Fortinet white logo
Fortinet white logo

Administration Guide

Create or edit an SSL/SSH inspection profile

Create or edit an SSL/SSH inspection profile

The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:

  • certificate-inspection
  • deep-inspection
  • no-inspection

The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.

To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.

Configure the following settings and then click OK to save your changes:

Name

Give the profile an easily identifiable name that references its intent.

Comments

Enter any additional information that might be needed by administrators, as a reminder of the profileʼs purpose and scope. This setting is optional.

SSL Inspection Options

Enable SSL Inspection of

  • Multiple Clients Connecting to Multiple Servers—Select this option for generic policies where the destination is unknown. This is normally used when inspecting outbound internet traffic. Other SSL Inspection Options become available to configure if this option is selected.

  • Protecting SSL Server—Select this option when setting up a profile customized for a specific SSL server with a specific certificate.

Server certificate

Click + and select a certificate or click Create to import a certificate.

This option is available only when Protecting SSL Server is selected.

Inspection Method

Define the inspection method:

  • SSL Certificate Inspection—Only inspects the certificate, by way of the headers up to the SSL/TLS layer, and not the contents of the traffic.

  • Full SSL Inspection—Inspects the SSL/TLS encrypted traffic payload.

CA Certificate

Select a CA certificate from the drop-down menu or select Download Certificate.You need to have the certificate installed in your browser, or you might see certificate warnings.

Untrusted CA certificate

Select the CA certificate to use when a CA certificate is not issued by a trusted root CA server.

Blocked certificates

Block or allow potentially malicious certificates. The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that contain SHA1 fingerprints of malicious certificates. By default, these certificates are blocked. Click View Blocked Certificates for a detailed list of blocked certificates, including the listing reason and date.

Untrusted SSL certificates

Configure the action to take when a server certificate is not issued by a trusted CA.

  • Allow: Allow the untrusted server certificate. This is the default value.

  • Block: Block the session.

  • Ignore: This option is for Full SSL inspection only. It re-signs the server certificate as trusted. When configured in the GUI for certificate inspection, it has no effect, and the setting is not saved.

Click View Trusted CAs List to see a list of the factory bundled and user imported CAs that are trusted by the FortiProxy unit.

RPC over HTTPS

Enable/disable inspection of Remote Procedure Calls (RPC) over HTTPS traffic. This option is available only if Full SSL Inspection is selected.

Protocol Port Mapping

To optimize the resources of the unit, enable or disable the mapping and inspection of protocols. The default port numbers are automatically filled in, but you can change them.

Exempt from SSL Inspection

These options are for Full SSL inspection only. Use the menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection:

Reputable Websites

Enable this option to exempt any websites identified by FortiGuard as reputable.

Web Categories

By default, the categories of Finance and Banking, Health and Wellness, and Personal Privacy have been added because they are most likely to require a specific certificate.

Click + to add web categories to be exempt from SSL inspection.

Addresses

Click + to add web addresses to be exempt from SSL inspection.

Log SSL exemptions

Enable this option to log all SSL exemptions.

SSH Inspection Options

SSH Deep Scan

Enable to perform SSH deep scan and then enter the SSH port to use for the SSH deep scan.

Common Options

This section is available only when Multiple Clients Connecting to Multiple Servers is selected.

Invalid SSL Certificates

  • Select Allow to allow traffic with invalid certificate.

  • Select Block to block traffic with an invalid certificate.

  • Select Custom to display more options.

Expired certificates

Select the action to take when the server certificate is expired. The default action is block.

This option is available only when Custom is selected.

Revoked certificates

Select the action to take when the server certificate is revoked. The default action is block.

This option is available only when Custom is selected.

Validation timed-out certificates

Select the action to take when the server certificate validation times out. For certificate inspection, the default action is Allow. For deep inspection, the default action is Keep Untrusted & Allow.

This option is available only when Custom is selected.

Validation failed certificates

Select the action to take when the server certificate validation fails. The default action is block.

This option is available only when Custom is selected.

Log SSL anomalies

Enable this feature to record and log traffic sessions containing invalid certificates.

By default, SSL anomalies logging is enabled. Logs are generated in the UTM log type under the SSL subtype when invalid certificates are detected.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.
Tooltip

SSL options can be configured in SSL/SSH profiles even when the protocol is disabled

HTTP/2 support in SSL inspection

Security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

To set the ALPN support:

config firewall ssl-ssh-profile

edit <profile>

set supported-alpn {all | http1-1 | http2 | none}

next

end

Multiple certificates can be defined in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed on the same protected server IP address, and inspection based on matching the SNI in the certificate.

When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server certificate in the list, the first server certificate in the list is used as a replacement.

To configure an SSL profile in replace mode with multiple certificates:
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
To configure a policy that uses the SSL profile:
config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end

Results

If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the matched server certificate.

If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the first server certificate in the list.

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. The WAD is able to handle DoT and DoH and redirect DNS queries to the DNS proxy for further inspection.

To configure DNS inspection of DoT and DoH queries in the CLI:
  1. Configure the SSL-SSH profile:
    config firewall ssl-ssh-profile
        edit "ssl"
            config dot
                set status deep-inspection
                set client-certificate bypass
                set unsupported-ssl-version block
                set unsupported-ssl-cipher allow
                set unsupported-ssl-negotiation allow
                set expired-server-cert block
                set revoked-server-cert block
                set untrusted-server-cert allow
                set cert-validation-timeout allow
                set cert-validation-failure block
            end
        next
    end
    
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
            set block-botnet enable
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set webfilter-profile "webfilter"
            set dnsfilter-profile "dnsfilter"
        next
    end

Client authentication with an SSL client certificate for the Original Content Server

FortiProxy can provide a client certificate for authentication to the Original Content Server on behalf of a user.

To use the SSL client certificate for server authentication:

  • Set the client certificate to inspect under the config https command.

  • Set the status of the SSL client certificate to keyring-list or ca-sign.

    • The keyring-list setting matches the user name to the Common Name of the SSL client certificate in the keyring list for authenticated users. See SSL Keyring.
    • The ca-sign setting provides an SSL client certificate signed by a configured CA for authenticated users. The signed client certificate has the Common Name set to the authenticated userʼs user name.

    By default, the status of the SSL client certificate is set to do-not-offer, which means that the SSL client certificate is not provided.

To provide an SSL client certificate from the keyring list:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status keyring-list

set keyring-list <keyring_list_used_to_find_client_certificate>

end

next

end

To provide an SSL client certificate signed by a CA:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status ca-sign

set caname <CA_certficate_used_to_sign_client_certificate>

end

next

end

Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers (UUIDs) are automatically assigned. See SSL Keyring for information about uploading keyring lists.

To specify the keyring list to use for the SSL client certificate:

config firewall ssl keyring-list

edit <keyring_list_used_to_find_client_certificate>

next

end

Disable IP-based URL rating

You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP -based URL rating is enabled.

To configure IP-based URL rating in an SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
To configure IP-based URL rating in web proxy settings:
config firewall profile-protocol-options
    edit <protocol>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end

Create or edit an SSL/SSH inspection profile

Create or edit an SSL/SSH inspection profile

The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:

  • certificate-inspection
  • deep-inspection
  • no-inspection

The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.

To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.

Configure the following settings and then click OK to save your changes:

Name

Give the profile an easily identifiable name that references its intent.

Comments

Enter any additional information that might be needed by administrators, as a reminder of the profileʼs purpose and scope. This setting is optional.

SSL Inspection Options

Enable SSL Inspection of

  • Multiple Clients Connecting to Multiple Servers—Select this option for generic policies where the destination is unknown. This is normally used when inspecting outbound internet traffic. Other SSL Inspection Options become available to configure if this option is selected.

  • Protecting SSL Server—Select this option when setting up a profile customized for a specific SSL server with a specific certificate.

Server certificate

Click + and select a certificate or click Create to import a certificate.

This option is available only when Protecting SSL Server is selected.

Inspection Method

Define the inspection method:

  • SSL Certificate Inspection—Only inspects the certificate, by way of the headers up to the SSL/TLS layer, and not the contents of the traffic.

  • Full SSL Inspection—Inspects the SSL/TLS encrypted traffic payload.

CA Certificate

Select a CA certificate from the drop-down menu or select Download Certificate.You need to have the certificate installed in your browser, or you might see certificate warnings.

Untrusted CA certificate

Select the CA certificate to use when a CA certificate is not issued by a trusted root CA server.

Blocked certificates

Block or allow potentially malicious certificates. The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that contain SHA1 fingerprints of malicious certificates. By default, these certificates are blocked. Click View Blocked Certificates for a detailed list of blocked certificates, including the listing reason and date.

Untrusted SSL certificates

Configure the action to take when a server certificate is not issued by a trusted CA.

  • Allow: Allow the untrusted server certificate. This is the default value.

  • Block: Block the session.

  • Ignore: This option is for Full SSL inspection only. It re-signs the server certificate as trusted. When configured in the GUI for certificate inspection, it has no effect, and the setting is not saved.

Click View Trusted CAs List to see a list of the factory bundled and user imported CAs that are trusted by the FortiProxy unit.

RPC over HTTPS

Enable/disable inspection of Remote Procedure Calls (RPC) over HTTPS traffic. This option is available only if Full SSL Inspection is selected.

Protocol Port Mapping

To optimize the resources of the unit, enable or disable the mapping and inspection of protocols. The default port numbers are automatically filled in, but you can change them.

Exempt from SSL Inspection

These options are for Full SSL inspection only. Use the menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection:

Reputable Websites

Enable this option to exempt any websites identified by FortiGuard as reputable.

Web Categories

By default, the categories of Finance and Banking, Health and Wellness, and Personal Privacy have been added because they are most likely to require a specific certificate.

Click + to add web categories to be exempt from SSL inspection.

Addresses

Click + to add web addresses to be exempt from SSL inspection.

Log SSL exemptions

Enable this option to log all SSL exemptions.

SSH Inspection Options

SSH Deep Scan

Enable to perform SSH deep scan and then enter the SSH port to use for the SSH deep scan.

Common Options

This section is available only when Multiple Clients Connecting to Multiple Servers is selected.

Invalid SSL Certificates

  • Select Allow to allow traffic with invalid certificate.

  • Select Block to block traffic with an invalid certificate.

  • Select Custom to display more options.

Expired certificates

Select the action to take when the server certificate is expired. The default action is block.

This option is available only when Custom is selected.

Revoked certificates

Select the action to take when the server certificate is revoked. The default action is block.

This option is available only when Custom is selected.

Validation timed-out certificates

Select the action to take when the server certificate validation times out. For certificate inspection, the default action is Allow. For deep inspection, the default action is Keep Untrusted & Allow.

This option is available only when Custom is selected.

Validation failed certificates

Select the action to take when the server certificate validation fails. The default action is block.

This option is available only when Custom is selected.

Log SSL anomalies

Enable this feature to record and log traffic sessions containing invalid certificates.

By default, SSL anomalies logging is enabled. Logs are generated in the UTM log type under the SSL subtype when invalid certificates are detected.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
  4. Click Close to leave the preview.
Tooltip

SSL options can be configured in SSL/SSH profiles even when the protocol is disabled

HTTP/2 support in SSL inspection

Security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

To set the ALPN support:

config firewall ssl-ssh-profile

edit <profile>

set supported-alpn {all | http1-1 | http2 | none}

next

end

Multiple certificates can be defined in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed on the same protected server IP address, and inspection based on matching the SNI in the certificate.

When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server certificate in the list, the first server certificate in the list is used as a replacement.

To configure an SSL profile in replace mode with multiple certificates:
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
To configure a policy that uses the SSL profile:
config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end

Results

If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the matched server certificate.

If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the first server certificate in the list.

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. The WAD is able to handle DoT and DoH and redirect DNS queries to the DNS proxy for further inspection.

To configure DNS inspection of DoT and DoH queries in the CLI:
  1. Configure the SSL-SSH profile:
    config firewall ssl-ssh-profile
        edit "ssl"
            config dot
                set status deep-inspection
                set client-certificate bypass
                set unsupported-ssl-version block
                set unsupported-ssl-cipher allow
                set unsupported-ssl-negotiation allow
                set expired-server-cert block
                set revoked-server-cert block
                set untrusted-server-cert allow
                set cert-validation-timeout allow
                set cert-validation-failure block
            end
        next
    end
    
  2. Configure the DNS filter profile:
    config dnsfilter profile
        edit "dnsfilter"
            config ftgd-dns
                config filters
                    edit 1
                        set category 30
                        set action block
                    next
                end
            end
            set block-botnet enable
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set webfilter-profile "webfilter"
            set dnsfilter-profile "dnsfilter"
        next
    end

Client authentication with an SSL client certificate for the Original Content Server

FortiProxy can provide a client certificate for authentication to the Original Content Server on behalf of a user.

To use the SSL client certificate for server authentication:

  • Set the client certificate to inspect under the config https command.

  • Set the status of the SSL client certificate to keyring-list or ca-sign.

    • The keyring-list setting matches the user name to the Common Name of the SSL client certificate in the keyring list for authenticated users. See SSL Keyring.
    • The ca-sign setting provides an SSL client certificate signed by a configured CA for authenticated users. The signed client certificate has the Common Name set to the authenticated userʼs user name.

    By default, the status of the SSL client certificate is set to do-not-offer, which means that the SSL client certificate is not provided.

To provide an SSL client certificate from the keyring list:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status keyring-list

set keyring-list <keyring_list_used_to_find_client_certificate>

end

next

end

To provide an SSL client certificate signed by a CA:

config firewall ssl-ssh-profile

edit <profile_name>

config https

set client-certificate inspect

end

config ssl-client-certificate

set status ca-sign

set caname <CA_certficate_used_to_sign_client_certificate>

end

next

end

Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers (UUIDs) are automatically assigned. See SSL Keyring for information about uploading keyring lists.

To specify the keyring list to use for the SSL client certificate:

config firewall ssl keyring-list

edit <keyring_list_used_to_find_client_certificate>

next

end

Disable IP-based URL rating

You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP -based URL rating is enabled.

To configure IP-based URL rating in an SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
To configure IP-based URL rating in web proxy settings:
config firewall profile-protocol-options
    edit <protocol>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end