Administration Guide

Certificate and deep inspection modes

Note

These FortiSASE features require deep inspection to decrypt and inspect content in encrypted traffic:

  • Split DNS
  • Antivirus
  • Web Filtering with Inline-CASB
  • File Filter
  • Data loss prevention
  • Application Control with Inline-CASB

Unless deep inspection is configured on FortiSASE and FortiClient has automatically installed the corresponding certificate authority (CA) certificate on the endpoint, these features do not work as desired with encrypted traffic.

You can configure FortiSASE SSL inspection to use either certificate inspection or deep inspection.

| Mode | Description |
| --- | --- |
| Certificate inspection | FortiSASE inspects only the header information up to the SSL/TLS layer. Certificate inspection verifies web server identities by analyzing the SSL/TLS negotiation, looking at the server certificate and TLS connection parameters. With certificate inspection enabled, the web filter can therefore perform FortiGuard category web filtering, URL filtering, and other filtering that does not require looking at the payload. |
| Deep inspection | FortiSASE decrypts and inspects the content to find and block threats. It then reencrypts the content and sends it to the real recipient. You can configure exemptions for deep inspection. |

While HTTPS offers protection on the internet by applying SSL encryption to web traffic, malicious traffic can also use SSL encryption to get around your network's normal defenses.

For example, you may download a file containing a virus during an e-commerce session or receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer. You can use SSL inspection to protect against infiltration by scanning for malicious content in your HTTPS web traffic or identifying phishing content in encrypted mail exchanges. SSL inspection can also defend against exfiltration, when an infected host calls home to a C&C server or leaks company secrets over encrypted sessions.

When you use deep inspection, FortiSASE serves as the intermediary that connects to the SSL server. It decrypts and inspects the content to find threats and block them. The recipient is presented with the FortiSASE certificate or a custom certificate instead of the real server certificate. FortiClient receives the certificate automatically, so endpoint users do not see any browser certificate warnings.
