Create or edit an SSL/SSH inspection profile
The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:
certificate-inspection
deep-inspection
no-inspection
The custom-deep-inspection
profile can be edited, or you can create your own SSL/SSH inspection profiles.
To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.
Configure the following settings and then click OK to save your changes:
Name |
Give the profile an easily identifiable name that references its intent. |
Comments |
Enter any additional information that might be needed by administrators, as a reminder of the profileʼs purpose and scope. This setting is optional. |
SSL Inspection Options |
|
Enable SSL Inspection of |
|
Server certificate |
Click + and select a certificate or click Create to import a certificate. This option is available only when Protecting SSL Server is selected. |
Inspection Method |
Define the inspection method:
|
CA Certificate |
Select a CA certificate from the drop-down menu or select Download Certificate.You need to have the certificate installed in your browser, or you might see certificate warnings. |
Untrusted CA certificate |
Select the CA certificate to use when a CA certificate is not issued by a trusted root CA server. |
Blocked certificates |
Block or allow potentially malicious certificates. The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that contain SHA1 fingerprints of malicious certificates. By default, these certificates are blocked. Click View Blocked Certificates for a detailed list of blocked certificates, including the listing reason and date. |
Untrusted SSL certificates |
Configure the action to take when a server certificate is not issued by a trusted CA.
Click View Trusted CAs List to see a list of the factory bundled and user imported CAs that are trusted by the FortiProxy unit. |
RPC over HTTPS |
Enable/disable inspection of Remote Procedure Calls (RPC) over HTTPS traffic. This option is available only if Full SSL Inspection is selected. |
Protocol Port Mapping |
To optimize the resources of the unit, enable or disable the mapping and inspection of protocols. The default port numbers are automatically filled in, but you can change them. |
Exempt from SSL Inspection |
These options are for Full SSL inspection only. Use the menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection: |
Reputable Websites |
Enable this option to exempt any websites identified by FortiGuard as reputable. |
Web Categories |
By default, the categories of Finance and Banking, Health and Wellness, and Personal Privacy have been added because they are most likely to require a specific certificate. Click + to add web categories to be exempt from SSL inspection. |
Addresses |
Click + to add web addresses to be exempt from SSL inspection. |
Log SSL exemptions |
Enable this option to log all SSL exemptions. |
SSH Inspection Options |
|
SSH Deep Scan |
Enable to perform SSH deep scan and then enter the SSH port to use for the SSH deep scan. |
Common Options |
This section is available only when Multiple Clients Connecting to Multiple Servers is selected. |
Invalid SSL Certificates |
|
Expired certificates |
Select the action to take when the server certificate is expired. The default action is block. This option is available only when Custom is selected. |
Revoked certificates |
Select the action to take when the server certificate is revoked. The default action is block. This option is available only when Custom is selected. |
Validation timed-out certificates |
Select the action to take when the server certificate validation times out. For certificate inspection, the default action is Allow. For deep inspection, the default action is Keep Untrusted & Allow. This option is available only when Custom is selected. |
Validation failed certificates |
Select the action to take when the server certificate validation fails. The default action is block. This option is available only when Custom is selected. |
Log SSL anomalies |
Enable this feature to record and log traffic sessions containing invalid certificates. By default, SSL anomalies logging is enabled. Logs are generated in the UTM log type under the SSL subtype when invalid certificates are detected. |
API Preview |
The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions. |
To use the API Preview:
- Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
- Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
- Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
- Click Close to leave the preview.
SSL options can be configured in SSL/SSH profiles even when the protocol is disabled |
HTTP/2 support in SSL inspection
Security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.
To set the ALPN support:
config firewall ssl-ssh-profile
edit <profile>
set supported-alpn {all | http1-1 | http2 | none}
next
end
Multiple certificates can be defined in an SSL profile in replace mode
Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be deployed on the same protected server IP address, and inspection based on matching the SNI in the certificate.
When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server certificate in the list, the first server certificate in the list is used as a replacement.
To configure an SSL profile in replace mode with multiple certificates:
config firewall ssl-ssh-profile edit "multi-cert" set server-cert-mode replace set server-cert "bbb" "aaa" next end
To configure a policy that uses the SSL profile:
config firewall policy edit 1 set name "multi-cert" set srcintf "port6" set dstintf "port11" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set ssl-ssh-profile "multi-cert" set av-profile "default" set webfilter-profile "default" set logtraffic all next end
Results
If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the matched server certificate.
If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the first server certificate in the list.
DNS inspection with DoT and DoH
DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. The WAD is able to handle DoT and DoH and redirect DNS queries to the DNS proxy for further inspection.
To configure DNS inspection of DoT and DoH queries in the CLI:
- Configure the SSL-SSH profile:
config firewall ssl-ssh-profile edit "ssl" config dot set status deep-inspection set client-certificate bypass set unsupported-ssl-version block set unsupported-ssl-cipher allow set unsupported-ssl-negotiation allow set expired-server-cert block set revoked-server-cert block set untrusted-server-cert allow set cert-validation-timeout allow set cert-validation-failure block end next end
- Configure the DNS filter profile:
config dnsfilter profile edit "dnsfilter" config ftgd-dns config filters edit 1 set category 30 set action block next end end set block-botnet enable next end
- Configure the firewall policy:
config firewall policy edit 1 set srcintf "port1" set dstintf "port3" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set profile-protocol-options "protocol" set ssl-ssh-profile "ssl" set webfilter-profile "webfilter" set dnsfilter-profile "dnsfilter" next end
Client authentication with an SSL client certificate for the Original Content Server
FortiProxy can provide a client certificate for authentication to the Original Content Server on behalf of a user.
To use the SSL client certificate for server authentication:
-
Set the client certificate to
inspect
under theconfig https
command. -
Set the status of the SSL client certificate to
keyring-list
orca-sign
.- The
keyring-list
setting matches the user name to the Common Name of the SSL client certificate in the keyring list for authenticated users. See SSL Keyring. - The
ca-sign
setting provides an SSL client certificate signed by a configured CA for authenticated users. The signed client certificate has the Common Name set to the authenticated userʼs user name.
By default, the status of the SSL client certificate is set to
do-not-offer
, which means that the SSL client certificate is not provided. - The
To provide an SSL client certificate from the keyring list:
config firewall ssl-ssh-profile
edit <profile_name>
config https
set client-certificate inspect
end
config ssl-client-certificate
set status keyring-list
set keyring-list <keyring_list_used_to_find_client_certificate>
end
next
end
To provide an SSL client certificate signed by a CA:
config firewall ssl-ssh-profile
edit <profile_name>
config https
set client-certificate inspect
end
config ssl-client-certificate
set status ca-sign
set caname <CA_certficate_used_to_sign_client_certificate>
end
next
end
Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers (UUIDs) are automatically assigned. See SSL Keyring for information about uploading keyring lists.
To specify the keyring list to use for the SSL client certificate:
config firewall ssl keyring-list
edit <keyring_list_used_to_find_client_certificate>
next
end
Disable IP-based URL rating
You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP -based URL rating is enabled.
To configure IP-based URL rating in an SSL/SSH inspection profile:
config firewall ssl-ssh-profile edit <name> set ssl-exemption-ip-rating {enable | disable} next end
To configure IP-based URL rating in web proxy settings:
config firewall profile-protocol-options edit <protocol> config http set address-ip-rating {enable | disable} end next end