Fortinet black logo

Administration Guide

Home FortiProxy 7.2.0 Administration Guide

Create or edit an SSL/SSH inspection profile

7.2.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.9
7.2.8
7.2.7
7.2.0
7.0.0
2.0.0
1.2.0
1.1.0
1.0.0
Copy Link
Copy Doc ID b7ee159a-9f2d-11ec-9fd1-fa163e15d75b:669878
Download PDF

Create or edit an SSL/SSH inspection profile

The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:

  • certificate-inspection
  • deep-inspection
  • no-inspection

The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.

To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.

Configure the following settings and then click OK to save your changes:

Name

Give the profile an easily identifiable name that references its intent.

Comments

Enter any additional information that might be needed by administrators, as a reminder of the profileʼs purpose and scope. This setting is optional.

SSL Inspection Options

Enable SSL Inspection of

  • Multiple Clients Connecting to Multiple Servers—Select this option for generic policies where the destination is unknown. The Exempt from SSL Inspection and Common Options options are only available with this option enabled.

  • Protecting SSL Server—Select this option when setting up a profile customized for a specific SSL server with a specific certificate.

Server certificate

Click + and select a certificate or click Create to import a certificate.

This option is available only when Protecting SSL Server is selected.

Inspection Method

This option is available only when Multiple Clients Connecting to Multiple Servers is selected.

  • SSL Certificate Inspection—Only inspects the certificate, not the contents of the traffic.

  • Full SSL Inspection—Inspects all of the traffic.

CA Certificate

Select a CA certificate from the drop-down menu or select Download Certificate.You need to have the certificate installed in your browser, or you might see certificate warnings.

This option is available only when Multiple Clients Connecting to Multiple Servers is selected.

Blocked certificates

The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that contain SHA1 fingerprints of malicious certificates. By default, these certificates are blocked. Click View Blocked Certificates to see a detailed list.

Untrusted SSL certificates

Configure the action to take when a server certificate is not issued by a trusted CA.

  • Allow: Allow the untrusted server certificate. This is the default value.

  • Block: Block the session.

  • Ignore: This option is for Full SSL inspection only. It re-signs the server certificate as trusted. When configured in the GUI for certificate inspection, it has no effect, and the setting is not saved.

Click View Trusted CAs List to see a list of the factory bundled and user imported CAs that are trusted by the FortiProxy unit.

Server certificate SNI check

Check the SNI in the hello message with the CN or SAN field in the returned server certificate.

  • Enable: If mismatched, use the CN in the server certificate to do URL filtering.

  • Strict: If mismatched, close the connection.

  • Disable: Server certificate SNI check is disabled.

Enforce SSL cipher compliance

Enable to enforce SSL cipher compliance.

Enforce SSL negotiation compliance

Enable to enforce SSL negotiation compliance.

RPC over HTTPS

Enable to allow RPC over HTTPS.

Protocol Port Mapping

To optimize the resources of the unit, enable or disable the mapping and inspection of protocols. The default port numbers are automatically filled in, but you can change them.

Exempt from SSL Inspection

Exempt web categories or specific addresses from SSL inspection. This section is available only when Multiple Clients Connecting to Multiple Servers and a protocol under Protocol Port Mapping are enabled.

Reputable Websites

Enable this option to exempt any websites identified by FortiGuard as reputable.

Web Categories

By default, the categories of Finance and Banking, Health and Wellness, and Personal Privacy have been added because they are most likely to require a specific certificate.

Click + to add web categories to be exempt from SSL inspection.

Addresses

Click + to add web addresses to be exempt from SSL inspection.

Log SSL exemptions

Enable this option to log all SSL exemptions.

SSH Inspection Options

SSH Deep Scan

Enable to perform SSH deep scan and then enter the SSH port to use for the SSH deep scan.

Common Options

This section is available only when Multiple Clients Connecting to Multiple Servers is selected.

Invalid SSL Certificates

  • Select Allow to allow traffic with invalid certificate.

  • Select Block to block traffic with an invalid certificate.

  • Select Custom to display more options.

Expired certificates

Select the action to take when the server certificate is expired. The default action is block.

This option is available only when Custom is selected.

Revoked certificates

Select the action to take when the server certificate is revoked. The default action is block.

This option is available only when Custom is selected.

Validation timed-out certificates

Select the action to take when the server certificate validation times out. The default action is to keep untrusted and allow.

This option is available only when Custom is selected.

Validation failed certificates

Select the action to take when the server certificate validation fails. The default action is block.

This option is available only when Custom is selected.

Log SSL anomalies

Enable this option to record traffic sessions containing untrusted or expired certificates.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.
To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.
Tooltip

SSL options can be configured in SSL/SSH profiles even when the protocol is disabled

HTTP/2 support in SSL inspection

Security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

To set the ALPN support:

config firewall ssl-ssh-profile

edit <profile>

set supported-alpn {all | http1-1 | http2 | none}

next

end

Multiple certificates can be defined in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed on the same protected server IP address, and inspection based on matching the SNI in the certificate.

When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server certificate in the list, the first server certificate in the list is used as a replacement.

To configure an SSL profile in replace mode with multiple certificates:
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
To configure a policy that uses the SSL profile:
config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end

Results

If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the matched server certificate.

If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the first server certificate in the list.

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. The WAD is able to handle DoT and DoH and redirect DNS queries to the DNS proxy for further inspection.

To configure DNS inspection of DoT and DoH queries in the CLI:
  1. Configure the SSL-SSH profile:
    config firewall ssl-ssh-profile
    edit "ssl"
        config dot
            set status deep-inspection
            set client-certificate bypass
            set unsupported-ssl-version block
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end
  2. Configure the DNS filter profile:
    config dnsfilter profile
    edit "dnsfilter"
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
        set block-botnet enable
    next
end
  3. Configure the firewall policy:
    config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "ssl"
        set webfilter-profile "webfilter"
        set dnsfilter-profile "dnsfilter"
    next
end

Client authentication with an SSL client certificate for the Original Content Server

FortiProxy can provide a client certificate for authentication to the Original Content Server on behalf of a user.

To use the SSL client certificate for server authentication:

  • Set the client certificate to inspect under the config https command.

  • Set the status of the SSL client certificate to keyring-list or ca-sign.

    • The keyring-list setting matches the user name to the Common Name of the SSL client certificate in the keyring list for authenticated users. See SSL Keyring.
    • The ca-sign setting provides an SSL client certificate signed by a configured CA for authenticated users. The signed client certificate has the Common Name set to the authenticated userʼs user name.

    By default, the status of the SSL client certificate is set to do-not-offer, which means that the SSL client certificate is not provided.

To provide an SSL client certificate from the keyring list:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status keyring-list

set keyring-list <keyring_list_used_to_find_client_certificate>

end

next

end

To provide an SSL client certificate signed by a CA:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status ca-sign

set caname <CA_certficate_used_to_sign_client_certificate>

end

next

end

Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers (UUIDs) are automatically assigned. See SSL Keyring for information about uploading keyring lists.

To specify the keyring list to use for the SSL client certificate:

config firewall ssl keyring-list

edit <keyring_list_used_to_find_client_certificate>

next

end

Disable IP-based URL rating

You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP -based URL rating is enabled.

To configure IP-based URL rating in an SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
To configure IP-based URL rating in web proxy settings:
config firewall profile-protocol-options
    edit <protocol>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end
Previous
Next

Create or edit an SSL/SSH inspection profile

The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:

  • certificate-inspection
  • deep-inspection
  • no-inspection

The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.

To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.

Configure the following settings and then click OK to save your changes:

Name

Give the profile an easily identifiable name that references its intent.

Comments

Enter any additional information that might be needed by administrators, as a reminder of the profileʼs purpose and scope. This setting is optional.

SSL Inspection Options

Enable SSL Inspection of

  • Multiple Clients Connecting to Multiple Servers—Select this option for generic policies where the destination is unknown. The Exempt from SSL Inspection and Common Options options are only available with this option enabled.

  • Protecting SSL Server—Select this option when setting up a profile customized for a specific SSL server with a specific certificate.

Server certificate

Click + and select a certificate or click Create to import a certificate.

This option is available only when Protecting SSL Server is selected.

Inspection Method

This option is available only when Multiple Clients Connecting to Multiple Servers is selected.

  • SSL Certificate Inspection—Only inspects the certificate, not the contents of the traffic.

  • Full SSL Inspection—Inspects all of the traffic.

CA Certificate

Select a CA certificate from the drop-down menu or select Download Certificate.You need to have the certificate installed in your browser, or you might see certificate warnings.

This option is available only when Multiple Clients Connecting to Multiple Servers is selected.

Blocked certificates

The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that contain SHA1 fingerprints of malicious certificates. By default, these certificates are blocked. Click View Blocked Certificates to see a detailed list.

Untrusted SSL certificates

Configure the action to take when a server certificate is not issued by a trusted CA.

  • Allow: Allow the untrusted server certificate. This is the default value.

  • Block: Block the session.

  • Ignore: This option is for Full SSL inspection only. It re-signs the server certificate as trusted. When configured in the GUI for certificate inspection, it has no effect, and the setting is not saved.

Click View Trusted CAs List to see a list of the factory bundled and user imported CAs that are trusted by the FortiProxy unit.

Server certificate SNI check

Check the SNI in the hello message with the CN or SAN field in the returned server certificate.

  • Enable: If mismatched, use the CN in the server certificate to do URL filtering.

  • Strict: If mismatched, close the connection.

  • Disable: Server certificate SNI check is disabled.

Enforce SSL cipher compliance

Enable to enforce SSL cipher compliance.

Enforce SSL negotiation compliance

Enable to enforce SSL negotiation compliance.

RPC over HTTPS

Enable to allow RPC over HTTPS.

Protocol Port Mapping

To optimize the resources of the unit, enable or disable the mapping and inspection of protocols. The default port numbers are automatically filled in, but you can change them.

Exempt from SSL Inspection

Exempt web categories or specific addresses from SSL inspection. This section is available only when Multiple Clients Connecting to Multiple Servers and a protocol under Protocol Port Mapping are enabled.

Reputable Websites

Enable this option to exempt any websites identified by FortiGuard as reputable.

Web Categories

By default, the categories of Finance and Banking, Health and Wellness, and Personal Privacy have been added because they are most likely to require a specific certificate.

Click + to add web categories to be exempt from SSL inspection.

Addresses

Click + to add web addresses to be exempt from SSL inspection.

Log SSL exemptions

Enable this option to log all SSL exemptions.

SSH Inspection Options

SSH Deep Scan

Enable to perform SSH deep scan and then enter the SSH port to use for the SSH deep scan.

Common Options

This section is available only when Multiple Clients Connecting to Multiple Servers is selected.

Invalid SSL Certificates

  • Select Allow to allow traffic with invalid certificate.

  • Select Block to block traffic with an invalid certificate.

  • Select Custom to display more options.

Expired certificates

Select the action to take when the server certificate is expired. The default action is block.

This option is available only when Custom is selected.

Revoked certificates

Select the action to take when the server certificate is revoked. The default action is block.

This option is available only when Custom is selected.

Validation timed-out certificates

Select the action to take when the server certificate validation times out. The default action is to keep untrusted and allow.

This option is available only when Custom is selected.

Validation failed certificates

Select the action to take when the server certificate validation fails. The default action is block.

This option is available only when Custom is selected.

Log SSL anomalies

Enable this option to record traffic sessions containing untrusted or expired certificates.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.
To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.
Tooltip

SSL options can be configured in SSL/SSH profiles even when the protocol is disabled

HTTP/2 support in SSL inspection

Security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

To set the ALPN support:

config firewall ssl-ssh-profile

edit <profile>

set supported-alpn {all | http1-1 | http2 | none}

next

end

Multiple certificates can be defined in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed on the same protected server IP address, and inspection based on matching the SNI in the certificate.

When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server certificate in the list, the first server certificate in the list is used as a replacement.

To configure an SSL profile in replace mode with multiple certificates:
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
To configure a policy that uses the SSL profile:
config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end

Results

If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the matched server certificate.

If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the first server certificate in the list.

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. The WAD is able to handle DoT and DoH and redirect DNS queries to the DNS proxy for further inspection.

To configure DNS inspection of DoT and DoH queries in the CLI:
  1. Configure the SSL-SSH profile:
    config firewall ssl-ssh-profile
    edit "ssl"
        config dot
            set status deep-inspection
            set client-certificate bypass
            set unsupported-ssl-version block
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end
  2. Configure the DNS filter profile:
    config dnsfilter profile
    edit "dnsfilter"
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
        set block-botnet enable
    next
end
  3. Configure the firewall policy:
    config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "ssl"
        set webfilter-profile "webfilter"
        set dnsfilter-profile "dnsfilter"
    next
end

Client authentication with an SSL client certificate for the Original Content Server

FortiProxy can provide a client certificate for authentication to the Original Content Server on behalf of a user.

To use the SSL client certificate for server authentication:

  • Set the client certificate to inspect under the config https command.

  • Set the status of the SSL client certificate to keyring-list or ca-sign.

    • The keyring-list setting matches the user name to the Common Name of the SSL client certificate in the keyring list for authenticated users. See SSL Keyring.
    • The ca-sign setting provides an SSL client certificate signed by a configured CA for authenticated users. The signed client certificate has the Common Name set to the authenticated userʼs user name.

    By default, the status of the SSL client certificate is set to do-not-offer, which means that the SSL client certificate is not provided.

To provide an SSL client certificate from the keyring list:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status keyring-list

set keyring-list <keyring_list_used_to_find_client_certificate>

end

next

end

To provide an SSL client certificate signed by a CA:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status ca-sign

set caname <CA_certficate_used_to_sign_client_certificate>

end

next

end

Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers (UUIDs) are automatically assigned. See SSL Keyring for information about uploading keyring lists.

To specify the keyring list to use for the SSL client certificate:

config firewall ssl keyring-list

edit <keyring_list_used_to_find_client_certificate>

next

end

Disable IP-based URL rating

You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP -based URL rating is enabled.

To configure IP-based URL rating in an SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
To configure IP-based URL rating in web proxy settings:
config firewall profile-protocol-options
    edit <protocol>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end
Previous
Next