available when Invalid SSL Certificates is set to Custom.
  Validation Timed-Out Certificates
    Select the action to take when the certificate validation times out.
    This option is only available when Invalid SSL Certificates is set to Custom.
  Validation Failed Certificates
    Select the action to take when the certificate validation fails.
    This option is only available when Invalid SSL Certificates is set to Custom.
Log SSL Anomalies
  Enable or disable logging of SSL anomalies.
Settings shown when the selected option uses a server certificate:

Server Certificate
  Select the certificate to use.
Protocol Port Mapping
  For each protocol, enable or disable inspection and specify the port.
Inspect All Ports
  Enable or disable inspection of all ports.
Exempt from SSL Inspection
  Addresses
    Select previously defined addresses to exempt from SSL inspection. For more information about adding addresses, see To configure an address.
    This option is only available if Full SSL Inspection is selected.
Log SSL Exemptions
  Enable or disable logging of SSL exemptions.
  This option is only available if Full SSL Inspection is selected.
- Click Save to save the profile.
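The three Server Certificate SNI Check modes (Enable, Strict, Disable) decide what happens when the SNI a client sends does not match the certificate the server returns. The following is an added illustration of that decision, written for this page and not the appliance's own code; the ServerCert type and the RFC 6125-style single-label wildcard matching are assumptions, and the sample certificate values are constructed.

```python
from dataclasses import dataclass


@dataclass
class ServerCert:
    """Hypothetical stand-in for the fields read from a returned server certificate."""
    cn: str           # Subject Common Name
    sans: tuple       # DNS names from the Subject Alternative Name extension


def _hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*' covers exactly one label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        # The wildcard never matches the bare domain or more than one extra label.
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return pattern == host


def sni_matches_cert(sni: str, cert: ServerCert) -> bool:
    """True when the SNI matches any SAN DNS name or the CN, as the profile text describes."""
    return any(_hostname_matches(name, sni) for name in (*cert.sans, cert.cn))


def apply_sni_check(mode: str, sni: str, cert: ServerCert) -> dict:
    """Decision for one TLS session; mode is 'disable', 'enable' or 'strict' as in the form.

    'filter_host' is the hostname the URL filter would evaluate for this session.
    """
    if mode == "disable":
        return {"action": "pass", "filter_host": sni}
    if sni_matches_cert(sni, cert):
        return {"action": "pass", "filter_host": sni}
    if mode == "strict":
        # Strict: mismatch closes the connection.
        return {"action": "close", "filter_host": None, "reason": "sni-mismatch"}
    if mode == "enable":
        # Enable: mismatch falls back to the certificate CN for URL filtering.
        return {"action": "pass", "filter_host": cert.cn, "reason": "sni-mismatch"}
    raise ValueError(f"unknown SNI check mode: {mode!r}")


# Constructed sample: a certificate for www.example.com with a wildcard SAN.
SAMPLE_CERT = ServerCert(cn="www.example.com", sans=("www.example.com", "*.example.com"))
```

With SAMPLE_CERT, an SNI of api.example.com passes in every mode, while an SNI of login.test is closed under Strict and filtered as www.example.com under Enable.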