Create or edit an SSL/SSH inspection profile
The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be cloned:
- certificate-inspection
- deep-inspection
- no-inspection
The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.
To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.
Configure the following settings and then click OK to save your changes:
Name: Give the profile an easily identifiable name that references its intent.
Comments: Enter any additional information that might be needed by administrators as a reminder of the profile's purpose and scope. This setting is optional.
SSL Inspection Options
Enable SSL Inspection of: Select Multiple Clients Connecting to Multiple Servers or Protecting SSL Server (the settings below refer to these two choices).
Server certificate: Click + and select a certificate, or click Create to import a certificate. This option is available only when Protecting SSL Server is selected.
Inspection Method: Define the inspection method (the settings below refer to SSL Certificate Inspection and Full SSL Inspection).
CA Certificate: Select a CA certificate from the drop-down menu or select Download Certificate. You need to have the certificate installed in your browser, or you might see certificate warnings.
Untrusted CA certificate: Select the CA certificate to use when a server certificate is not issued by a trusted root CA.
Blocked certificates: Block or allow potentially malicious certificates. The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that contain SHA1 fingerprints of malicious certificates. By default, these certificates are blocked. Click View Blocked Certificates for a detailed list of blocked certificates, including the listing reason and date.
Untrusted SSL certificates: Configure the action to take when a server certificate is not issued by a trusted CA. Click View Trusted CAs List to see a list of the factory-bundled and user-imported CAs that are trusted by the FortiProxy unit.
RPC over HTTPS: Enable or disable inspection of Remote Procedure Calls (RPC) over HTTPS traffic. This option is available only if Full SSL Inspection is selected.
Protocol Port Mapping: To optimize the resources of the unit, enable or disable the mapping and inspection of protocols. The default port numbers are filled in automatically, but you can change them.
Encrypted Client Hello: Configure whether to block or allow TLS connections that use Encrypted Client Hello (ECH) in certificate inspection mode. This option is available only when SSL Certificate Inspection is selected. See Control TLS connections that utilize Encrypted Client Hello for more information.
Exempt from SSL Inspection: These options apply to Full SSL Inspection only. Use the menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection:
Reputable Websites: Enable this option to exempt any websites identified by FortiGuard as reputable.
Web Categories: By default, the categories Finance and Banking, Health and Wellness, and Personal Privacy are added because they are the most likely to require a specific certificate. Click + to add web categories to be exempt from SSL inspection.
Addresses: Click + to add web addresses to be exempt from SSL inspection.
Log SSL exemptions: Enable this option to log all SSL exemptions.
SSH Inspection Options
SSH Deep Scan: Enable to perform SSH deep scan, and then enter the SSH port to use for the SSH deep scan.
Common Options
This section is available only when Multiple Clients Connecting to Multiple Servers is selected.
Invalid SSL Certificates
Expired certificates: Select the action to take when the server certificate is expired. The default action is Block. This option is available only when Custom is selected.
Revoked certificates: Select the action to take when the server certificate is revoked. The default action is Block. This option is available only when Custom is selected.
Validation timed-out certificates: Select the action to take when the server certificate validation times out. For certificate inspection, the default action is Allow. For deep inspection, the default action is Keep Untrusted & Allow. This option is available only when Custom is selected.
Validation failed certificates: Select the action to take when the server certificate validation fails. The default action is Block. This option is available only when Custom is selected.
Log SSL anomalies: Enable this feature to record and log traffic sessions containing invalid certificates. By default, SSL anomalies logging is enabled. Logs are generated in the UTM log type under the SSL subtype when invalid certificates are detected.
API Preview |
The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions. |
To use the API Preview:
- Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
- Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
- Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
- Click Close to leave the preview.
Note: SSL options can be configured in SSL/SSH profiles even when the protocol is disabled.
HTTP/2 support in SSL inspection
Security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or 1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.
To set the ALPN support:
config firewall ssl-ssh-profile
    edit <profile>
        set supported-alpn {all | http1-1 | http2 | none}
    next
end
Multiple certificates can be defined in an SSL profile in replace mode
Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows multiple sites to be hosted on the same protected server IP address, with inspection based on matching the SNI to the Common Name of a certificate in the list.
When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server certificate in the list, the first server certificate in the list is used as a replacement.
To configure an SSL profile in replace mode with multiple certificates:
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
To configure a policy that uses the SSL profile:
config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end
Results
If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the matched server certificate.
If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile, then the FortiProxy unit uses the first server certificate in the list.
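The selection rule described above (first certificate whose Common Name matches the SNI, otherwise the first certificate in the list) is small but easy to misconfigure, because the fallback depends entirely on list order. The following Python is an added illustration of that rule, not FortiProxy code: the certificate names "bbb" and "aaa" and their Common Names are constructed to mirror the "multi-cert" profile, and the audit helper that flags unreachable duplicate Common Names is an extra check of this author's, not a FortiProxy feature.

```python
"""Model of replace-mode certificate selection: SNI vs. certificate CN, ordered list.

Added example, not FortiProxy code. Certificate names and CNs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class ServerCert:
    name: str  # certificate object name as given to "set server-cert ..."
    cn: str    # subject Common Name of that certificate


def _normalize(host: str) -> str:
    # DNS names are case-insensitive; a trailing dot denotes the same FQDN.
    return host.strip().rstrip(".").lower()


def select_replacement_cert(cert_list: Sequence[ServerCert], sni: Optional[str]) -> ServerCert:
    """Return the certificate the proxy would present for this client hello.

    Matching walks the list in configured order and returns the first CN
    equal to the SNI. With no SNI, or no matching CN, the first certificate
    in the list is used, exactly as the Results section states.
    """
    if not cert_list:
        raise ValueError("replace mode requires at least one server certificate")
    if sni:
        wanted = _normalize(sni)
        for cert in cert_list:
            if _normalize(cert.cn) == wanted:
                return cert
    return cert_list[0]


def unreachable_certs(cert_list: Sequence[ServerCert]) -> List[str]:
    """Audit helper (assumption, not a FortiProxy check): names of certificates
    whose CN duplicates an earlier entry, so they can never be selected."""
    seen = set()
    dead = []
    for cert in cert_list:
        key = _normalize(cert.cn)
        if key in seen:
            dead.append(cert.name)
        seen.add(key)
    return dead


# Constructed sample mirroring: set server-cert "bbb" "aaa"
PROFILE_CERTS = (
    ServerCert(name="bbb", cn="bbb.example.com"),
    ServerCert(name="aaa", cn="aaa.example.com"),
)


if __name__ == "__main__":
    for sni in ("aaa.example.com", "AAA.example.com.", "other.example.com", None):
        chosen = select_replacement_cert(PROFILE_CERTS, sni)
        print(f"SNI={sni!r:28} -> certificate {chosen.name} (CN {chosen.cn})")
    print("unreachable:", unreachable_certs(PROFILE_CERTS))
```

Because the first entry is the fallback for every unmatched or SNI-less client, put the certificate you want presented by default first in `set server-cert`; the audit helper shows why a second certificate with the same Common Name as an earlier one is dead configuration.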
DNS inspection with DoT and DoH
DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. The WAD is able to handle DoT and DoH and redirect DNS queries to the DNS proxy for further inspection.
To configure DNS inspection of DoT and DoH queries in the CLI:
- Configure the SSL-SSH profile:
config firewall ssl-ssh-profile
    edit "ssl"
        config dot
            set status deep-inspection
            set client-certificate bypass
            set unsupported-ssl-version block
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
        end
    next
end
- Configure the DNS filter profile:
config dnsfilter profile
    edit "dnsfilter"
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
        set block-botnet enable
    next
end
- Configure the firewall policy:
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "ssl"
        set webfilter-profile "webfilter"
        set dnsfilter-profile "dnsfilter"
    next
end
Client authentication with an SSL client certificate for the Original Content Server
FortiProxy can provide a client certificate for authentication to the Original Content Server on behalf of a user.
To use the SSL client certificate for server authentication:
- Set the client certificate to inspect under the config https command.
- Set the status of the SSL client certificate to keyring-list or ca-sign.
  - The keyring-list setting matches the user name to the Common Name of the SSL client certificate in the keyring list for authenticated users. See SSL Keyring.
  - The ca-sign setting provides an SSL client certificate signed by a configured CA for authenticated users. The signed client certificate has the Common Name set to the authenticated user's user name.
  By default, the status of the SSL client certificate is set to do-not-offer, which means that no SSL client certificate is provided.
To provide an SSL client certificate from the keyring list:
config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set client-certificate inspect
        end
        config ssl-client-certificate
            set status keyring-list
            set keyring-list <keyring_list_used_to_find_client_certificate>
        end
    next
end
To provide an SSL client certificate signed by a CA:
config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set client-certificate inspect
        end
        config ssl-client-certificate
            set status ca-sign
            set caname <CA_certificate_used_to_sign_client_certificate>
        end
    next
end
Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers (UUIDs) are automatically assigned. See SSL Keyring for information about uploading keyring lists.
To specify the keyring list to use for the SSL client certificate:
config firewall ssl keyring-list
    edit <keyring_list_used_to_find_client_certificate>
    next
end
Disable IP-based URL rating
You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP-based URL rating is enabled.
To configure IP-based URL rating in an SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end
To configure IP-based URL rating in web proxy settings:
config firewall profile-protocol-options
    edit <protocol>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end